Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): Included dependency review #1792

Merged
merged 3 commits into from
Apr 30, 2022
Merged

chore(deps): Included dependency review #1792

merged 3 commits into from
Apr 30, 2022

Conversation

naveensrinivasan
Copy link
Contributor

Dependency Review GitHub Action in your repository to enforce dependency reviews on your pull requests.
The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests,
and warns you about the associated security vulnerabilities.
This gives you better visibility of what's changing in a pull request,
and helps prevent vulnerabilities being added to your repository.

https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
Signed-off-by: naveensrinivasan 172697+naveensrinivasan@users.noreply.github.com

@naveensrinivasan
chore(deps): Included dependency review
7593fd5 
> Dependency Review GitHub Action in your repository to enforce dependency reviews on your pull requests.
> The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests,
> and warns you about the associated security vulnerabilities.
> This gives you better visibility of what's changing in a pull request,
> and helps prevent vulnerabilities being added to your repository.

https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
@naveensrinivasan
Copy link
Contributor Author

@cpanato 👀

@codecov-commenter
Copy link

codecov-commenter commented Apr 23, 2022
edited
Loading

Codecov Report

Merging #1792 (feeaf98) into main (c96ebb4) will increase coverage by 1.34%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #1792      +/-   ##
==========================================
+ Coverage   31.51%   32.85%   +1.34%     
==========================================
  Files         145      147       +2     
  Lines        8913     9346     +433     
==========================================
+ Hits         2809     3071     +262     
- Misses       5765     5919     +154     
- Partials      339      356      +17
Impacted Files Coverage Δ
pkg/cosign/kubernetes/webhook/validation.go 74.00% <0.00%> (-6.77%) ⬇️
pkg/cosign/kubernetes/webhook/validator.go 77.70% <0.00%> (-4.86%) ⬇️
pkg/cosign/rego/rego.go 71.42% <0.00%> (-1.30%) ⬇️
cmd/cosign/cli/sign/sign.go 14.36% <0.00%> (-0.34%) ⬇️
cmd/cosign/cli/sign.go 0.00% <0.00%> (ø)
cmd/cosign/cli/attest.go 0.00% <0.00%> (ø)
cmd/cosign/cli/verify.go 0.00% <0.00%> (ø)
cmd/cosign/cli/verify/verify.go 0.00% <0.00%> (ø)
cmd/cosign/cli/sign/sign_blob.go 0.00% <0.00%> (ø)
cmd/cosign/cli/verify/verify_blob.go 10.42% <0.00%> (ø)
... and 11 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c96ebb4...feeaf98. Read the comment docs.

hectorj2f
hectorj2f previously approved these changes Apr 25, 2022
View reviewed changes
@hectorj2f hectorj2f assigned hectorj2f and unassigned hectorj2f Apr 25, 2022
@hectorj2f hectorj2f requested a review from dlorenc April 25, 2022 10:30
cpanato
cpanato requested changes Apr 26, 2022
View reviewed changes
.github/workflows/depsreview.yml Outdated Show resolved Hide resolved
@cpanato
Copy link
Member

cpanato commented Apr 26, 2022

@naveensrinivasan please sign the DCO

@naveensrinivasan
Update depsreview.yml
a8c214a 
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
@naveensrinivasan naveensrinivasan force-pushed the naveen/feat/deps-review branch from 4d1e463 to a8c214a Compare April 26, 2022 14:34
@naveensrinivasan
Copy link
Contributor Author

@naveensrinivasan please sign the DCO

Done! Thanks

cpanato
cpanato previously approved these changes Apr 26, 2022
View reviewed changes
@naveensrinivasan
Update depsreview.yml
feeaf98 
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
@naveensrinivasan naveensrinivasan force-pushed the naveen/feat/deps-review branch from 39c032d to feeaf98 Compare April 29, 2022 15:03
@dlorenc dlorenc merged commit e74f180 into sigstore:main Apr 30, 2022
@github-actions github-actions bot added this to the v1.9.0 milestone Apr 30, 2022
mlieberman85 pushed a commit to mlieberman85/cosign that referenced this pull request May 6, 2022
@naveensrinivasan @mlieberman85
chore(deps): Included dependency review (sigstore#1792)
762b096 
* chore(deps): Included dependency review

> Dependency Review GitHub Action in your repository to enforce dependency reviews on your pull requests.
> The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests,
> and warns you about the associated security vulnerabilities.
> This gives you better visibility of what's changing in a pull request,
> and helps prevent vulnerabilities being added to your repository.

https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>

* Update depsreview.yml

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>

* Update depsreview.yml

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cpanato cpanato cpanato approved these changes

@hectorj2f hectorj2f hectorj2f left review comments

@dlorenc dlorenc Awaiting requested review from dlorenc

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.9.0
Development

Successfully merging this pull request may close these issues.
5 participants
@naveensrinivasan @codecov-commenter @cpanato @hectorj2f @dlorenc