Squashed commit of the following:

commit 0ae052c Author: Stephen Augustus <foo@auggie.dev> Date: Tue May 28 11:10:53 2024 +0200 docs: Allstar is now a part of the OpenSSF Scorecard project Signed-off-by: Stephen Augustus <foo@auggie.dev> commit 3dc172e Author: Stephen Augustus <foo@auggie.dev> Date: Tue May 28 15:50:53 2024 +0200 docs: Adopt OpenSSF Scorecard contributor ladder Signed-off-by: Stephen Augustus <foo@auggie.dev> commit cc8cc68 Author: Jeff Mendoza <jlm@jlm.name> Date: Fri May 3 12:30:32 2024 -0700 Fix name of ko in cloudbuild Signed-off-by: Jeff Mendoza <jlm@jlm.name> commit 80ddc24 Author: Jeff Mendoza <jlm@jlm.name> Date: Fri May 3 12:18:56 2024 -0700 Update go modules Signed-off-by: Jeff Mendoza <jlm@jlm.name> commit 27c8070 Author: Jeff Mendoza <jlm@jlm.name> Date: Fri May 3 12:06:48 2024 -0700 Update sc client mock Signed-off-by: Jeff Mendoza <jlm@jlm.name> commit 5388811 Author: Jeff Mendoza <jlm@jlm.name> Date: Wed Mar 27 16:13:32 2024 -0700 Update scorecard and Go versions. Signed-off-by: Jeff Mendoza <jlm@jlm.name> commit 3d71f35 Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri Mar 22 13:21:37 2024 +0000 Bump github.com/bradleyfalzon/ghinstallation/v2 from 2.9.0 to 2.10.0 Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.9.0 to 2.10.0. - [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases) - [Commits](bradleyfalzon/ghinstallation@v2.9.0...v2.10.0) --- updated-dependencies: - dependency-name: github.com/bradleyfalzon/ghinstallation/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> commit f42d035 Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed Mar 13 13:38:46 2024 +0000 Bump gocloud.dev from 0.36.0 to 0.37.0 Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.36.0 to 0.37.0. - [Release notes](https://github.com/google/go-cloud/releases) - [Commits](google/go-cloud@v0.36.0...v0.37.0) --- updated-dependencies: - dependency-name: gocloud.dev dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> commit c26edb2 Author: twelsh-aw <84401379+twelsh-aw@users.noreply.github.com> Date: Tue Mar 19 20:06:46 2024 -0400 Update issue in IssueRepo when change detected This was trying (and depending on app permissions, succeeding) at changing issue descriptions in repos directly even when IssueRepo was set. We update to obey IssueRepo config setting in this case Signed-off-by: twelsh-aw <84401379+twelsh-aw@users.noreply.github.com> commit 964a34c Author: Jeff Mendoza <jlm@jlm.name> Date: Thu Mar 7 14:23:29 2024 -0800 Switch to using a single worker Change "workers" cli option to be in pkg/config/operator and use ALLSTAR_NUM_WORKERS envvar with same default at 5. Update staging and prod config to use 1 worker to save concurrent memory usage. Signed-off-by: Jeff Mendoza <jlm@jlm.name> commit 9c5f410 Author: Jeff Mendoza <jlm@jlm.name> Date: Wed Mar 6 15:23:58 2024 -0800 Change cache to avoid memory use Orignally, the cache was intended to be long lived to handle incoming webhooks at any time. Currently, we are just polling, and just need the cache to handle a single "EnforceAll" run, where we hit the same paths multiple times in that run. Therefore, change the cache to be per-installation, and free it after each "EnforceAll". Signed-off-by: Jeff Mendoza <jlm@jlm.name> commit 24b20ac Author: Jeff Mendoza <jlm@jlm.name> Date: Fri Mar 1 14:31:05 2024 -0800 Avoid panic when workflow dir contains other dirs. Signed-off-by: Jeff Mendoza <jlm@jlm.name> commit 68e3449 Author: Jeff Mendoza <jlm@jlm.name> Date: Fri Mar 1 11:42:41 2024 -0800 Avoid panic with scorecard logs. Signed-off-by: Jeff Mendoza <jlm@jlm.name> commit c532eed Author: Jeff Mendoza <jlm@jlm.name> Date: Fri Mar 1 11:33:01 2024 -0800 Fix parsing of github action name. Signed-off-by: Jeff Mendoza <jlm@jlm.name> commit 609be43 Author: Jeff Mendoza <jlm@jlm.name> Date: Fri Mar 1 08:35:46 2024 -0800 Catch unknown scorecard check. Signed-off-by: Jeff Mendoza <jlm@jlm.name> commit 26a969c Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu Feb 29 13:13:07 2024 +0000 Bump sigstore/cosign-installer from 3.2.0 to 3.4.0 Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.2.0 to 3.4.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@1fc5bd3...e1523de) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> commit 61a80e1 Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu Feb 29 13:13:04 2024 +0000 Bump actions/dependency-review-action from 3 to 4 Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3 to 4. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@v3...v4) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> commit c4fc8c4 Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed Feb 28 13:54:26 2024 +0000 Bump actions/upload-artifact from 3 to 4 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v3...v4) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> commit a4b662a Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed Feb 28 13:54:20 2024 +0000 Bump github/codeql-action from 2 to 3 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@v2...v3) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> commit 1192f07 Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed Feb 28 13:54:13 2024 +0000 Bump golangci/golangci-lint-action from 3 to 4 Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3 to 4. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@v3...v4) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> commit b48eddb Author: Jeff Mendoza <jlm@jlm.name> Date: Tue Feb 27 15:29:58 2024 -0800 Update a lot of go deps. Signed-off-by: Jeff Mendoza <jlm@jlm.name> commit 92f6ce6 Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed Nov 8 13:31:30 2023 +0000 Bump sigstore/cosign-installer from 3.0.5 to 3.2.0 Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.5 to 3.2.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@dd6b2e2...1fc5bd3) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> commit 83b10b5 Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon Sep 4 14:00:13 2023 +0000 Bump actions/checkout from 3 to 4 Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v3...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> commit 3521ed8 Author: Colm O hEigeartaigh <coheigea@apache.org> Date: Mon Jan 8 11:45:27 2024 +0000 Don't create issues for dangerous workflows when we have an inconclusive result Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org> commit 2767817 Author: Raghav Kaul <raghavkaul@google.com> Date: Wed Nov 22 20:56:33 2023 +0000 Update scorecard Signed-off-by: Raghav Kaul <raghavkaul@google.com> update scorecard Signed-off-by: Raghav Kaul <raghavkaul@google.com> commit c2c6202 Author: Raghav Kaul <raghavkaul@google.com> Date: Mon Nov 27 20:10:52 2023 +0000 Lock entire cleanup method * (Not sure if this is needed, githubclient.Close() is thread safe) Signed-off-by: Raghav Kaul <raghavkaul@google.com> commit cd0a83b Author: Raghav Kaul <raghavkaul@google.com> Date: Mon Nov 27 20:10:07 2023 +0000 Initialize scClients map once globally Signed-off-by: Raghav Kaul <raghavkaul@google.com> commit b9a43c0 Author: Raghav Kaul <raghavkaul@google.com> Date: Mon Nov 27 17:06:38 2023 +0000 Don't recreate scorecard clients multiple times Signed-off-by: Raghav Kaul <raghavkaul@google.com> commit 968a887 Author: Raghav Kaul <raghavkaul@google.com> Date: Mon Nov 27 15:49:51 2023 +0000 Parameterize max goroutines Signed-off-by: Raghav Kaul <raghavkaul@google.com> commit 00e8917 Author: Evan Anderson <evan@stacklok.com> Date: Sat Jun 24 11:33:33 2023 -0700 Rename `boolArgPtr` to 'runOnce` Signed-off-by: Evan Anderson <evan@stacklok.com> commit 1c18a33 Author: Jeff Mendoza <jlm@jlm.name> Date: Wed Nov 22 08:10:06 2023 -0800 Revert ossf#471 empty check Signed-off-by: Jeff Mendoza <jlm@jlm.name> commit 5bc0d49 Author: Raghav Kaul <raghavkaul@google.com> Date: Thu Nov 9 20:51:36 2023 +0000 update Signed-off-by: Raghav Kaul <raghavkaul@google.com> commit 210e999 Author: Raghav Kaul <raghavkaul@google.com> Date: Wed Nov 8 20:45:11 2023 +0000 Use GitHub RepositoriesService.GetContent API Signed-off-by: Raghav Kaul <raghavkaul@google.com> commit 4b3f718 Author: Raghav Kaul <raghavkaul@google.com> Date: Tue Nov 7 14:31:45 2023 +0000 Fix tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> commit 2531796 Author: Raghav Kaul <raghavkaul@google.com> Date: Mon Nov 6 20:30:18 2023 +0000 Skip empty repositories for enforcement Signed-off-by: Raghav Kaul <raghavkaul@google.com> commit 2ec2dca Author: Raghav Kaul <raghavkaul@google.com> Date: Thu Nov 16 16:26:40 2023 +0000 Update nocache condition Signed-off-by: Raghav Kaul <raghavkaul@google.com>
contentful · Jun 10, 2024 · 8d2af40 · 8d2af40
1 parent 5d69df9
commit 8d2af40
Show file tree

Hide file tree

Showing 41 changed files with 448 additions and 261 deletions.
diff --git a/.github/workflows/postmerge.yaml b/.github/workflows/postmerge.yaml
@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
-    - uses: ossf/scorecard-action@v2.3.3
+    - uses: ossf/scorecard-action@v2.1.3
       with:
         results_file: results.sarif
         results_format: sarif

diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -9,9 +9,9 @@ jobs:
     - uses: actions/checkout@v4
     - uses: actions/setup-go@v4
       with:
-        go-version: '1.20'
+        go-version: '1.21'
         check-latest: true
-    - uses: golangci/golangci-lint-action@v6
+    - uses: golangci/golangci-lint-action@v4
       with:
         args: --timeout 3m --verbose
   build:
@@ -20,7 +20,7 @@ jobs:
     - uses: actions/checkout@v4
     - uses: actions/setup-go@v4
       with:
-        go-version: '1.20'
+        go-version: '1.21'
         check-latest: true
     - run: go build -v ./...
   test:
@@ -29,7 +29,7 @@ jobs:
     - uses: actions/checkout@v4
     - uses: actions/setup-go@v4
       with:
-        go-version: '1.20'
+        go-version: '1.21'
         check-latest: true
     - run: go test -v ./...
     - run: go vet ./...

diff --git a/MAINTAINERS.md b/MAINTAINERS.md
@@ -0,0 +1,23 @@
+# Maintainers
+
+## `allstar-maintainers`
+
+- @jeffmendoza
+
+## Contributors
+
+- @coheigea
+- @danielbankhead
+- @five510
+- @justaugustus
+- @markdboyd
+- @naveensrinivasan
+- @olivekl
+- @yorinasub17
+
+## Emeritus
+
+Former maintainers are listed here.
+Thanks for your contributions to Scorecard!
+
+- 
diff --git a/README.md b/README.md
@@ -48,9 +48,7 @@ that affect the security of your projects.  You can choose which security
 policies to monitor at both the organization and repository level, and how to
 handle policy violations.  You can also develop or contribute new policies.
 
-Allstar is developed under the [OpenSSF](https://openssf.org/) organization, as
-a part of the [Securing Critical Projects Working
-Group](https://github.com/ossf/wg-securing-critical-projects).
+Allstar is developed as a part of the [OpenSSF Scorecard](https://github.com/ossf/scorecard) project.
 
 ## Getting Started
 

diff --git a/cmd/allstar/main.go b/cmd/allstar/main.go
@@ -56,7 +56,8 @@ func main() {
 			supportedPoliciesMsg += policyName
 		}
 	}
-	boolArgPtr := flag.Bool("once", false, "Run EnforceAll once, instead of in a continuous loop.")
+	var runOnce bool
+	flag.BoolVar(&runOnce, "once", false, "Run EnforceAll once, instead of in a continuous loop.")
 
 	specificPolicyArg := flag.String("policy", "", fmt.Sprintf("Run a specific policy check. Supported policies: %s", supportedPoliciesMsg))
 	specificRepoArg := flag.String("repo", "", "Run on a specific \"owner/repo\". For example \"ossf/allstar\"")
@@ -79,7 +80,7 @@ func main() {
 			Msg(fmt.Sprintf("Allstar will only run on repository %s", *specificRepoArg))
 	}
 
-	if *boolArgPtr {
+	if runOnce {
 		_, err := enforce.EnforceAll(ctx, ghc, *specificPolicyArg, *specificRepoArg)
 		if err != nil {
 			log.Fatal().

diff --git a/go.mod b/go.mod
@@ -1,24 +1,149 @@
 module github.com/contentful/allstar
 
-go 1.21
-
-toolchain go1.21.4
+go 1.21.8
 
 require (
 	github.com/Masterminds/semver/v3 v3.2.1
-	github.com/bradleyfalzon/ghinstallation/v2 v2.11.0
-	github.com/evanphx/json-patch v5.9.0+incompatible
+	github.com/bradleyfalzon/ghinstallation/v2 v2.10.0
+	github.com/evanphx/json-patch/v5 v5.9.0
 	github.com/gobwas/glob v0.2.3
 	github.com/google/go-cmp v0.6.0
-	github.com/google/go-github/v50 v50.2.0
+	github.com/google/go-github/v59 v59.0.0
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79
-	github.com/ossf/scorecard/v4 v4.10.5
-	github.com/rhysd/actionlint v1.7.1
-	github.com/rs/zerolog v1.33.0
+	github.com/ossf/scorecard/v4 v4.13.2-0.20240326192505-153e06d99fed
+	github.com/rhysd/actionlint v1.6.27
+	github.com/rs/zerolog v1.32.0
 	github.com/shurcooL/githubv4 v0.0.0-20210725200734-83ba7b4c9228
 	gocloud.dev v0.37.0
 	golang.org/x/sync v0.7.0
-	sigs.k8s.io/yaml v1.3.0
+	sigs.k8s.io/yaml v1.4.0
+)
+
+require (
+	cloud.google.com/go v0.112.1 // indirect
+	cloud.google.com/go/compute v1.25.0 // indirect
+	cloud.google.com/go/compute/metadata v0.2.3 // indirect
+	cloud.google.com/go/iam v1.1.6 // indirect
+	cloud.google.com/go/secretmanager v1.11.5 // indirect
+	cloud.google.com/go/storage v1.39.1 // indirect
+	dario.cat/mergo v1.0.0 // indirect
+	deps.dev/api/v3alpha v0.0.0-20240312000934-38ffc8dd1d92 // indirect
+	github.com/BurntSushi/toml v1.3.2 // indirect
+	github.com/CycloneDX/cyclonedx-go v0.8.0 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/ProtonMail/go-crypto v1.0.0 // indirect
+	github.com/anchore/go-struct-converter v0.0.0-20230627203149-c72ef8859ca9 // indirect
+	github.com/aws/aws-sdk-go v1.50.36 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.25.3 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.27.7 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.7 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.28.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.20.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.28.4 // indirect
+	github.com/aws/smithy-go v1.20.1 // indirect
+	github.com/bombsimon/logrusr/v2 v2.0.1 // indirect
+	github.com/cloudflare/circl v1.3.7 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
+	github.com/containerd/typeurl/v2 v2.1.1 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/dghubble/trie v0.1.0 // indirect
+	github.com/docker/cli v25.0.3+incompatible // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
+	github.com/docker/docker v25.0.5+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.8.1 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/fatih/color v1.16.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.5.0 // indirect
+	github.com/go-git/go-git/v5 v5.11.0 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/go-containerregistry v0.19.1 // indirect
+	github.com/google/go-github/v53 v53.2.0 // indirect
+	github.com/google/go-github/v60 v60.0.0 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/google/osv-scanner v1.7.1 // indirect
+	github.com/google/s2a-go v0.1.7 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/google/wire v0.6.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
+	github.com/googleapis/gax-go/v2 v2.12.2 // indirect
+	github.com/h2non/filetype v1.1.3 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-hclog v1.5.0 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
+	github.com/ianlancetaylor/demangle v0.0.0-20240312041847-bd984b5ce465 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/jedib0t/go-pretty/v6 v6.5.5 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/klauspost/compress v1.17.7 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/moby/buildkit v0.13.1 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
+	github.com/owenrumney/go-sarif/v2 v2.3.0 // indirect
+	github.com/package-url/packageurl-go v0.1.2 // indirect
+	github.com/pandatix/go-cvss v0.6.2 // indirect
+	github.com/pjbgf/sha1cd v0.3.0 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/robfig/cron/v3 v3.0.1 // indirect
+	github.com/sergi/go-diff v1.3.1 // indirect
+	github.com/shurcooL/graphql v0.0.0-20200928012149-18c5c3165e3a // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/skeema/knownhosts v1.2.1 // indirect
+	github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89 // indirect
+	github.com/spdx/tools-golang v0.5.3 // indirect
+	github.com/stretchr/testify v1.9.0 // indirect
+	github.com/vbatts/tar-split v0.11.5 // indirect
+	github.com/xanzy/go-gitlab v0.101.0 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
+	go.opentelemetry.io/otel v1.24.0 // indirect
+	go.opentelemetry.io/otel/metric v1.24.0 // indirect
+	go.opentelemetry.io/otel/trace v1.24.0 // indirect
+	golang.org/x/crypto v0.22.0 // indirect
+	golang.org/x/exp v0.0.0-20240314144324-c7f7c6466f7f // indirect
+	golang.org/x/mod v0.16.0 // indirect
+	golang.org/x/net v0.24.0 // indirect
+	golang.org/x/oauth2 v0.18.0 // indirect
+	golang.org/x/sys v0.19.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/tools v0.19.0 // indirect
+	golang.org/x/vuln v1.0.4 // indirect
+	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
+	google.golang.org/api v0.169.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240311173647-c811ad7063a7 // indirect
+	google.golang.org/grpc v1.62.1 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	gotest.tools/v3 v3.5.1 // indirect
+	mvdan.cc/sh/v3 v3.8.0 // indirect
 )
 
 require (