📖 Use scorecard (singular) consistently (#2428)

* Use scorecard (singular) consistently
* Use OpenSSF instead of Security in name and add FAQ entry
Arnaud J Le Hors 2022-12-01 10:36:12 +01:00 committed by GitHub
parent c61f6bc297
commit c3f4e31c28
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 91 additions and 86 deletions

View File

@ -1,6 +1,6 @@
# Contributing to Security Scorecards
# Contributing to OpenSSF Scorecard
Thank you for contributing your time and expertise to the Security Scorecards
Thank you for contributing your time and expertise to the OpenSSF Scorecard
project. This document describes the contribution guidelines for the project.
**Note:** Before you start contributing, you must read and abide by our

View File

@ -1,4 +1,4 @@
# Security Scorecards
# OpenSSF Scorecard
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/ossf/scorecard/badge)](https://api.securityscorecards.dev/projects/github.com/ossf/scorecard)
[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/5621/badge)](https://bestpractices.coreinfrastructure.org/projects/5621)
@ -14,16 +14,16 @@
## Overview
- [What Is Scorecards?](#what-is-scorecards)
- [Prominent Scorecards Users](#prominent-scorecards-users)
- [Scorecards' Public Data](#public-data)
- [What Is Scorecard?](#what-is-scorecard)
- [Prominent Scorecard Users](#prominent-scorecard-users)
- [Scorecard' Public Data](#public-data)
## Using Scorecards
## Using Scorecard
- [Scorecards GitHub Action](#scorecards-github-action)
- [Scorecards REST API](#scorecards-rest-api)
- [Scorecards Badges](#scorecards-badges)
- [Scorecards Command Line Interface](#scorecards-command-line-interface)
- [Scorecard GitHub Action](#scorecard-github-action)
- [Scorecard REST API](#scorecard-rest-api)
- [Scorecard Badges](#scorecard-badges)
- [Scorecard Command Line Interface](#scorecard-command-line-interface)
- [Prerequisites](#prerequisites)
- [Installation](#installation)
- [Authentication](#authentication)
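Review bot: The new table-of-contents entry `[Scorecard' Public Data](#public-data)` keeps a dangling apostrophe from the old plural possessive; write it as `Scorecard's Public Data`, or simply `Public Data` to match the `### Public Data` heading it links to. The renamed fragments in this list (`#scorecard-github-action`, `#scorecard-rest-api`, `#scorecard-badges`, `#scorecard-command-line-interface`) also mean that existing external links to the old `#scorecards-...` fragments will stop resolving, which is worth a line in the release notes.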
@ -31,7 +31,7 @@
## Checks
- [Default Scorecards Checks](#scorecard-checks)
- [Default Scorecard Checks](#scorecard-checks)
- [Detailed Check Documentation](docs/checks.md) (Scoring Criteria, Risks, and
Remediation)
@ -42,9 +42,9 @@
- [Report Problems](#report-problems)
- [Code of Conduct](CODE_OF_CONDUCT.md)
- [Contribute to Scorecards ](CONTRIBUTING.md)
- [Contribute to Scorecard ](CONTRIBUTING.md)
- [Add a New Check](checks/write.md)
- [Connect with the Scorecards Community](#connect-with-the-scorecards-community)
- [Connect with the Scorecard Community](#connect-with-the-scorecard-community)
- [Report a Security Issue](SECURITY.md)
## FAQ
@ -53,12 +53,12 @@
## Overview
### What is Scorecards?
We created Scorecards to help open source maintainers improve their security
### What is Scorecard?
We created Scorecard to help open source maintainers improve their security
best practices and to help open source consumers judge whether their dependencies
are safe.
Scorecards is an automated tool that assesses a number of important heuristics
Scorecard is an automated tool that assesses a number of important heuristics
[("checks")](#scorecard-checks) associated with software security and assigns
each check a score of 0-10. You can use these scores to understand specific
areas to improve in order to strengthen the security posture of your project.
@ -66,7 +66,7 @@ You can also assess the risks that dependencies introduce, and make informed
decisions about accepting these risks, evaluating alternative solutions, or
working with the maintainers to make improvements.
The inspiration for Scorecards logo:
The inspiration for Scorecards logo:
["You passed! All D's ... and an A!"](https://youtu.be/rDMMYT3vkTk)
#### Project Goals
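Review bot: The line `The inspiration for Scorecards logo:` still uses the plural after this change; the removed and added lines read the same here, so the edit appears to be whitespace only. For consistency with the rest of the commit it should read `The inspiration for Scorecard's logo:`.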
@ -77,10 +77,10 @@ The inspiration for Scorecards logo:
1. Use this data to proactively improve the security posture of the critical
projects the world depends on.
### Prominent Scorecards Users
### Prominent Scorecard Users
Scorecards has been run on thousands of projects to monitor and track security
metrics. Prominent projects that use Scorecards include:
Scorecard has been run on thousands of projects to monitor and track security
metrics. Prominent projects that use Scorecard include:
- [Tensorflow](https://github.com/tensorflow/tensorflow)
- [Angular](https://github.com/angular/angular)
@ -90,7 +90,7 @@ metrics. Prominent projects that use Scorecards include:
### Public Data
We run a weekly Scorecards scan of the 1 million most critical open source
We run a weekly Scorecard scan of the 1 million most critical open source
projects judged by their direct dependencies and publish the results in a
[BigQuery public dataset](https://cloud.google.com/bigquery/public-data).
@ -128,29 +128,29 @@ send a Pull Request with others. Currently, this list is derived from **projects
hosted on GitHub ONLY**. We do plan to expand them in near future to account for
projects hosted on other source control systems.
## Using Scorecards
## Using Scorecard
### Scorecards GitHub Action
### Scorecard GitHub Action
The easiest way to use Scorecards on GitHub projects you own is with the
[Scorecards GitHub Action](https://github.com/ossf/scorecard-action). The Action
The easiest way to use Scorecard on GitHub projects you own is with the
[Scorecard GitHub Action](https://github.com/ossf/scorecard-action). The Action
runs on any repository change and issues alerts that maintainers can view in the
repositorys Security tab. For more information, see the Scorecards GitHub
repositorys Security tab. For more information, see the Scorecard GitHub
Action
[installation instructions](https://github.com/ossf/scorecard-action#installation).
### Scorecards REST API
### Scorecard REST API
To query pre-calculated scores of OSS projects, use the [REST API](https://api.securityscorecards.dev).
To enable your project to be available on the REST API, set
[`publish_results: true`](https://github.com/ossf/scorecard-action/blob/dd5015aaf9688596b0e6d11e7f24fff566aa366b/action.yaml#L35)
in the Scorecards GitHub Action setting.
in the Scorecard GitHub Action setting.
### Scorecards Badges
### Scorecard Badges
Enabling [`publish_results: true`](https://github.com/ossf/scorecard-action/blob/dd5015aaf9688596b0e6d11e7f24fff566aa366b/action.yaml#L35)
in Scorecards GitHub Actions also allows maintainers to display a Scorecard badge on their repository to show off their
in Scorecard GitHub Actions also allows maintainers to display a Scorecard badge on their repository to show off their
hard work. This badge also auto-updates for every change made to the repository.
To include a badge on your project's repository, simply add the following markdown to your README:
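Review bot: The badge paragraph now says `in Scorecard GitHub Actions` while the REST API paragraph just above it says `in the Scorecard GitHub Action setting`; use the singular `Action` in both places so the product name is consistent. While these lines are being touched, `repositorys Security tab` as shown here lacks its apostrophe on both the old and the new side.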
@ -159,18 +159,18 @@ To include a badge on your project's repository, simply add the following markdo
Scorecard](https://api.securityscorecards.dev/projects/github.com/{owner}/{repo}/badge)](https://api.securityscorecards.dev/projects/github.com/{owner}/{repo})
```
### Scorecards Command Line Interface
### Scorecard Command Line Interface
To run a Scorecards scan on projects you do not own, use the command line
To run a Scorecard scan on projects you do not own, use the command line
interface installation option.
#### Prerequisites
Platforms: Currently, Scorecards supports OSX and Linux platforms. If you are
Platforms: Currently, Scorecard supports OSX and Linux platforms. If you are
using a Windows OS you may experience issues. Contributions towards supporting
Windows are welcome.
Language: You must have GoLang installed to run Scorecards
Language: You must have GoLang installed to run Scorecard
(https://golang.org/doc/install)
#### Installation
@ -183,7 +183,7 @@ Language: You must have GoLang installed to run Scorecards
docker pull gcr.io/openssf/scorecard:stable
```
To use a specific scorecards version (e.g., v3.2.1), run:
To use a specific scorecard version (e.g., v3.2.1), run:
```shell
docker pull gcr.io/openssf/scorecard:v3.2.1
@ -191,7 +191,7 @@ docker pull gcr.io/openssf/scorecard:v3.2.1
##### Standalone
To install Scorecards as a standalone:
To install Scorecard as a standalone:
Visit our latest [release page](https://github.com/ossf/scorecard/releases/latest) and
download the correct zip file for your operating system.
@ -263,7 +263,7 @@ These variables can be obtained from the GitHub
##### Using repository URL
Scorecards can run using just one argument, the URL of the target repo:
Scorecard can run using just one argument, the URL of the target repo:
```shell
$ scorecard --repo=github.com/ossf-tests/scorecard-check-branch-protection-e2e
@ -360,7 +360,7 @@ The `GITHUB_AUTH_TOKEN` has to be set to a valid [token](#Authentication)
docker run -e GITHUB_AUTH_TOKEN=token gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/ossf/scorecard
```
To use a specific scorecards version (e.g., v3.2.1), run:
To use a specific scorecard version (e.g., v3.2.1), run:
```shell
docker run -e GITHUB_AUTH_TOKEN=token gcr.io/openssf/scorecard:v3.2.1 --show-details --repo=https://github.com/ossf/scorecard
@ -404,7 +404,7 @@ RESULTS
##### Using a Package manager
For projects in the `--npm`, `--pypi`, or `--rubygems` ecosystems, you have the
option to run Scorecards using a package manager. Provide the package name to
option to run Scorecard using a package manager. Provide the package name to
run the checks on the corresponding GitHub source code.
For example, `--npm=angular`.
@ -461,7 +461,7 @@ remediation steps, check out the [checks documentation page](docs/checks.md).
### Aggregate Score
Each individual check returns a score of 0 to 10, with 10 representing the best
possible score. Scorecards also produces an aggregate score, which is a
possible score. Scorecard also produces an aggregate score, which is a
weight-based average of the individual checks weighted by risk.
* “Critical” risk checks are weighted at 10
@ -469,7 +469,7 @@ weight-based average of the individual checks weighted by risk.
* “Medium” risk checks are weighted at 5
* “Low” risk checks are weighted at 2.5
See the [list of current Scorecards checks](#scorecard-checks) for each check's
See the [list of current Scorecard checks](#scorecard-checks) for each check's
risk level.
## Contribute
@ -481,7 +481,7 @@ If you have what looks like a bug, please use the
you file an issue, please search existing issues to see if your issue is already
covered.
### Contribute to Scorecards
### Contribute to Scorecard
Before contributing, please follow our [Code of Conduct](CODE_OF_CONDUCT.md).
@ -492,9 +492,9 @@ contribute to the project.
If you'd like to add a check, please see guidance [here](checks/write.md).
### Connect with the Scorecards Community
### Connect with the Scorecard Community
If you want to get involved in the Scorecards community or have ideas you'd like
If you want to get involved in the Scorecard community or have ideas you'd like
to chat about, we discuss this project in the
[OSSF Best Practices Working Group](https://github.com/ossf/wg-best-practices-os-developers)
meetings.
@ -529,4 +529,4 @@ To report a security issue, please follow instructions [here](SECURITY.md).
### FAQ
See the [FAQ](docs/faq.md) for answers to Frequently Asked Questions about Scorecards.
See the [FAQ](docs/faq.md) for answers to Frequently Asked Questions about Scorecard.

View File

@ -102,7 +102,7 @@ func runCheck() (policy.PolicyResult, error) {
}
}
repoResult, err := pkg.RunScorecards(
repoResult, err := pkg.RunScorecard(
ctx,
repo,
commitSHA,
@ -114,7 +114,7 @@ func runCheck() (policy.PolicyResult, error) {
vulnsClient,
)
if err != nil {
return policy.Fail, fmt.Errorf("RunScorecards: %w", err)
return policy.Fail, fmt.Errorf("RunScorecard: %w", err)
}
result, err := attestationPolicy.EvaluateResults(&repoResult.RawResults)

View File

@ -36,10 +36,10 @@ import (
)
const (
scorecardLong = "A program that shows security scorecard for an open source software."
scorecardLong = "A program that shows the OpenSSF scorecard for an open source software."
scorecardUse = `./scorecard (--repo=<repo> | --local=<folder> | --{npm,pypi,rubygems}=<package_name>)
[--checks=check1,...] [--show-details]`
scorecardShort = "Security Scorecards"
scorecardShort = "OpenSSF Scorecard"
)
// New creates a new instance of the scorecard command.
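Review bot: In `scorecardLong` the new text uses a lowercase `scorecard` (`shows the OpenSSF scorecard for an open source software`) while `scorecardShort` a few lines below uses `OpenSSF Scorecard`; capitalise it to match. `an open source software` is also ungrammatical, so `for an open source project` would be a better ending while the string is being edited.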
@ -124,7 +124,7 @@ func rootCmd(o *options.Options) error {
}
}
repoResult, err := pkg.RunScorecards(
repoResult, err := pkg.RunScorecard(
ctx,
repoURI,
o.Commit,
@ -136,7 +136,7 @@ func rootCmd(o *options.Options) error {
vulnsClient,
)
if err != nil {
return fmt.Errorf("RunScorecards: %w", err)
return fmt.Errorf("RunScorecard: %w", err)
}
repoResult.Metadata = append(repoResult.Metadata, o.Metadata...)

View File

@ -69,7 +69,7 @@ func serveCmd(o *options.Options) *cobra.Command {
defer ossFuzzRepoClient.Close()
ciiClient := clients.DefaultCIIBestPracticesClient()
checksToRun := checks.GetAll()
repoResult, err := pkg.RunScorecards(
repoResult, err := pkg.RunScorecard(
ctx, repo, clients.HeadSHA /*commitSHA*/, o.CommitDepth, checksToRun, repoClient,
ossFuzzRepoClient, ciiClient, vulnsClient)
if err != nil {

View File

@ -164,14 +164,14 @@ func processRequest(ctx context.Context,
delete(checksToRun, check)
}
result, err := pkg.RunScorecards(ctx, repo, commitSHA, 0, checksToRun,
result, err := pkg.RunScorecard(ctx, repo, commitSHA, 0, checksToRun,
repoClient, ossFuzzRepoClient, ciiClient, vulnsClient)
if errors.Is(err, sce.ErrRepoUnreachable) {
// Not accessible repo - continue.
continue
}
if err != nil {
return fmt.Errorf("error during RunScorecards: %w", err)
return fmt.Errorf("error during RunScorecard: %w", err)
}
for checkIndex := range result.Checks {
check := &result.Checks[checkIndex]

View File

@ -155,7 +155,7 @@ func getScorecardCheckResults(dCtx *dependencydiffContext) error {
// Run scorecard on those types of dependencies that the caller would like to check.
// If the input map changeTypesToCheck is empty, by default, we run the checks for all valid types.
// TODO (#2064): use the Scorecare REST API to retrieve the Scorecard result statelessly.
scorecardResult, err := pkg.RunScorecards(
scorecardResult, err := pkg.RunScorecard(
dCtx.ctx,
dCtx.ghRepo,
// TODO (#2065): In future versions, ideally, this should be
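Review bot: The context comment directly above the renamed call still says `use the Scorecare REST API`; since this commit is a naming cleanup, correct the typo to `Scorecard` in the same change.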

View File

@ -34,7 +34,7 @@ Problems with generated executable (binary) artifacts:
the source repository (since the executable generation process is less
likely to have atrophied).
Allowed by Scorecards:
Allowed by Scorecard:
- Files in the source repository that are simultaneously reviewable source
code and executables, since these are reviewable. (Some interpretive
@ -186,7 +186,7 @@ To earn the passing badge, the project MUST:
- apply at least one static code analysis tool (beyond compiler warnings and
"safe" language modes) to any proposed major production release.
Some of these criteria overlap with other Scorecards checks.
Some of these criteria overlap with other Scorecard checks.
**Remediation steps**
@ -442,9 +442,9 @@ You can create a package in several ways:
Note: A project that fulfills this criterion with other tools may still receive
a low score on this test. There are many ways to package software, and it is
challenging for an automated tool like Scorecards to detect them all. A low
challenging for an automated tool like Scorecard to detect them all. A low
score is therefore not a definitive indication that the project is at risk. If
Scorecards fails to detect the way you publish a package and you think we should
Scorecard fails to detect the way you publish a package and you think we should
support your use case, please let us know by [opening an
issue](https://github.com/ossf/scorecard/issues/new/choose).

View File

@ -119,7 +119,7 @@ checks:
the source repository (since the executable generation process is less
likely to have atrophied).
Allowed by Scorecards:
Allowed by Scorecard:
- Files in the source repository that are simultaneously reviewable source
code and executables, since these are reviewable. (Some interpretive
@ -284,7 +284,7 @@ checks:
- apply at least one static code analysis tool (beyond compiler warnings and
"safe" language modes) to any proposed major production release.
Some of these criteria overlap with other Scorecards checks.
Some of these criteria overlap with other Scorecard checks.
remediation:
- >-
Sign up for the [OpenSSF Best Practices program](https://bestpractices.coreinfrastructure.org/).
@ -441,9 +441,9 @@ checks:
Note: A project that fulfills this criterion with other tools may still receive
a low score on this test. There are many ways to package software, and it is
challenging for an automated tool like Scorecards to detect them all. A low
challenging for an automated tool like Scorecard to detect them all. A low
score is therefore not a definitive indication that the project is at risk. If
Scorecards fails to detect the way you publish a package and you think we should
Scorecard fails to detect the way you publish a package and you think we should
support your use case, please let us know by [opening an
issue](https://github.com/ossf/scorecard/issues/new/choose).
remediation:

View File

@ -1,4 +1,4 @@
# Scalable Scorecards
# Scalable Scorecard
Scale OSSF Scorecard to 100k+ repositories.
@ -308,4 +308,4 @@ this end, we need efforts to:
* Add non-hermetic tests which are not flaky and do not fail based on
environment variables and access to GCS.
* Better unit test coverage to add confidence for any incoming PRs.
* Better documentation.
* Better documentation.

View File

@ -1,16 +1,17 @@
# Frequently Asked Questions
This page answers frequently asked questions about Scorecards, including its purpose, usage, and checks. This page is continually updated. If you would like to add a question, please [contribute](../CONTRIBUTING.md)!
This page answers frequently asked questions about Scorecard, including its purpose, usage, and checks. This page is continually updated. If you would like to add a question, please [contribute](../CONTRIBUTING.md)!
## Installation / Usage
- [Can I preview my project's score?](#can-i-preview-my-projects-score)
- [What is the difference between Scorecards and other Code Scanning tools?](#what-is-the-difference-between-scorecards-and-other-code-scanning-tools)
- [What is the difference between Scorecard and other Code Scanning tools?](#what-is-the-difference-between-scorecard-and-other-code-scanning-tools)
- [Wasn't this project called "Scorecards" (plural)?](#wasnt-this-project-called-scorecards-plural)
## Check-Specific Questions
- [Binary-Artifacts: Can I allowlist testing artifacts?](#binary-artifacts-can-i-allowlist-testing-artifacts)
- [Code-Review: Can it ignore bot commits?](#code-review-can-it-ignore-bot-commits)
- [Fuzzing: Does Scorecards accept custom fuzzers?](#fuzzing-does-scorecards-accept-custom-fuzzers)
- [Pinned-Dependencies: Will Scorecards detect unpinned dependencies in tests with Dockerfiles?](#pinned-dependencies-will-scorecards-detect-unpinned-dependencies-in-tests-with-dockerfiles)
- [Fuzzing: Does Scorecard accept custom fuzzers?](#fuzzing-does-scorecard-accept-custom-fuzzers)
- [Pinned-Dependencies: Will Scorecard detect unpinned dependencies in tests with Dockerfiles?](#pinned-dependencies-will-scorecard-detect-unpinned-dependencies-in-tests-with-dockerfiles)
- [Pinned-Dependencies: Can I use version pinning instead of hash pinning?](#pinned-dependencies-can-i-use-version-pinning-instead-of-hash-pinning)
- [Signed-Releases: Why sign releases?](#signed-releases-why-sign-releases)
@ -22,7 +23,7 @@ This page answers frequently asked questions about Scorecards, including its pur
Yes.
Over a million projects are automatically tracked by the Scorecards project. These projects' scores can be seen at https://api.securityscorecards.dev/projects/github.com/<username_or_org>/<repository_name>.
Over a million projects are automatically tracked by the Scorecard project. These projects' scores can be seen at https://api.securityscorecards.dev/projects/github.com/<username_or_org>/<repository_name>.
You can also use the CLI to generate scores for any public repository by following these steps:
@ -30,17 +31,21 @@ You can also use the CLI to generate scores for any public repository by followi
2. [Authentication](https://github.com/ossf/scorecard#authentication)
3. [Basic Usage](https://github.com/ossf/scorecard#basic-usage)
### What is the difference between Scorecards and other Code Scanning tools?
### What is the difference between Scorecard and other Code Scanning tools?
Most code scanning tools are focused on detecting specific vulnerabilities already existing in your codebase. Scorecards, however, is focused on improving the project's overall security posture by helping it adopt best practices. The best solution for your project may well be to adopt Scorecards along with other tools!
Most code scanning tools are focused on detecting specific vulnerabilities already existing in your codebase. Scorecard, however, is focused on improving the project's overall security posture by helping it adopt best practices. The best solution for your project may well be to adopt Scorecard along with other tools!
### Wasn't this project called "Scorecards" (plural)?
Yes, kind of. The project was initially called "Security Scorecards" but that form wasn't used consistently. In particular, the repo was named "scorecard" and so was the program. Over time people started referring to either form (singular and plural) and the inconsitency became prevalent. To end this situation the decision was made to consolidate over the use of the singular form in keeping with the repo and program name, drop the "Security" part and use "OpenSSF" instead to ensure uniqueness. One should therefore refer to this project as "OpenSSF Scorecard" or "Scorecard" for short.
## Check-specific Questions
### Binary-Artifacts: Can I allowlist testing artifacts?
Scorecards lowers projects' scores whenever it detects binary artifacts. However, many projects use binary artifacts strictly for testing purposes.
Scorecard lowers projects' scores whenever it detects binary artifacts. However, many projects use binary artifacts strictly for testing purposes.
While it isn't currently possible to allowlist such binaries, the Scorecards team is working on this feature ([#1270](https://github.com/ossf/scorecard/issues/1270)).
While it isn't currently possible to allowlist such binaries, the Scorecard team is working on this feature ([#1270](https://github.com/ossf/scorecard/issues/1270)).
### Code-Review: Can it ignore bot commits?
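Review bot: The new FAQ answer misspells `inconsistency` as `inconsitency`, and `consolidate over the use of the singular form` reads better as `consolidate on the singular form`. The answer could also state that the API host `api.securityscorecards.dev` keeps the old name, since this same page still sends readers to that URL.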
@ -49,17 +54,17 @@ This is quite a complex question. Right now, there is no way to do that. Here ar
- Pros: Some bots run very frequently; for some projects, reviewing every change is therefore not feasible or reasonable.
- Cons: Bots can be compromised (their credentials can be compromised, for example). Or if commits are not signed, an attacker could easily send a commit spoofing the bot. This means that a bot having unsupervised write access to the repository could be a security risk.
However, this is being discussed by the Scorecards Team ([#2302](https://github.com/ossf/scorecard/issues/2302)).
However, this is being discussed by the Scorecard Team ([#2302](https://github.com/ossf/scorecard/issues/2302)).
### Fuzzing: Does Scorecards accept custom fuzzers?
### Fuzzing: Does Scorecard accept custom fuzzers?
Currently only for projects written in Go.
For more information, see the [Fuzzing check description](https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing).
### Pinned-Dependencies: Will Scorecards detect unpinned dependencies in tests with Dockerfiles?
### Pinned-Dependencies: Will Scorecard detect unpinned dependencies in tests with Dockerfiles?
Scorecards can show the dependencies that are referred to in tests like Dockerfiles, so it could be a great way for you to fix those dependencies and avoid the vulnerabilities related to version pinning dependencies. To see more about the benefits of hash pinning instead of version pinning, please see the [Pinned-Dependencies check description](/checks.md#pinned-dependencies)
Scorecard can show the dependencies that are referred to in tests like Dockerfiles, so it could be a great way for you to fix those dependencies and avoid the vulnerabilities related to version pinning dependencies. To see more about the benefits of hash pinning instead of version pinning, please see the [Pinned-Dependencies check description](/checks.md#pinned-dependencies)
### Pinned-Dependencies: Can I use version pinning instead of hash pinning?
Version pinning is a significant improvement over not pinning your dependencies. However, it still leaves your project vulnerable to tag-renaming attacks (where a dependency's tags are deleted and recreated to point to a malicious commit).
@ -74,4 +79,4 @@ Currently, the main benefit of [signed releases](/checks.md#signed-releases) is
However, there are already moves to make it even more relevant. For example, the OpenSSF is working on [implementing signature verification for NPM packages](https://github.blog/2022-08-08-new-request-for-comments-on-improving-npm-security-with-sigstore-is-now-open/) which would allow a consumer to automatically verify if the package they are downloading was generated through a reliable builder and if it is correctly signed.
Signing releases already has some relevance and it will soon offer even more security benefits for both consumers and maintainers.
Signing releases already has some relevance and it will soon offer even more security benefits for both consumers and maintainers.

View File

@ -80,8 +80,8 @@ func getRepoCommitHash(r clients.RepoClient) (string, error) {
return "", nil
}
// RunScorecards runs enabled Scorecard checks on a Repo.
func RunScorecards(ctx context.Context,
// RunScorecard runs enabled Scorecard checks on a Repo.
func RunScorecard(ctx context.Context,
repo clients.Repo,
commitSHA string,
commitDepth int,
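Review bot: `RunScorecards` is an exported function of `pkg`, so renaming it to `RunScorecard` with no alias breaks compilation for any out-of-tree caller that imports the package. Consider keeping `RunScorecards` for one release as a thin wrapper marked `// Deprecated: use RunScorecard`, or flag the rename as a breaking API change in the release notes.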

View File

@ -118,7 +118,7 @@ func Test_getRepoCommitHashLocal(t *testing.T) {
}
}
func TestRunScorecards(t *testing.T) {
func TestRunScorecard(t *testing.T) {
t.Parallel()
type args struct {
commitSHA string
@ -163,13 +163,13 @@ func TestRunScorecards(t *testing.T) {
}, nil
})
defer ctrl.Finish()
got, err := RunScorecards(context.Background(), repo, tt.args.commitSHA, 0, nil, mockRepoClient, nil, nil, nil)
got, err := RunScorecard(context.Background(), repo, tt.args.commitSHA, 0, nil, mockRepoClient, nil, nil, nil)
if (err != nil) != tt.wantErr {
t.Errorf("RunScorecards() error = %v, wantErr %v", err, tt.wantErr)
t.Errorf("RunScorecard() error = %v, wantErr %v", err, tt.wantErr)
return
}
if !reflect.DeepEqual(got, tt.want) {
t.Errorf("RunScorecards() got = %v, want %v", got, tt.want)
t.Errorf("RunScorecard() got = %v, want %v", got, tt.want)
}
})
}