{"id":46696937,"url":"https://github.com/aljoshare/commala","last_synced_at":"2026-04-02T18:59:59.814Z","repository":{"id":324975307,"uuid":"1056966867","full_name":"aljoshare/commala","owner":"aljoshare","description":"🌹 A commit linter with a lot of rice 🍙","archived":false,"fork":false,"pushed_at":"2026-01-26T12:47:25.000Z","size":5251,"stargazers_count":0,"open_issues_count":3,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-01-26T21:36:30.381Z","etag":null,"topics":["commit","git","golang","lint"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aljoshare.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-15T05:20:58.000Z","updated_at":"2026-01-26T07:11:19.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/aljoshare/commala","commit_stats":null,"previous_names":["aljoshare/commala"],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/aljoshare/commala","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aljoshare%2Fcommala","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aljoshare%2Fcommala/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aljoshare%2Fcommala/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aljoshare%2Fcommala/manifests","owner_ur
l":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aljoshare","download_url":"https://codeload.github.com/aljoshare/commala/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aljoshare%2Fcommala/sbom","scorecard":{"id":1239853,"data":{"date":"2025-11-18T20:27:58Z","repo":{"name":"github.com/aljoshare/commala","commit":"57fbe7ac96ba1d4bcd3f8e017c62b17f6ace6ae9"},"scorecard":{"version":"v5.3.0","commit":"c22063e786c11f9dd714d777a687ff7c4599b600"},"score":4.4,"checks":[{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dependency-update-tool"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: topLevel 'contents' permission set to 'read': .github/workflows/build.yml:7","Info: topLevel 'pull-requests' permission set to 'read': .github/workflows/build.yml:8","Info: topLevel 'contents' permission set to 'read': .github/workflows/lint.yml:7","Info: topLevel 'pull-requests' permission set to 'read': .github/workflows/lint.yml:8","Warn: topLevel 'contents' permission set to 'write': .github/workflows/post-release.yml:7","Warn: topLevel 'packages' permission set to 'write': .github/workflows/post-release.yml:8","Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:7","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:10","Info: topLevel 'contents' permission set to 'read': .github/workflows/test.yml:7","Info: topLevel 'pull-requests' permission set to 'read': .github/workflows/test.yml:8","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the 
principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#token-permissions"}},{"name":"Maintained","score":0,"reason":"project was created within the last 90 days. Please review its contents carefully","details":["Warn: Repository was created within the last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":0,"reason":"Found 0/28 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#binary-artifacts"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security 
policy.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#security-policy"}},{"name":"Pinned-Dependencies","score":1,"reason":"dependency not pinned by hash detected -- score normalized to 1","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/aljoshare/commala/build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/aljoshare/commala/build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/aljoshare/commala/build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/aljoshare/commala/lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/aljoshare/commala/lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/aljoshare/commala/lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/aljoshare/commala/lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-release.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/aljoshare/commala/post-release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-release.yml:18: update your workflow using 
https://app.stepsecurity.io/secureworkflow/aljoshare/commala/post-release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/post-release.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/aljoshare/commala/post-release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/post-release.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/aljoshare/commala/post-release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/aljoshare/commala/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/aljoshare/commala/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/aljoshare/commala/test.yml/main?enable=pin","Warn: npmCommand not pinned by hash: .github/workflows/lint.yml:18","Info:   3 out of  13 GitHub-owned GitHubAction dependencies pinned","Info:   1 out of   5 third-party GitHubAction dependencies pinned","Info:   0 out of   1 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices 
Badge.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#cii-best-practices"}},{"name":"SAST","score":2,"reason":"SAST tool is not run on all commits -- score normalized to 2","details":["Warn: 2 commits out of 10 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":7,"reason":"3 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2025-4116","Warn: Project is vulnerable to: GHSA-mh29-5h37-fv8m","Warn: Project is vulnerable to: GHSA-29xp-372q-xqph"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#vulnerabilities"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/build.yml:10"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#packaging"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.2.0 not signed: https://api.github.com/repos/aljoshare/commala/releases/257290390","Warn: release artifact v0.1.0 not signed: 
https://api.github.com/repos/aljoshare/commala/releases/255602832","Warn: release artifact v0.2.0 does not have provenance: https://api.github.com/repos/aljoshare/commala/releases/257290390","Warn: release artifact v0.1.0 does not have provenance: https://api.github.com/repos/aljoshare/commala/releases/255602832"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#signed-releases"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#license"}},{"name":"Branch-Protection","score":5,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'","Warn: 'stale review dismissal' is disabled on branch 'main'","Warn: required approving review count is 1 on branch 'main'","Warn: codeowners review is not required on branch 'main'","Warn: 'last push approval' is disabled on branch 'main'","Warn: no status checks found to merge onto branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#branch-protection"}},{"name":"Contributors","score":3,"reason":"project has 1 contributing companies or organizations -- score normalized to 3","details":["Info: found 
contributions from: hellmann worldwide logistics"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#contributors"}},{"name":"CI-Tests","score":10,"reason":"9 out of 9 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#ci-tests"}}]},"last_synced_at":"2025-11-18T23:21:54.488Z","repository_id":324975307,"created_at":"2025-11-18T23:21:54.492Z","updated_at":"2025-11-18T23:21:54.492Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30283917,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-09T02:57:19.223Z","status":"ssl_error","status_checked_at":"2026-03-09T02:56:26.373Z","response_time":61,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["commit","git","golang","lint"],"created_at":"2026-03-09T05:32:38.419Z","updated_at":"2026-03-09T05:32:38.956Z","avatar_url":"https://github.com/aljoshare.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"![Logo for commala](assets/logo.png)\n\n# commala - A commit linter with a lot of rice\n\n![GitHub 
Release](https://img.shields.io/github/v/release/aljoshare/commala?style=flat\u0026logo=github\u0026label=release\u0026color=eca13d)\n![GitHub Release Date](https://img.shields.io/github/release-date/aljoshare/commala?display_date=published_at\u0026style=flat\u0026logo=github\u0026label=release%20date\u0026color=eca13d)\n\n![Static Badge](https://img.shields.io/badge/language-grey?logo=go)\n![Static Badge](https://img.shields.io/badge/platform-linux-eca13d?logo=docker)\n![Static Badge](https://img.shields.io/badge/arch-amd64-eca13d?logo=docker)\n![Static Badge](https://img.shields.io/badge/arch-arm64-eca13d?logo=docker)\n[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/aljoshare/commala/badge)](https://scorecard.dev/viewer/?uri=github.com/aljoshare/commala)\n\n\u003e “Go then, there are other commits than these.”  \n\u003e — commala, probably\n\ncommala is a commit linting tool that ensures that certain standards are met before you merge to keep your git history clean and consistent. commala is part of your Ka-tet, when you walk through the Wastelands of software development.\n\n![Example of a commala workflow](assets/commala.gif)\n\n## Validators\n\n- Author Name: Check if the name of the author is set\n- Author Email: Check if the email address of the author is set\n- Branch: Check if the branch follows the [conventional branch specification](https://conventional-branch.github.io/)\n- Message: Check if the commit message follows the [conventional commit specification](https://www.conventionalcommits.org)\n- Sign-off: Check if the commit is signed off\n\n## Getting started\n\nIf you want to use it on GitHub, try out the [GitHub Action](https://github.com/aljoshare/commala-action). You can find an example workflow [here](examples/github/example.yml). 
For GitLab CI/CD, you can copy [this example](examples/gitlab/.gitlab-ci.yml) and adapt it to your needs.\n\n### Configuration\n\nYou can configure commala via `.commala.yml` or command line parameters. By default, commala looks for `.commala.yml` in the current directory or `$HOME/.commala/`. You can specify a custom config file path using the `--config` flag or the `COMMALA_CONFIG` environment variable:\n\n```shell\ncommala check HEAD~5 --config=/path/to/custom-config.yml\n```\n\n```yaml\nreport:\n  junit:\n    path: commala-junit.xml # --report-junit-path\nvalidate:\n  author:\n    name:\n      enabled: true # --author-name-enabled\n      whitelist: [] # --author-name-whitelist\n    email:\n      enabled: true # --author-email-enabled\n      whitelist: [] # --author-email-whitelist\n  branch:\n    enabled: true # --branch-enabled\n    whitelist: [] # --branch-whitelist\n  message:\n    enabled: true # --message-enabled\n    whitelist: [] # --message-whitelist\n  signoff:\n    enabled: true # --signoff-enabled\n    whitelist: [] # --signoff-whitelist\n```\n\n### Contributor Whitelists\n\nCommala supports whitelisting specific contributors (by email) to skip validation for their commits. 
This is useful for automated bot accounts like Dependabot or Renovate that may not follow conventional commit standards.\n\nEach validator can have its own whitelist configured via `.commala.yml`:\n\n```yaml\nvalidate:\n  branch:\n    enabled: true\n    whitelist:\n      - \"dependabot[bot]@users.noreply.github.com\"\n      - \"renovate[bot]@users.noreply.github.com\"\n  message:\n    enabled: true\n    whitelist:\n      - \"dependabot[bot]@users.noreply.github.com\"\n```\n\nOr via CLI flags:\n\n```bash\ncommala check HEAD~5 \\\n  --branch-whitelist=\"dependabot[bot]@users.noreply.github.com\" \\\n  --message-whitelist=\"dependabot[bot]@users.noreply.github.com\"\n```\n\n**How It Works:**\n\n- Commits from whitelisted authors are marked as \"skipped\" during validation\n- Skipped commits are clearly marked in console output (gray color)\n- JUnit reports include `\u003cskipped\u003e` elements for whitelisted commits\n- Skipped commits don't count as failures\n- Whitelist matching uses exact email comparison (case-sensitive)\n\n### CLI\n\nThe commala command is pretty easy. 
You can run the checks on all commits like this:\n\n```shell\ncommala check\n```\n\nIf you want to check all commits, just pass two dots:\n\n```shell\ncommala check ..\n```\n\nIf you want to specify the commit to start and check until HEAD, just specify the commit hash followed by two dots:\n\n```shell\ncommala check a1b2c3d4e5f67890abcdef1234567890abcdef12..\n```\n\nIf you want to specify the commit to end the check and start from the beginning, just specify the commit hash preceded by two dots:\n\n```shell\ncommala check ..a1b2c3d4e5f67890abcdef1234567890abcdef12\n```\n\nIf you want to specify a commit range, just specify two commit hashes with two dots between them:\n\n```shell\ncommala check f725bf88adb76df5c8c576b514def199e20fc6a0..a1b2c3d4e5f67890abcdef1234567890abcdef12\n```\n\nIf you want to specify a negative index, just use the swung dash notation:\n\n```shell\ncommala check HEAD~3\n```\n\n### Result\n\nTo make it easy to use commala as part of a CI/CD job, it prints the result on the command line and also writes it in JUnit XML format, so that it can be picked up by the source code versioning system of your choice. If one of the checks fails, commala will exit with a non-zero status.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faljoshare%2Fcommala","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faljoshare%2Fcommala","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faljoshare%2Fcommala/lists"}