scorecard/CONTRIBUTING.md

# Contributing to Security Scorecards

Thank you for contributing your time and expertise to the Security Scorecards project.
This document describes the contribution guidelines for the project.

**Note:** Before you start contributing, you must read and abide by our **[Code of Conduct](./CODE_OF_CONDUCT.md)**.

## Contributing code

### Getting started

1. Create [a GitHub account](https://github.com/join)
1. Create a [personal access token](https://docs.github.com/en/free-pro-team@latest/developers/apps/about-apps#personal-access-tokens)
1. Set up your [development environment](#environment-setup)

### Environment Setup

You must install these tools:

1. [`git`](https://help.github.com/articles/set-up-git/): For source control

1. [`go`](https://golang.org/doc/install): You need go version [v1.15](https://golang.org/dl/) or higher.

1. [`docker`](https://docs.docker.com/engine/install/): `v18.9` or higher.

## Contributing steps

1. Submit an issue describing your proposed change to the repo in question.
1. The repo owners will respond to your issue promptly.
1. Fork the desired repo, develop and test your code changes.
1. Submit a pull request.

## How to build scorecard locally

Note that, by building the scorecard from the source code we are allowed to test the changes made locally.

1. Run the following command to clone your fork of the project locally

```shell
git clone git@github.com:<user>/scorecard.git $GOPATH/src/github.com/<user>/scorecard.git
```

1. Ensure you activate module support before continue (`$ export GO111MODULE=on`)
1. Run the command `make build` to build the source code

## What to do before submitting a pull request

Following the targets that can be used to test your changes locally.

| Command    | Description                                         | Is called in the CI? |
| ---------- | --------------------------------------------------- | -------------------- |
| make all   | Runs go test,golangci lint checks, fmt, go mod tidy | yes                  |
| make build | Runs go build                                       | yes                  |

## Permission for GitHub personal access tokens

The personal access token need the following scopes:

- `repo:status` - Access commit status
- `repo_deployment` - Access deployment status
- `public_repo` - Access public repositories

## Where the CI Tests are configured

1. See the [action files](.github/workflows) to check its tests, and the scripts used on it.

## Adding New Checks

Each check is currently just a function of type `CheckFn`.
The signature is:

```golang
type CheckFn func(c.Checker) CheckResult
```

Checks are registered in an init function:

```golang
	AllChecks = append(AllChecks, NamedCheck{
		Name: "Code-Review",
		Fn:   DoesCodeReview,
	})
```

Currently only one set of checks can be run.
In the future, we'll allow declaring multiple suites and configuring which checks get run.
feature - Update the CONTRIBUTING guidelines * Updated the contributing guidelines with Environment Setup, Contributing steps, How to build scorecard locally, What to do before submitting a pull request and Where the CI Tests are configured. Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com> 2021-01-04 20:09:21 +03:00			`# Contributing to Security Scorecards`
Initial commit. 2020-10-09 17:47:59 +03:00
Add license header and code of conduct files. (#34) * Add license header and code of conduct files. * Fill missing field. 2020-10-26 23:22:13 +03:00			`Thank you for contributing your time and expertise to the Security Scorecards project.`
Initial commit. 2020-10-09 17:47:59 +03:00			`This document describes the contribution guidelines for the project.`

Add license header and code of conduct files. (#34) * Add license header and code of conduct files. * Fill missing field. 2020-10-26 23:22:13 +03:00			`Note: Before you start contributing, you must read and abide by our [Code of Conduct](./CODE_OF_CONDUCT.md).`
Initial commit. 2020-10-09 17:47:59 +03:00
			`## Contributing code`

			`### Getting started`

feature - Update the CONTRIBUTING guidelines * Updated the contributing guidelines with Environment Setup, Contributing steps, How to build scorecard locally, What to do before submitting a pull request and Where the CI Tests are configured. Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com> 2021-01-04 20:09:21 +03:00			`1. Create [a GitHub account](https://github.com/join)`
			`1. Create a [personal access token](https://docs.github.com/en/free-pro-team@latest/developers/apps/about-apps#personal-access-tokens)`
			`1. Set up your [development environment](#environment-setup)`
Initial commit. 2020-10-09 17:47:59 +03:00
Add license header and code of conduct files. (#34) * Add license header and code of conduct files. * Fill missing field. 2020-10-26 23:22:13 +03:00			`### Environment Setup`
Initial commit. 2020-10-09 17:47:59 +03:00
			`You must install these tools:`

feature - Update the CONTRIBUTING guidelines * Updated the contributing guidelines with Environment Setup, Contributing steps, How to build scorecard locally, What to do before submitting a pull request and Where the CI Tests are configured. Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com> 2021-01-04 20:09:21 +03:00			1. [`git`](https://help.github.com/articles/set-up-git/): For source control
Initial commit. 2020-10-09 17:47:59 +03:00
feature - Update the CONTRIBUTING guidelines * Updated the contributing guidelines with Environment Setup, Contributing steps, How to build scorecard locally, What to do before submitting a pull request and Where the CI Tests are configured. Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com> 2021-01-04 20:09:21 +03:00			1. [`go`](https://golang.org/doc/install): You need go version [v1.15](https://golang.org/dl/) or higher.
Initial commit. 2020-10-09 17:47:59 +03:00
feature - Update the CONTRIBUTING guidelines * Updated the contributing guidelines with Environment Setup, Contributing steps, How to build scorecard locally, What to do before submitting a pull request and Where the CI Tests are configured. Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com> 2021-01-04 20:09:21 +03:00			1. [`docker`](https://docs.docker.com/engine/install/): `v18.9` or higher.
Initial commit. 2020-10-09 17:47:59 +03:00
feature - Update the CONTRIBUTING guidelines * Updated the contributing guidelines with Environment Setup, Contributing steps, How to build scorecard locally, What to do before submitting a pull request and Where the CI Tests are configured. Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com> 2021-01-04 20:09:21 +03:00			`## Contributing steps`
Initial commit. 2020-10-09 17:47:59 +03:00
feature - Update the CONTRIBUTING guidelines * Updated the contributing guidelines with Environment Setup, Contributing steps, How to build scorecard locally, What to do before submitting a pull request and Where the CI Tests are configured. Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com> 2021-01-04 20:09:21 +03:00			`1. Submit an issue describing your proposed change to the repo in question.`
			`1. The repo owners will respond to your issue promptly.`
			`1. Fork the desired repo, develop and test your code changes.`
			`1. Submit a pull request.`
Initial commit. 2020-10-09 17:47:59 +03:00
feature - Update the CONTRIBUTING guidelines * Updated the contributing guidelines with Environment Setup, Contributing steps, How to build scorecard locally, What to do before submitting a pull request and Where the CI Tests are configured. Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com> 2021-01-04 20:09:21 +03:00			`## How to build scorecard locally`
Initial commit. 2020-10-09 17:47:59 +03:00
feature - Update the CONTRIBUTING guidelines * Updated the contributing guidelines with Environment Setup, Contributing steps, How to build scorecard locally, What to do before submitting a pull request and Where the CI Tests are configured. Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com> 2021-01-04 20:09:21 +03:00			`Note that, by building the scorecard from the source code we are allowed to test the changes made locally.`
Initial commit. 2020-10-09 17:47:59 +03:00
feature - Update the CONTRIBUTING guidelines * Updated the contributing guidelines with Environment Setup, Contributing steps, How to build scorecard locally, What to do before submitting a pull request and Where the CI Tests are configured. Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com> 2021-01-04 20:09:21 +03:00			`1. Run the following command to clone your fork of the project locally`
Initial commit. 2020-10-09 17:47:59 +03:00
			```shell
feature - Update the CONTRIBUTING guidelines * Updated the contributing guidelines with Environment Setup, Contributing steps, How to build scorecard locally, What to do before submitting a pull request and Where the CI Tests are configured. Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com> 2021-01-04 20:09:21 +03:00			`git clone git@github.com:<user>/scorecard.git $GOPATH/src/github.com/<user>/scorecard.git`
Initial commit. 2020-10-09 17:47:59 +03:00			```

feature - Update the CONTRIBUTING guidelines * Updated the contributing guidelines with Environment Setup, Contributing steps, How to build scorecard locally, What to do before submitting a pull request and Where the CI Tests are configured. Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com> 2021-01-04 20:09:21 +03:00			1. Ensure you activate module support before continue (`$ export GO111MODULE=on`)
			1. Run the command `make build` to build the source code

			`## What to do before submitting a pull request`

			`Following the targets that can be used to test your changes locally.`

			`\| Command \| Description \| Is called in the CI? \|`
			`\| ---------- \| --------------------------------------------------- \| -------------------- \|`
			`\| make all \| Runs go test,golangci lint checks, fmt, go mod tidy \| yes \|`
			`\| make build \| Runs go build \| yes \|`

feature - Included the e2e into the PR workflows Validated the presence of the GITHU_AUTH_TOKEN variable presence before running the e2e. Update the contributing doc with scopes of the personal access token. Updated the workflow to include the e2e tests. 2021-01-08 22:09:06 +03:00			`## Permission for GitHub personal access tokens`

			`The personal access token need the following scopes:`

			- `repo:status` - Access commit status
			- `repo_deployment` - Access deployment status
			- `public_repo` - Access public repositories

feature - Update the CONTRIBUTING guidelines * Updated the contributing guidelines with Environment Setup, Contributing steps, How to build scorecard locally, What to do before submitting a pull request and Where the CI Tests are configured. Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com> 2021-01-04 20:09:21 +03:00			`## Where the CI Tests are configured`

			`1. See the [action files](.github/workflows) to check its tests, and the scripts used on it.`

Initial commit. 2020-10-09 17:47:59 +03:00			`## Adding New Checks`

			Each check is currently just a function of type `CheckFn`.
			`The signature is:`

			```golang
Add better logging. 2020-10-13 19:29:29 +03:00			`type CheckFn func(c.Checker) CheckResult`
Initial commit. 2020-10-09 17:47:59 +03:00			```

			`Checks are registered in an init function:`

			```golang
			`AllChecks = append(AllChecks, NamedCheck{`
			`Name: "Code-Review",`
			`Fn: DoesCodeReview,`
			`})`
			```

			`Currently only one set of checks can be run.`
			`In the future, we'll allow declaring multiple suites and configuring which checks get run.`