mirror of
https://github.com/ossf/scorecard.git
synced 2024-09-17 11:57:12 +03:00
Update documentation (#583)
Co-authored-by: Azeem Shaikh <azeems@google.com>
This commit is contained in:
parent
bf4db8577b
commit
96ea5577d1
337
README.md
@ -8,66 +8,66 @@

<!-- vim-markdown-toc GFM -->

* [Motivation](#motivation)
* [Goals](#goals)
* [Public Data](#public-data)
* [Usage](#usage)
* [Package manager support](#package-manager-support)
* [Docker](#docker)
* [Caching](#caching)
* [Blob Cache](#blob-cache)
* [Disk Cache](#disk-cache)
* [Gitcache](#gitcache)
* [In the initial run](#in-the-initial-run)
* [On the subsequent runs](#on-the-subsequent-runs)
* [Authentication](#authentication)
* [GITHUB_AUTH_TOKEN](#github_auth_token)
* [Checks](#checks)
* [Results](#results)
* [Running specific checks](#running-specific-checks)
* [Formatting Results](#formatting-results)
* [Requirements](#requirements)
* [Troubleshooting](#troubleshooting)
* [Supportability](#supportability)
* [Contributing](#contributing)
* [Community Meetings](#community-meetings)
* [Motivation](#motivation)
* [Goals](#goals)
* [Scorecard Checks](#scorecard-checks)
* [Usage](#usage)
* [Using repository URL](#using-repository-url)
* [Using a package manager](#using-a-package-manager)
* [Running specific checks](#running-specific-checks)
* [Authentication](#authentication)
* [Understanding Scorecard results](#understanding-scorecard-results)
* [Formatting Results](#formatting-results)
* [Public Data](#public-data)
* [Adding a Scorecard Check](#adding-a-scorecard-check)
* [Troubleshooting](#troubleshooting)
* [Supportability](#supportability)
* [Contributing](#contributing)

<!-- vim-markdown-toc -->

## Motivation

A short motivational video clip to inspire us: https://youtu.be/rDMMYT3vkTk "You passed! All D's ... and an A!"
A short motivational video clip to inspire us: https://youtu.be/rDMMYT3vkTk "You
passed! All D's ... and an A!"

## Goals

1. Automate analysis and trust decisions on the security posture of open source projects.
1. Automate analysis and trust decisions on the security posture of open source
projects.

1. Use this data to proactively improve the security posture of the critical projects the world depends on.
1. Use this data to proactively improve the security posture of the critical
projects the world depends on.

## Public Data
## Scorecard Checks

If you're only interested in seeing the results over time, we run this program nightly and publish the results in
`json` format.
The following checks are all run against the target project by default:

This data is available on Google Cloud Storage and can be downloaded via the
[`gsutil`](https://cloud.google.com/storage/docs/gsutil_install)
command-line tool.
Name | Description
------------------ | -----------
Security-Policy | Does the project contain a [security policy](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository)?
Contributors | Does the project have contributors from at least two different organizations?
Frozen-Deps | Does the project declare and freeze [dependencies](https://docs.github.com/en/free-pro-team@latest/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)?
Signed-Releases | Does the project cryptographically [sign releases](https://wiki.debian.org/Creating%20signed%20GitHub%20releases)?
Signed-Tags | Does the project cryptographically sign release tags?
CI-Tests | Does the project run tests in CI, e.g. [GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions), [Prow](https://github.com/kubernetes/test-infra/tree/master/prow)?
Code-Review | Does the project require code review before code is merged?
CII-Best-Practices | Does the project have a [CII Best Practices Badge](https://bestpractices.coreinfrastructure.org/en)?
Pull-Requests | Does the project use [Pull Requests](https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/about-pull-requests) for all code changes?
Fuzzing | Does the project use fuzzing tools, e.g. [OSS-Fuzz](https://github.com/google/oss-fuzz)?
SAST | Does the project use static code analysis tools, e.g. [CodeQL](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions), [SonarCloud](https://sonarcloud.io)?
Active | Did the project get any commits in the last 90 days?
Branch-Protection | Does the project use [Branch Protection](https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/about-protected-branches) ?
Packaging | Does the project build and publish official packages from CI/CD, e.g. [GitHub Publishing](https://docs.github.com/en/free-pro-team@latest/actions/guides/about-packaging-with-github-actions#workflows-for-publishing-packages) ?

```shell
$ gsutil ls gs://ossf-scorecards/
gs://ossf-scorecards/11-11-2020.json
...
```

The latest results are also always available at https://storage.googleapis.com/ossf-scorecards/latest.json

The list of projects that are checked each night is available in the
[`cron/data/projects.csv`](https://github.com/ossf/scorecard/blob/main/cron/data/projects.csv)
file in this repository. If you would like us to track more, please feel free to
send a Pull Request with others.
To see detailed information about each check and remediation steps, check out
the [checks documentation page](checks/checks.md).

## Usage

The program only requires one argument to run, the name of the repo:
### Using repository URL

The program can run using just one argument, the URL of the repo:

```shell
$ go build
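Review bot: the new TOC entry `* [Using a package manager](#using-a-package-manager)` does not match the body heading `### Using a Package manager` that a later hunk introduces; the anchor still resolves because GFM lowercases slugs, but this TOC is marked as generated (`<!-- vim-markdown-toc GFM -->`), so it should be regenerated once the headings are final rather than edited by hand, otherwise the two drift apart again. Dropping the `Docker`, `Caching` and `Gitcache` entries is only consistent if those sections have a new home; Caching moves to `roundtripper/README.md` in this commit, but neither the TOC nor the body links to it.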
@ -119,7 +119,7 @@ Signed-Releases: Fail 10
Signed-Tags: Fail 10
```

### Package manager support
### Using a Package manager

scorecard has an option to provide either `--npm` / `--pypi` / `--rubygems`
package name and it would run the checks on the corresponding GitHub source
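Review bot: the renamed heading `### Using a Package manager` capitalizes "Package" while its sibling `### Using repository URL` and the TOC entry `Using a package manager` do not; suggest `### Using a package manager`. Since the paragraph is being touched anyway, the context sentence "scorecard has an option to provide either `--npm` / `--pypi` / `--rubygems` package name and it would run the checks on the corresponding GitHub source code" would read more clearly as "Scorecard accepts a package name via `--npm`, `--pypi` or `--rubygems` and runs the checks against the corresponding GitHub source repository".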
@ -127,7 +127,7 @@ code.

For example:

``` shell
```shell
./scorecard --npm=angular
Starting [Active]
Starting [Branch-Protection]
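Review bot: the fence fix from ```` ``` shell ```` to ```` ```shell ```` is correct (the space after the backticks stops GitHub from applying shell highlighting). While here: the walkthrough `./scorecard --npm=angular` is shown without the `GITHUB_AUTH_TOKEN` precondition that the Authentication section declares mandatory, and the one sentence in the README that stated that requirement next to a command is deleted elsewhere in this commit, so a one-line reminder above this example would keep the walkthrough runnable as written.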
@ -176,68 +176,22 @@ Signed-Releases: Fail 0
Signed-Tags: Fail 10
```

### Docker
### Running specific checks

`scorecard` is available as a Docker container:
To use a particular check(s), add the `--checks` argument with a list of check
names.

The `GITHUB_AUTH_TOKEN` has to be set to a valid [token](#github_auth_token)

``` shell
docker run -e GITHUB_AUTH_TOKEN=token gcr.io/openssf/scorecard:latest --show-details --repo=https://github.com/ossf/scorecard
```

### Caching

Scorecard uses `httpcache` with <https://docs.github.com/en/rest/overview/resources-in-the-rest-api#conditional-requests> for caching httpresponse. The default cache is in-memory.

Some details on caching <https://github.com/ossf/scorecard/issues/80#issuecomment-782723182>

#### Blob Cache

Scorecard results can be cached into a blob for increasing throughput for subsequent runs.

To use blob cache two env variables have to be set `USE_BLOB_CACHE=true` and `BLOB_URL=gs://scorecards-cache/`.

The code uses <https://github.com/google/go-cloud> for blob caching. It is compatible with GCS,S3 and Azure blob.

#### Disk Cache

Scorecard results can be cached into a disk for increasing throughput for subsequent runs.

To use disk cache two env variables have to be set `USE_DISK_CACHE=true` and `DISK_CACHE_PATH=./cache`.

There is no TTL on cache.

The default cache size is 10GB.

### Gitcache

Gitcache reduces the GitHub API usage by cloning the Git repository without authentication and checking for updates.

#### In the initial run
- Clone the repository anonymously (not using GitHub API token).
- Tarball and compress it.
- Store the compressed file into a blob store GCS.
- Store the last commit date within the blob.
- Also compress the folder without .git for the consumers.

#### On the subsequent runs
- pull gzip from GCS
- unzip git repo
- git pull origin
- update metadata (last sync, etc.)
- gzip, reupload to GCS

[gitcache](gitcache/README.md) documentation for more details.
For example, `--checks=CI-Tests,Code-Review`.

### Authentication

Before running Scorecard, you need to
[create a GitHub access token](https://docs.github.com/en/free-pro-team@latest/developers/apps/about-apps#personal-access-tokens)
and set it in environment variable `GITHUB_AUTH_TOKEN`.
This helps to avoid the GitHub's
[api rate limits](https://developer.github.com/v3/#rate-limiting)
with unauthenticated requests.
Before running Scorecard, you need to, either:

- [create a GitHub access token](https://docs.github.com/en/free-pro-team@latest/developers/apps/about-apps#personal-access-tokens)
and set it in environment variable `GITHUB_AUTH_TOKEN`. This helps to avoid
the GitHub's
[api rate limits](https://developer.github.com/v3/#rate-limiting) with
unauthenticated requests.

```shell
# For posix platforms, e.g. linux, mac:
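Review bot: the `### Docker` subsection (with its `docker run -e GITHUB_AUTH_TOKEN=token gcr.io/openssf/scorecard:latest --show-details --repo=https://github.com/ossf/scorecard` example) and the entire `### Gitcache` subsection, including the only link to `gitcache/README.md`, are deleted here with no replacement anywhere in the patch, and the Caching text that moves to `roundtripper/README.md` leaves no pointer behind. Removing user-facing documentation from the README is a bigger change than the commit message "Update documentation (#583)" conveys; either keep a short Docker usage line under Usage and link `roundtripper/README.md` and `gitcache/README.md` from the README, or state the removals in the commit message. Minor: the new lead-in `Before running Scorecard, you need to, either:` has a stray comma before `either`.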
@ -247,14 +201,12 @@ export GITHUB_AUTH_TOKEN=<your access token>
set GITHUB_AUTH_TOKEN=<your access token>
```

#### GITHUB_AUTH_TOKEN
Multiple `GITHUB_AUTH_TOKEN` can be provided separated by comma to be utilized
in a round robin fashion.

Multiple `GITHUB_AUTH_TOKEN` can be provided separated by comma to be utilized in a round robin fashion.

As an alternative to personal access tokens, we also support GitHub App Installations
for higher rate-limit quotas.
If you have an installed GitHub App and key file, you can use these three environment
variables, following the commands shown above for your platform.
- create a GitHub App Installations for higher rate-limit quotas. If you have
an installed GitHub App and key file, you can use these three environment
variables, following the commands shown above for your platform.

```
GITHUB_APP_KEY_PATH=<path to the key file on disk>
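Review bot: `- create a GitHub App Installations for higher rate-limit quotas.` is ungrammatical (singular article, plural noun), and what the user actually does is install an app, so suggest `- install a GitHub App for higher rate-limit quotas.`. The `GITHUB_APP_KEY_PATH=...` block that follows belongs to this bullet, but its fence is neither indented under the list item nor tagged, so it renders as a detached block without the `shell` highlighting the `GITHUB_AUTH_TOKEN` block above gets; indent it under the bullet and tag it `shell`. Keeping the sentence `Multiple `GITHUB_AUTH_TOKEN` can be provided separated by comma to be utilized in a round robin fashion.` is good, since the `#### GITHUB_AUTH_TOKEN` subheading that carried it is gone.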
@ -262,97 +214,116 @@ GITHUB_APP_INSTALLATION_ID=<installation id>
GITHUB_APP_ID=<app id>
```

These can be obtained from the GitHub [developer settings](https://github.com/settings/apps) page.
These can be obtained from the GitHub
[developer settings](https://github.com/settings/apps) page.

## Checks
### Understanding Scorecard results

The following checks are all run against the target project:

| Name | Description |
| ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Security-Policy | Does the project contain a [security policy](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository)? |
| Contributors | Does the project have contributors from at least two different organizations? |
| Frozen-Deps | Does the project declare and freeze [dependencies](https://docs.github.com/en/free-pro-team@latest/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)? |
| Signed-Releases | Does the project cryptographically [sign releases](https://wiki.debian.org/Creating%20signed%20GitHub%20releases)? |
| Signed-Tags | Does the project cryptographically sign release tags? |
| CI-Tests | Does the project run tests in CI, e.g. [GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions), [Prow](https://github.com/kubernetes/test-infra/tree/master/prow)? |
| Code-Review | Does the project require code review before code is merged? |
| CII-Best-Practices | Does the project have a [CII Best Practices Badge](https://bestpractices.coreinfrastructure.org/en)? |
| Pull-Requests | Does the project use [Pull Requests](https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/about-pull-requests) for all code changes? |
| Fuzzing | Does the project use fuzzing tools, e.g. [OSS-Fuzz](https://github.com/google/oss-fuzz)? |
| SAST | Does the project use static code analysis tools, e.g. [CodeQL](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions), [SonarCloud](https://sonarcloud.io)? |
| Active | Did the project get any commits in the last 90 days? |
| Branch-Protection | Does the project use [Branch Protection](https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/about-protected-branches) ? |
| Packaging | Does the project build and publish official packages from CI/CD, e.g. [GitHub Publishing](https://docs.github.com/en/free-pro-team@latest/actions/guides/about-packaging-with-github-actions#workflows-for-publishing-packages) ? |

To see detailed information about each check and remediation steps,
check out the [checks documentation page](checks/checks.md).

If you'd like to add a check, make sure it is something that meets the following criteria:

- automate-able
- objective
- actionable

and then create a new GitHub Issue.

## Results

Each check returns a **Pass / Fail** decision, as well as a confidence score between **0 and 10**.
A confidence of 0 should indicate the check was unable to achieve any real signal, and the result
should be ignored.
A confidence of 10 indicates the check is completely sure of the result.

Many of the checks are based on heuristics, contributions are welcome to improve the detection!

### Running specific checks

To use a particular check(s), add the `--checks` argument with a list of check
names.

For example, `--checks=CI-Tests,Code-Review`.
Each check returns a **Pass / Fail** decision, as well as a confidence score
between **0 and 10**. A confidence of 0 should indicate the check was unable to
achieve any real signal, and the result should be ignored. A confidence of 10
indicates the check is completely sure of the result.

### Formatting Results

There are three formats currently: `default`, `json`, and `csv`. Others may be added in the future.
There are three formats currently: `default`, `json`, and `csv`. Others may be
added in the future.

These may be specified with the `--format` flag.

## Requirements
## Public Data

- The scorecard must only be composed of automate-able, objective data. For example, a project having 10 contributors doesn’t necessarily mean it’s more secure than a project with say 50 contributors. But, having two maintainers might be preferable to only having one - the larger bus factor and ability to provide code reviews is objectively better.
- The scorecard criteria can be as specific as possible and not limited general recommendations. For example, for Go, we can recommend/require specific linters and analyzers to be run on the codebase.
- The scorecard can be populated for any open source project without any work or interaction from maintainers.
- Maintainers must be provided with a mechanism to correct any automated scorecard findings they feel were made in error, provide "hints" for anything we can't detect automatically, and even dispute the applicability of a given scorecard finding for that repository.
- Any criteria in the scorecard must be actionable. It should be possible, with help, for any project to "check all the boxes".
- Any solution to compile a scorecard should be usable by the greater open source community to monitor upstream security.
If you're only interested in seeing a list of projects with their Scorecard
check results, we publish these results in a
[BigQuery public dataset](https://cloud.google.com/bigquery/public-data).

This data is available in the public BigQuery dataset
`openssf:scorecardcron.scorecard`. The latest results are available in the
BigQuery view `openssf:scorecardcron.scorecard_latest`.

You can extract the latest results to Google Cloud storage in JSON format using
the [`bq`](https://cloud.google.com/bigquery/docs/bq-command-line-tool) tool:

```
# Get the latest PARTITION_ID
bq query --nouse_legacy_sql 'SELECT partition_id FROM
openssf.scorecardcron.INFORMATION_SCHEMA.PARTITIONS ORDER BY partition_id DESC
LIMIT 1'

# Extract to GCS
bq extract --destination_format=NEWLINE_DELIMITED_JSON
'openssf:scorecardcron.scorecard$<partition_id>' gs://bucket-name/filename.json

```

The list of projects that are checked is available in the
[`cron/data/projects.csv`](https://github.com/ossf/scorecard/blob/main/cron/data/projects.csv)
file in this repository. If you would like us to track more, please feel free to
send a Pull Request with others.

**NOTE**: Currently, these lists are derived from **projects hosted on GitHub
ONLY**. We do plan to expand them in near future to account for projects hosted
on other source control systems.

## Adding a Scorecard Check

If you'd like to add a check, make sure it is something that meets the following
criteria and then create a new GitHub Issue:

- The scorecard must only be composed of automate-able, objective data. For
example, a project having 10 contributors doesn’t necessarily mean it’s more
secure than a project with say 50 contributors. But, having two maintainers
might be preferable to only having one - the larger bus factor and ability
to provide code reviews is objectively better.
- The scorecard criteria can be as specific as possible and not limited
general recommendations. For example, for Go, we can recommend/require
specific linters and analyzers to be run on the codebase.
- The scorecard can be populated for any open source project without any work
or interaction from maintainers.
- Maintainers must be provided with a mechanism to correct any automated
scorecard findings they feel were made in error, provide "hints" for
anything we can't detect automatically, and even dispute the applicability
of a given scorecard finding for that repository.
- Any criteria in the scorecard must be actionable. It should be possible,
with help, for any project to "check all the boxes".
- Any solution to compile a scorecard should be usable by the greater open
source community to monitor upstream security.

## Troubleshooting

- ### Bugs and Feature Requests:
If you have what looks like a bug, or you would like to make a feature request, please use the [Github issue tracking system.](https://github.com/ossf/scorecard/issues)
Before you file an issue, please search existing issues to see if your issue is already covered.
- ### Bugs and Feature Requests:

If you have what looks like a bug, or you would like to make a feature
request, please use the
[Github issue tracking system.](https://github.com/ossf/scorecard/issues)
Before you file an issue, please search existing issues to see if your issue
is already covered.

- ### Slack
For realtime discussion, you can join the [#security_scorecards](https://slack.openssf.org/#security_scorecards) slack channel. Slack requires registration, but the openssf team is open invitation to anyone to register here. Feel free to come and ask any questions.
- ### Slack

For realtime discussion, you can join the
[#security_scorecards](https://slack.openssf.org/#security_scorecards) slack
channel. Slack requires registration, but the openssf team is open
invitation to anyone to register here. Feel free to come and ask any
questions.

## Supportability

Currently, scorecard officially supports OSX and Linux platforms. So, if you are using a Windows OS you may find issues. Contributions towards supporting Windows are welcome.
Currently, scorecard officially supports OSX and Linux platforms. So, if you are
using a Windows OS you may find issues. Contributions towards supporting Windows
are welcome.

## Contributing

If you want to get involved or have ideas you'd like to chat about, we discuss this project in the [OSSF Best Practices Working Group](https://github.com/ossf/wg-best-practices-os-developers) meetings.

See the [Community Calendar](https://calendar.google.com/calendar?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ) for the schedule and meeting invitations.

See the [Contributing](CONTRIBUTING.md) documentation for guidance on how to contribute.

## Community Meetings

The meetings happen biweekly https://calendar.google.com/calendar/embed?src=s63voefhp5i9pfltb5q67ngpes%40group.calendar.google.com&ctz=America%2FLos_Angeles

You are more than welcome to attend.
If you want to get involved or have ideas you'd like to chat about, we discuss
this project in the
[OSSF Best Practices Working Group](https://github.com/ossf/wg-best-practices-os-developers)
meetings.

See the
[Community Calendar](https://calendar.google.com/calendar?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ)
for the schedule and meeting invitations. The meetings happen biweekly
https://calendar.google.com/calendar/embed?src=s63voefhp5i9pfltb5q67ngpes%40group.calendar.google.com&ctz=America%2FLos_Angeles

See the [Contributing](CONTRIBUTING.md) documentation for guidance on how to
contribute.
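Review bot: the `bq extract` example breaks when pasted into a shell: `bq extract --destination_format=NEWLINE_DELIMITED_JSON` ends with no line continuation, so it runs as a command with no source table, and `'openssf:scorecardcron.scorecard$<partition_id>' gs://bucket-name/filename.json` is then executed as a second command. Add a trailing `\` to the first line (the `bq query` call above is fine because its line break falls inside the single-quoted SQL) and tag the fence `shell` like the other command blocks. Also, `## Adding a Scorecard Check` now presents the former `## Requirements` list, which are scorecard-wide design principles ("usable by the greater open source community to monitor upstream security"), as criteria a single new check must meet; the removed three-item list `automate-able` / `objective` / `actionable` was the per-check criteria and fits this heading better. Smaller: `[Github issue tracking system.]` puts the period inside the link text and spells "GitHub" inconsistently, and the bare calendar URL after `The meetings happen biweekly` should be a markdown link.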
31
roundtripper/README.md
Normal file
@ -0,0 +1,31 @@
## Caching

Scorecard uses `httpcache` with
<https://docs.github.com/en/rest/overview/resources-in-the-rest-api#conditional-requests>
for caching httpresponse. The default cache is in-memory.

Some details on caching
<https://github.com/ossf/scorecard/issues/80#issuecomment-782723182>

### Blob Cache

Scorecard results can be cached into a blob for increasing throughput for
subsequent runs.

To use blob cache two env variables have to be set `USE_BLOB_CACHE=true` and
`BLOB_URL=gs://scorecards-cache/`.

The code uses <https://github.com/google/go-cloud> for blob caching. It is
compatible with GCS,S3 and Azure blob.

### Disk Cache

Scorecard results can be cached into a disk for increasing throughput for
subsequent runs.

To use disk cache two env variables have to be set `USE_DISK_CACHE=true` and
`DISK_CACHE_PATH=./cache`.

There is no TTL on cache.

The default cache size is 10GB.
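Review bot: `for caching httpresponse` should read `for caching HTTP responses`, and `GCS,S3 and Azure blob` needs a space after the comma. More substantively, the Blob Cache and Disk Cache paragraphs say `Scorecard results can be cached`, yet this file lives under `roundtripper/` and opens by describing `httpcache` with GitHub conditional requests; state whether these caches hold raw GitHub API responses or finished check results, because anyone choosing a shared `DISK_CACHE_PATH` or a `BLOB_URL` bucket needs to know what data ends up there and who can read it. `There is no TTL on cache.` together with `The default cache size is 10GB.` leaves eviction undefined; say what happens when the limit is reached and how an operator clears stale entries, and mark `BLOB_URL=gs://scorecards-cache/` as an example bucket rather than a value to copy.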