Delete Signed-Tags check from Scorecard (#851)

Co-authored-by: Azeem Shaikh <azeems@google.com>
ossf · Aug 12, 2021 · d4701c4 · d4701c4
1 parent 29fbdae
commit d4701c4
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 200 deletions.
diff --git a/README.md b/README.md
@@ -59,7 +59,6 @@ Packaging                   | Does the project build and publish official packag
 SAST                        | Does the project use static code analysis tools, e.g. [CodeQL](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions), [SonarCloud](https://sonarcloud.io)?
 Security-Policy             | Does the project contain a [security policy](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository)?
 Signed-Releases             | Does the project cryptographically [sign releases](https://wiki.debian.org/Creating%20signed%20GitHub%20releases)?
-Signed-Tags                 | Does the project cryptographically sign release tags?
 Token-Permissions           | Does the project declare GitHub workflow tokens as [read only](https://docs.github.com/en/actions/reference/authentication-in-a-workflow)?
 Vulnerabilities             | Does the project have unfixed vulnerabilities? Uses the [OSV service](https://osv.dev).
 
@@ -85,7 +84,6 @@ The program can run using just one argument, the URL of the repo:
 ```shell
 $ go get github.com/ossf/scorecard/v2
 $ scorecard --repo=github.com/kubernetes/kubernetes
-Starting [Signed-Tags]
 Starting [Automatic-Dependency-Update]
 Starting [Frozen-Deps]
 Starting [Fuzzing]
@@ -116,7 +114,6 @@ Finished [Automatic-Dependency-Update]
 Finished [Frozen-Deps]
 Finished [Fuzzing]
 Finished [Pull-Requests]
-Finished [Signed-Tags]
 Finished [Branch-Protection]
 Finished [Code-Review]
 Finished [SAST]
@@ -139,7 +136,6 @@ Pull-Requests: Pass 10
 SAST: Fail 10
 Security-Policy: Fail 5
 Signed-Releases: Fail 10
-Signed-Tags: Fail 10
 Token-Permissions: Pass 10
 ```
 
@@ -186,7 +182,6 @@ Starting [Pull-Requests]
 Starting [SAST]
 Starting [Security-Policy]
 Starting [Signed-Releases]
-Starting [Signed-Tags]
 Finished [Signed-Releases]
 Finished [Fuzzing]
 Finished [CII-Best-Practices]
@@ -197,7 +192,6 @@ Finished [SAST]
 Finished [Code-Review]
 Finished [Branch-Protection]
 Finished [Frozen-Deps]
-Finished [Signed-Tags]
 Finished [Active]
 Finished [Pull-Requests]
 Finished [Contributors]
@@ -217,7 +211,6 @@ Pull-Requests: Fail 9
 SAST: Fail 10
 Security-Policy: Pass 10
 Signed-Releases: Fail 0
-Signed-Tags: Fail 10
 ```
 
 ### Running specific checks

diff --git a/checks/signed_tags.go b/checks/signed_tags.go
diff --git a/docs/checks.md b/docs/checks.md
@@ -147,19 +147,6 @@ It works by looking for filenames: *.minisig (https://github.com/jedisct1/minisi
 - Attach the signature file next to the release archive.
 - For GitHub, check out the steps [here](https://wiki.debian.org/Creating%20signed%20GitHub%20releases).
 
-## Signed-Tags 
-
-This check looks for cryptographically signed tags in the last 5 tags.
-Signed tags attest the author of a commit. A low score is considered 'Medium' risk.
-The check does not verify the signature itself and currently relies on GitHub's verification. 
-
-**Remediation steps**
-- Generate a new signing key.
-- Add your key to your source hosting provider.
-- Configure your key and email in git.
-- Publish the tag and then sign it with this key.
-- For GitHub, check out the steps [here](https://docs.github.com/en/github/authenticating-to-github/signing-tags#further-reading).
-
 ## Token-Permissions 
 
 This check tries to determine if a project's GitHub workflows follow the principle of least privilege, i.e. if the GitHub tokens are set read-only by default.

diff --git a/docs/checks/checks.yaml b/docs/checks/checks.yaml
@@ -278,22 +278,6 @@ checks:
       - >-
         For GitHub, check out the steps
         [here](https://wiki.debian.org/Creating%20signed%20GitHub%20releases).
-  Signed-Tags:
-    risk: Medium
-    description: >-
-      This check looks for cryptographically signed tags in the last 5 tags.
-
-      Signed tags attest the author of a commit. A low score is considered 'Medium' risk.
-
-      The check does not verify the signature itself and currently relies on GitHub's verification.
-    remediation:
-      - Generate a new signing key.
-      - Add your key to your source hosting provider.
-      - Configure your key and email in git.
-      - Publish the tag and then sign it with this key.
-      - >-
-        For GitHub, check out the steps
-        [here](https://docs.github.com/en/github/authenticating-to-github/signing-tags#further-reading).
   Token-Permissions:
     risk: High
     description: >-

diff --git a/e2e/executable_test.go b/e2e/executable_test.go
@@ -20,6 +20,8 @@ import (
 
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
+
+	"github.com/ossf/scorecard/v2/checks"
 )
 
 type scorecard struct {
@@ -50,34 +52,29 @@ var _ = Describe("E2E TEST:executable", func() {
 
 			for _, c := range data.Checks {
 				switch c.CheckName {
-				case "Active":
+				case checks.CheckActive:
 					Expect(c.Pass).Should(BeTrue(), c.CheckName)
-				case "Branch-Protection":
+				case checks.CheckBranchProtection:
 					Expect(c.Pass).Should(BeTrue(), c.CheckName)
-				case "CI-Tests":
+				case checks.CheckCITests:
 					Expect(c.Pass).Should(BeTrue(), c.CheckName)
-				case "CII-Best-Practices":
+				case checks.CheckCIIBestPractices:
 					Expect(c.Pass).Should(BeFalse(), c.CheckName)
-				case "Code-Review":
+				case checks.CheckCodeReview:
 					Expect(c.Pass).Should(BeTrue(), c.CheckName)
-				case "Contributors":
+				case checks.CheckContributors:
 					Expect(c.Pass).Should(BeTrue(), c.CheckName)
-				case "Frozen-Deps":
+				case checks.CheckPinnedDependencies:
 					Expect(c.Pass).Should(BeTrue(), c.CheckName)
-				case "Fuzzing":
+				case checks.CheckFuzzing:
 					Expect(c.Pass).Should(BeFalse(), c.CheckName)
-				case "Packaging":
-					Expect(c.Pass).Should(BeTrue(), c.CheckName)
-				case "Pull-Requests":
+				case checks.CheckPackaging:
 					Expect(c.Pass).Should(BeTrue(), c.CheckName)
-				case "SAST":
+				case checks.CheckSAST:
 					Expect(c.Pass).Should(BeTrue(), c.CheckName)
-				case "Security-Policy":
+				case checks.CheckSecurityPolicy:
 					Expect(c.Pass).Should(BeTrue(), c.CheckName)
-				case "Signed-Releases":
-					Expect(c.Confidence).ShouldNot(Equal(10))
-					Expect(c.Pass).Should(BeFalse(), c.CheckName)
-				case "Signed-Tags":
+				case checks.CheckSignedReleases:
 					Expect(c.Confidence).ShouldNot(Equal(10))
 					Expect(c.Pass).Should(BeFalse(), c.CheckName)
 				}

diff --git a/e2e/signedtags_test.go b/e2e/signedtags_test.go