Comments (16)
@MorAlon1 Please take a look and fix it 🙏🏽
from chain-bench.
@rgreinho can you please give us more details about the scenario? Was it a public repository or a private one, and what permissions does your token include?
@MorAlon1 Yes, the project is open source, and you should be able to reproduce the behavior by re-running the command I pasted above.
The permissions for this particular token are:
- repo
- workflow
- admin:org -> read:org
- admin:repo_hook -> read:repo_hook
- gist
- user
- project -> read:project
@rgreinho I created a token with the permissions you mentioned before and got Unknown for rule 1.1.3. Can you check again whether you gave me the right permissions?
Yup, this is what I get, from the main branch:
@rgreinho - can you please check that the fix works for your case?
@morwn @MorAlon1 I just checked with the latest commit from the main branch and it did not seem to solve my issue:
But we do use 2 reviewer approvals in order for a PR to be merged.
For instance with buildsec/frsca#242, you can see that we needed an approval from me and from bradbeck before our bot (kodiak) merged the PR.
If you want to re-open this PR, I'd be happy to help you dig.
@rgreinho I'm not sure how the kodiak bot is enforcing the policy. Could you please enlighten me?
In any case, we currently enforce the checks based on the branch protection API call:
curl \
-H "Accept: application/vnd.github+json" \
-H "Authorization: token <TOKEN>" \
https://api.github.com/repos/OWNER/REPO/branches/BRANCH/protection
so if .required_pull_request_reviews.required_approving_review_count < 2 we fail the check.
Let me know if you set the required_approving_review_count corresponde
Sure thing! Kodiak uses the branch protection settings to decide when to merge or rebase a branch. Therefore, as soon as all the branch protection criteria are met, the bot acts accordingly.
Requiring 2 reviewers is part of our branch protection settings.
What do you get when you run this API call?
curl \
-H "Accept: application/vnd.github+json" \
-H "Authorization: token <TOKEN>" \
https://api.github.com/repos/OWNER/REPO/branches/BRANCH/protection
$ curl -s -H "Accept: application/vnd.github.v3+json" -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/repos/buildsec/frsca/branches/main/protection
{
"message": "Not Found",
"documentation_url": "https://docs.github.com/rest/reference/repos#get-branch-protection"
}
and
$ curl -s -H "Accept: application/vnd.github.v3+json" -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/repos/buildsec/frsca/branches/main/protection/required_pull_request_reviews
{
"message": "Not Found",
"documentation_url": "https://docs.github.com/rest/reference/repos#get-pull-request-review-protection"
}
You might be missing the permission for repo settings. Please try to generate a scoped token based on an admin user within this repository.
Oh, that is the whole point, I am not an admin for this repo 🙃 So since I cannot read this property, chain-bench should return "Unknown" instead of "Failed" (since technically it is not a configuration failure, it is just that I do not have the permission to read this value).
Here is a screenshot of the branch protection settings:
Oh my bad, I reopened the issue and pushed a new PR that should fix it.
@morwn It worked like a charm! Great job!
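The distinction this thread arrives at, that a 404 from the branch protection endpoint means the setting could not be observed with this token and must be reported as Unknown rather than Failed, as an added Go example that is not chain-bench's own code. EvaluateMinReviewers, the Result type and the JSON bodies used in it are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// Result is one of the three outcomes chain-bench reports for a rule.
type Result string

const (
	Passed  Result = "Passed"
	Failed  Result = "Failed"
	Unknown Result = "Unknown"
)

// protection is the subset of GET /repos/{owner}/{repo}/branches/{branch}/protection
// that rule 1.1.3 needs.
type protection struct {
	RequiredPullRequestReviews *struct {
		RequiredApprovingReviewCount int `json:"required_approving_review_count"`
	} `json:"required_pull_request_reviews"`
}

// EvaluateMinReviewers decides rule 1.1.3 from the status code and body of the
// branch protection call (a hypothetical name, not chain-bench's own API).
// GitHub answers 404 both when the token has no admin access to the repository
// and when the branch carries no protection, so a 404 cannot be read as a
// misconfiguration: it is reported as Unknown, never Failed.
func EvaluateMinReviewers(status int, body []byte, minReviewers int) (Result, error) {
	switch status {
	case http.StatusNotFound, http.StatusForbidden:
		return Unknown, nil // the setting is not observable with this token
	case http.StatusOK:
	default:
		return Unknown, fmt.Errorf("unexpected status %d", status)
	}
	var p protection
	if err := json.Unmarshal(body, &p); err != nil {
		return Unknown, err
	}
	// The setting is visible; a missing or too-low requirement is a real failure.
	if p.RequiredPullRequestReviews == nil ||
		p.RequiredPullRequestReviews.RequiredApprovingReviewCount < minReviewers {
		return Failed, nil
	}
	return Passed, nil
}
```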