https://github.com/chains-project/dirty-waters-action
Break the build if your supply chain is dirty
Science Score: 36.0%
This score indicates how likely this project is to be science-related based on various indicators:
-
○CITATION.cff file
-
✓codemeta.json file
Found codemeta.json file -
✓.zenodo.json file
Found .zenodo.json file -
○DOI references
-
○Academic publication links
-
✓Committers with academic emails
1 of 2 committers (50.0%) from academic institutions -
○Institutional organization owner
-
○JOSS paper metadata
-
○Scientific vocabulary similarity
Low similarity (11.3%) to scientific vocabulary
Repository
Break the build if your supply chain is dirty
Basic Info
Statistics
- Stars: 1
- Watchers: 6
- Forks: 0
- Open Issues: 9
- Releases: 12
Metadata Files
README.md
dirty-waters-action
This action runs Dirty Waters on your repository to analyze dependencies for Software Supply Chain (SSC) issues. Add this workflow to your repository to analyze dependencies in your pull requests (change/add inputs as needed -- details in action.yml). An example of a workflow that uses this action is available in example_workflow.yml.
The action will:
- Run on commits that modify dependency files
- Analyze dependencies for software supply chain smells
- Post results:
- If in a PR, will post the report as a comment by default if CI fails
- Otherwise, results are available in the action logs; if CI fails, the report may also be posted as a comment in the commit, if enabled
- Break CI if high severity issues are found, if enabled
As an important note, the first time you run this action, it will take quite some time! However, after the first run, subsequent ones should be fast.
SSC issues currently checked for:
- No source code links (or invalid ones) for a dependency
- Provided release tag/commit SHA not found in a dependency's repository
- Dependency being a fork of another package
- Deprecated dependency
- Dependency without build attestation
- Dependency without code signature (or an invalid one)
- Aliased dependencies
Inputs
| Input | Description | Required | Default | | --------------------- | -------------------------------------------------------------------------------------------------- | -------- | -------------------------- | | githubtoken | | Yes | - | | projectrepo | Repository name (owner/repo) | No | {{ github.repository }} | | versionold | Base version/ref to analyze, | No | - | | versionnew | New version/ref for diff analysis | No | - | | differentialanalysis | Whether to perform differential analysis (true/false) | No | false | | packagemanager | Package manager (npm, yarn-classic, yarn-berry, pnpm, maven) | Yes | - | | namematch | Compare the package names with the name in the in the package.json file. Will slow down execution. | No | false | | specifiedsmells | Specify the smells to check for | No | all | | debug | Enable debug mode | No | false | | config | Path to the configuration file, relative to your project's root | No | - | | gradualreport | Enable gradual report functionality | No | true | | failonhighseverity | Fail CI on high severity issues | No | true | | xtofail | Percentage threshold to break CI on high or medium severity issues (per type of issue) | No | 5% of packages | | allowprcomment | Post analysis results as a PR comment if CI breaks | No | true | | commentoncommit | Post analysis results as a commit comment if CI breaks | No | false | | githubeventbefore | GitHub event before SHA, to retrieve the previous cache key | No | ${{ github.event.before }} | | ignore_cache | Ignore the repository cache for this run (true/false) | No | false |
Owner
- Name: CHAINS research project at KTH Royal Institute of Technology
- Login: chains-project
- Kind: organization
- Website: https://chains.proj.kth.se
- Repositories: 9
- Profile: https://github.com/chains-project
"Consistent Hardening and Analysis of Software Supply Chains" at KTH, funded by SSF
GitHub Events
Total
- Create event: 82
- Release event: 12
- Issues event: 14
- Delete event: 13
- Issue comment event: 22
- Member event: 1
- Push event: 226
- Pull request review event: 8
- Pull request review comment event: 7
- Gollum event: 5
- Pull request event: 52
Last Year
- Create event: 82
- Release event: 12
- Issues event: 14
- Delete event: 13
- Issue comment event: 22
- Member event: 1
- Push event: 226
- Pull request review event: 8
- Pull request review comment event: 7
- Gollum event: 5
- Pull request event: 52
Committers
Last synced: over 1 year ago
Top Committers
| Name | Commits | |
|---|---|---|
| Diogo Gaspar | d****r@k****e | 76 |
| renovate[bot] | 2****] | 5 |
Committer Domains (Top 20 + Academic)
Issues and Pull Requests
Last synced: 11 months ago
All Time
- Total issues: 10
- Total pull requests: 45
- Average time to close issues: 3 days
- Average time to close pull requests: 4 days
- Total issue authors: 4
- Total pull request authors: 2
- Average comments per issue: 0.1
- Average comments per pull request: 0.96
- Merged pull requests: 35
- Bot issues: 2
- Bot pull requests: 19
Past Year
- Issues: 10
- Pull requests: 45
- Average time to close issues: 3 days
- Average time to close pull requests: 4 days
- Issue authors: 4
- Pull request authors: 2
- Average comments per issue: 0.1
- Average comments per pull request: 0.96
- Merged pull requests: 35
- Bot issues: 2
- Bot pull requests: 19
Top Authors
Issue Authors
- randomicecube (7)
- ericcornelissen (1)
- github-actions[bot] (1)
- renovate[bot] (1)
Pull Request Authors
- randomicecube (26)
- renovate[bot] (19)