{"id":21144750,"url":"https://github.com/rogeruiz/repasar","last_synced_at":"2026-05-18T07:35:09.226Z","repository":{"id":65161534,"uuid":"576769063","full_name":"rogeruiz/repasar","owner":"rogeruiz","description":"A GitHub Action to run git-verify-commit on latest SHA on push","archived":false,"fork":false,"pushed_at":"2025-11-12T23:24:55.000Z","size":120,"stargazers_count":1,"open_issues_count":4,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-05-16T07:02:47.344Z","etag":null,"topics":["github-actions","github-actions-ci","gpg-signatures","security"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rogeruiz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-12-10T23:07:06.000Z","updated_at":"2025-11-12T23:24:59.000Z","dependencies_parsed_at":"2023-02-08T20:47:08.680Z","dependency_job_id":null,"html_url":"https://github.com/rogeruiz/repasar","commit_stats":{"total_commits":9,"total_committers":1,"mean_commits":9.0,"dds":0.0,"last_synced_commit":"50291839e3aa36a40fc46105ab06066dec1ae556"},"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/rogeruiz/repasar","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rogeruiz%2Frepasar","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rogeruiz%2Frepasar/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rogeruiz%2Frepasar/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rogeruiz%2Frepasar/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rogeruiz","download_url":"https://codeload.github.com/rogeruiz/repasar/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rogeruiz%2Frepasar/sbom","scorecard":{"id":782786,"data":{"date":"2025-08-11","repo":{"name":"github.com/rogeruiz/repasar","commit":"50291839e3aa36a40fc46105ab06066dec1ae556"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.8,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":0,"reason":"Found 0/9 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/verify-commits.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: GNU Affero General Public License v3.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/verify-commits.yml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/rogeruiz/repasar/verify-commits.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/verify-commits.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/rogeruiz/repasar/verify-commits.yml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating alpine:latest to alpine:latest@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","Info:   0 out of   1 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned","Info:   0 out of   1 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}}]},"last_synced_at":"2025-08-23T05:18:04.684Z","repository_id":65161534,"created_at":"2025-08-23T05:18:04.684Z","updated_at":"2025-08-23T05:18:04.684Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33093666,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-16T04:41:52.686Z","status":"ssl_error","status_checked_at":"2026-05-16T04:41:52.009Z","response_time":115,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-actions","github-actions-ci","gpg-signatures","security"],"created_at":"2024-11-20T08:22:01.790Z","updated_at":"2026-05-18T07:35:09.222Z","avatar_url":"https://github.com/rogeruiz.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"![The Repasar GitHub repository social image](./.github/repo-social.jpg)\n\n# Repasar\n\nThe Repasar GitHub Action (GHA) checks the commit signatures for security. It\nnow supports verifying **all commits in a pull request (PR)**, not just the\nlatest commit. For push events, it continues to verify the latest commit as\nbefore.\n\n- For PRs: All commits in the PR are checked for verified signatures.\n- For pushes: Only the latest commit is checked.\n\n## Setup\n\nCopy the text below into a file in your repository called\n`.github/workflows/verified_commits_check.yml` then just commit and push it to\nyour default branch.\n\n```yaml\n# .github/workflows/verify-commits.yml\nname: Verifying the latest commit\nrun-name: ${{ github.actor }} is verifying the validity of current commit\non: [push]\njobs:\n  check-sha:\n    runs-on: ubuntu-latest\n    name: Check the SHA of the latest commit\n    steps:\n      - name: Checkout the code\n        uses: actions/checkout@v5\n      - name: Run repasar on the latest SHA\n        uses: rogeruiz/repasar@v1.1.3\n        with:\n          allowed-signers-file-path: ./.github/allowed_signers\n          fail-on-unverified: true\n        env:\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n```\n\n## Required inputs\n\nThe only required input is the `allowed-signers-file-path` which is recommended\nto be resolved to `./.github/allowed_signers`. This file contains the public SSH\nkeys in the following format per-line.\n\n```sh\n\u003cemail\u003e[,\u003cemail\u003e...] \u003ckey type\u003e \u003cpublic key\u003e\n```\n\n\u003e [!IMPORTANT]\n\u003e This file can be created manually by taking the public key file you have\n\u003e locally and rearranging the comment email at the end to the beginning.\n\u003e Remember to add only the emails you'd like to allow for verification purposes.\n\n## Optional inputs\n\nBy default, this Action does not fail the run if the verification of the commit\nis unsuccessful. If you would like to have the Action fail, then set the\n`fail-on-unverified` to `true` in the `workflows/` Yaml file.\n\n## Environment variables the action uses\n\n- `${GITHUB_SHA}`: Used for single commit verification (push events).\n- `${GITHUB_EVENT_NAME}` and `${GITHUB_EVENT_PATH}`: Used to detect PR context\n  and extract PR number.\n- `${GITHUB_TOKEN}`: **Required for PR verification** to fetch all commits in\n  the PR using the GitHub API.\n\n**Note:** For PRs, ensure the workflow has access to `GITHUB_TOKEN` (default in\nGitHub Actions) and that the token has `repo` scope for private repositories.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frogeruiz%2Frepasar","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frogeruiz%2Frepasar","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frogeruiz%2Frepasar/lists"}