🌱 add support for hadolint SAST

[AdamKorcz]

What kind of change does this PR introduce?

(Is it a bug fix, feature, docs update, something else?)

feature

• PR title follows the guidelines defined in our pull request documentation

What is the current behavior?

Scorecard does not support hadolint SAST.

What is the new behavior (if this is a feature change)?**

Scorecard supports hadolint SAST.

• Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Partially fixes #2318 (comment)

Special notes for your reviewer

Does this PR introduce a user-facing change?

Support Hadolint SAST.

[codecov]

Codecov Report

Attention: Patch coverage is 50.00000% with 3 lines in your changes missing coverage. Please review.

Project coverage is 68.29%. Comparing base (353ed60) to head (7846164).
Report is 199 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4688      +/-   ##
==========================================
+ Coverage   66.80%   68.29%   +1.48%     
==========================================
  Files         230      249      +19     
  Lines       16602    18904    +2302     
==========================================
+ Hits        11091    12910    +1819     
- Misses       4808     5133     +325     
- Partials      703      861     +158     

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[spencerschrock]

was there a driver behind redefining this in every test instead of once?

[AdamKorcz]

yes, I added a new test that needs another searchRequest.

[spencerschrock]

All of the duplication caught my eye initially, but I don't think it's not necessary anymore.
When the test was written 4 years ago, the SAST implementation actually used the search interface.

scorecard/checks/sast.go

Lines 170 to 176 in e5a08af

	// nolint
	func codeQLInCheckDefinitions(c *checker.CheckRequest) (int, error) {
	searchRequest := clients.SearchRequest{
	Query: "github/codeql-action/analyze",
	Path: "/.github/workflows",
	}
	resp, err := c.RepoClient.Search(searchRequest)

Where as today's implementation uses getSastUsesWorkflows

scorecard/checks/raw/sast.go

Lines 60 to 63 in 344a155

	codeQLWorkflows, err := getSastUsesWorkflows(c, "^github/codeql-action/analyze$", checker.CodeQLWorkflow)
	if err != nil {
	return data, err
	}

which searches the files locally

scorecard/checks/raw/sast.go

Lines 169 to 172 in 344a155

	err := fileparser.OnMatchingFileContentDo(c.RepoClient, fileparser.PathMatcher{
	Pattern: ".github/workflows/*",
	CaseSensitive: false,
	}, searchGitHubActionWorkflowUseRegex, &workflowPaths, usesRegex)

If you uncomment the mock line, nothing panics/breaks, so I say we just get rid of it all the search requests/responses in this test

// mockRepoClient.EXPECT().Search(tt.searchRequest).Return(tt.searchresult, nil).AnyTimes()

[AdamKorcz]

I am happy to do that, but let me clean up this test in a separate PR to not mix things together? I have reverted my changes in this PR.

[spencerschrock]

lgtm other than the few comments

[github-actions]

This pull request has been marked stale because it has been open for 10 days with no activity