diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index ca8ab5c0..863597fa 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,6 +1,6 @@ -# Contributing to Security Scorecards +# Contributing to OpenSSF Scorecard -Thank you for contributing your time and expertise to the Security Scorecards +Thank you for contributing your time and expertise to the OpenSSF Scorecard project. This document describes the contribution guidelines for the project. **Note:** Before you start contributing, you must read and abide by our diff --git a/README.md b/README.md index f890a60a..6e95263c 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Security Scorecards +# OpenSSF Scorecard [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/ossf/scorecard/badge)](https://api.securityscorecards.dev/projects/github.com/ossf/scorecard) [![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/5621/badge)](https://bestpractices.coreinfrastructure.org/projects/5621) @@ -14,16 +14,16 @@ ## Overview -- [What Is Scorecards?](#what-is-scorecards) -- [Prominent Scorecards Users](#prominent-scorecards-users) -- [Scorecards' Public Data](#public-data) +- [What Is Scorecard?](#what-is-scorecard) +- [Prominent Scorecard Users](#prominent-scorecard-users) +- [Scorecard' Public Data](#public-data) -## Using Scorecards +## Using Scorecard -- [Scorecards GitHub Action](#scorecards-github-action) -- [Scorecards REST API](#scorecards-rest-api) -- [Scorecards Badges](#scorecards-badges) -- [Scorecards Command Line Interface](#scorecards-command-line-interface) +- [Scorecard GitHub Action](#scorecard-github-action) +- [Scorecard REST API](#scorecard-rest-api) +- [Scorecard Badges](#scorecard-badges) +- [Scorecard Command Line Interface](#scorecard-command-line-interface) - [Prerequisites](#prerequisites) - [Installation](#installation) - [Authentication](#authentication) 
@@ -31,7 +31,7 @@ ## Checks -- [Default Scorecards Checks](#scorecard-checks) +- [Default Scorecard Checks](#scorecard-checks) - [Detailed Check Documentation](docs/checks.md) (Scoring Criteria, Risks, and Remediation) @@ -42,9 +42,9 @@ - [Report Problems](#report-problems) - [Code of Conduct](CODE_OF_CONDUCT.md) -- [Contribute to Scorecards ](CONTRIBUTING.md) +- [Contribute to Scorecard ](CONTRIBUTING.md) - [Add a New Check](checks/write.md) -- [Connect with the Scorecards Community](#connect-with-the-scorecards-community) +- [Connect with the Scorecard Community](#connect-with-the-scorecard-community) - [Report a Security Issue](SECURITY.md) ## FAQ @@ -53,12 +53,12 @@ ## Overview -### What is Scorecards? -We created Scorecards to help open source maintainers improve their security +### What is Scorecard? +We created Scorecard to help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe. -Scorecards is an automated tool that assesses a number of important heuristics +Scorecard is an automated tool that assesses a number of important heuristics [("checks")](#scorecard-checks) associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. @@ -66,7 +66,7 @@ You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements. -The inspiration for Scorecards’ logo: +The inspiration for Scorecard’s logo: ["You passed! All D's ... and an A!"](https://youtu.be/rDMMYT3vkTk) #### Project Goals 
@@ -77,10 +77,10 @@ The inspiration for Scorecards’ logo: 1. Use this data to proactively improve the security posture of the critical projects the world depends on. -### Prominent Scorecards Users +### Prominent Scorecard Users -Scorecards has been run on thousands of projects to monitor and track security -metrics. Prominent projects that use Scorecards include: +Scorecard has been run on thousands of projects to monitor and track security +metrics. Prominent projects that use Scorecard include: - [Tensorflow](https://github.com/tensorflow/tensorflow) - [Angular](https://github.com/angular/angular) @@ -90,7 +90,7 @@ metrics. Prominent projects that use Scorecards include: ### Public Data -We run a weekly Scorecards scan of the 1 million most critical open source +We run a weekly Scorecard scan of the 1 million most critical open source projects judged by their direct dependencies and publish the results in a [BigQuery public dataset](https://cloud.google.com/bigquery/public-data). 
@@ -128,29 +128,29 @@ send a Pull Request with others. Currently, this list is derived from **projects hosted on GitHub ONLY**. We do plan to expand them in near future to account for projects hosted on other source control systems. -## Using Scorecards +## Using Scorecard -### Scorecards GitHub Action +### Scorecard GitHub Action -The easiest way to use Scorecards on GitHub projects you own is with the -[Scorecards GitHub Action](https://github.com/ossf/scorecard-action). The Action +The easiest way to use Scorecard on GitHub projects you own is with the +[Scorecard GitHub Action](https://github.com/ossf/scorecard-action). The Action runs on any repository change and issues alerts that maintainers can view in the -repository’s Security tab. For more information, see the Scorecards GitHub +repository’s Security tab. For more information, see the Scorecard GitHub Action [installation instructions](https://github.com/ossf/scorecard-action#installation). -### Scorecards REST API +### Scorecard REST API To query pre-calculated scores of OSS projects, use the [REST API](https://api.securityscorecards.dev). To enable your project to be available on the REST API, set [`publish_results: true`](https://github.com/ossf/scorecard-action/blob/dd5015aaf9688596b0e6d11e7f24fff566aa366b/action.yaml#L35) -in the Scorecards GitHub Action setting. +in the Scorecard GitHub Action setting. -### Scorecards Badges +### Scorecard Badges Enabling [`publish_results: true`](https://github.com/ossf/scorecard-action/blob/dd5015aaf9688596b0e6d11e7f24fff566aa366b/action.yaml#L35) -in Scorecards GitHub Actions also allows maintainers to display a Scorecard badge on their repository to show off their +in Scorecard GitHub Actions also allows maintainers to display a Scorecard badge on their repository to show off their hard work. This badge also auto-updates for every change made to the repository. To include a badge on your project's repository, simply add the following markdown to your README: 
@@ -159,18 +159,18 @@ To include a badge on your project's repository, simply add the following markdo Scorecard](https://api.securityscorecards.dev/projects/github.com/{owner}/{repo}/badge)](https://api.securityscorecards.dev/projects/github.com/{owner}/{repo}) ``` -### Scorecards Command Line Interface +### Scorecard Command Line Interface -To run a Scorecards scan on projects you do not own, use the command line +To run a Scorecard scan on projects you do not own, use the command line interface installation option. #### Prerequisites -Platforms: Currently, Scorecards supports OSX and Linux platforms. If you are +Platforms: Currently, Scorecard supports OSX and Linux platforms. If you are using a Windows OS you may experience issues. Contributions towards supporting Windows are welcome. -Language: You must have GoLang installed to run Scorecards +Language: You must have GoLang installed to run Scorecard (https://golang.org/doc/install) #### Installation @@ -183,7 +183,7 @@ Language: You must have GoLang installed to run Scorecards docker pull gcr.io/openssf/scorecard:stable ``` -To use a specific scorecards version (e.g., v3.2.1), run: +To use a specific scorecard version (e.g., v3.2.1), run: ```shell docker pull gcr.io/openssf/scorecard:v3.2.1 @@ -191,7 +191,7 @@ docker pull gcr.io/openssf/scorecard:v3.2.1 ##### Standalone -To install Scorecards as a standalone: +To install Scorecard as a standalone: Visit our latest [release page](https://github.com/ossf/scorecard/releases/latest) and download the correct zip file for your operating system. @@ -263,7 +263,7 @@ These variables can be obtained from the GitHub ##### Using repository URL -Scorecards can run using just one argument, the URL of the target repo: +Scorecard can run using just one argument, the URL of the target repo: ```shell $ scorecard --repo=github.com/ossf-tests/scorecard-check-branch-protection-e2e 
@@ -360,7 +360,7 @@ The `GITHUB_AUTH_TOKEN` has to be set to a valid [token](#Authentication) docker run -e GITHUB_AUTH_TOKEN=token gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/ossf/scorecard ``` -To use a specific scorecards version (e.g., v3.2.1), run: +To use a specific scorecard version (e.g., v3.2.1), run: ```shell docker run -e GITHUB_AUTH_TOKEN=token gcr.io/openssf/scorecard:v3.2.1 --show-details --repo=https://github.com/ossf/scorecard @@ -404,7 +404,7 @@ RESULTS ##### Using a Package manager For projects in the `--npm`, `--pypi`, or `--rubygems` ecosystems, you have the -option to run Scorecards using a package manager. Provide the package name to +option to run Scorecard using a package manager. Provide the package name to run the checks on the corresponding GitHub source code. For example, `--npm=angular`. @@ -461,7 +461,7 @@ remediation steps, check out the [checks documentation page](docs/checks.md). ### Aggregate Score Each individual check returns a score of 0 to 10, with 10 representing the best -possible score. Scorecards also produces an aggregate score, which is a +possible score. Scorecard also produces an aggregate score, which is a weight-based average of the individual checks weighted by risk. * “Critical” risk checks are weighted at 10 @@ -469,7 +469,7 @@ weight-based average of the individual checks weighted by risk. * “Medium” risk checks are weighted at 5 * “Low” risk checks are weighted at 2.5 -See the [list of current Scorecards checks](#scorecard-checks) for each check's +See the [list of current Scorecard checks](#scorecard-checks) for each check's risk level. ## Contribute @@ -481,7 +481,7 @@ If you have what looks like a bug, please use the you file an issue, please search existing issues to see if your issue is already covered. -### Contribute to Scorecards +### Contribute to Scorecard Before contributing, please follow our [Code of Conduct](CODE_OF_CONDUCT.md). 
@@ -492,9 +492,9 @@ contribute to the project. If you'd like to add a check, please see guidance [here](checks/write.md). -### Connect with the Scorecards Community +### Connect with the Scorecard Community -If you want to get involved in the Scorecards community or have ideas you'd like +If you want to get involved in the Scorecard community or have ideas you'd like to chat about, we discuss this project in the [OSSF Best Practices Working Group](https://github.com/ossf/wg-best-practices-os-developers) meetings. @@ -529,4 +529,4 @@ To report a security issue, please follow instructions [here](SECURITY.md). ### FAQ -See the [FAQ](docs/faq.md) for answers to Frequently Asked Questions about Scorecards. +See the [FAQ](docs/faq.md) for answers to Frequently Asked Questions about Scorecard. diff --git a/attestor/command/check.go b/attestor/command/check.go index 36826387..1b660d8a 100644 --- a/attestor/command/check.go +++ b/attestor/command/check.go @@ -102,7 +102,7 @@ func runCheck() (policy.PolicyResult, error) { } } - repoResult, err := pkg.RunScorecards( + repoResult, err := pkg.RunScorecard( ctx, repo, commitSHA, @@ -114,7 +114,7 @@ func runCheck() (policy.PolicyResult, error) { vulnsClient, ) if err != nil { - return policy.Fail, fmt.Errorf("RunScorecards: %w", err) + return policy.Fail, fmt.Errorf("RunScorecard: %w", err) } result, err := attestationPolicy.EvaluateResults(&repoResult.RawResults) diff --git a/cmd/root.go b/cmd/root.go index 1979880e..079fa38b 100644 --- a/cmd/root.go +++ b/cmd/root.go 
@@ -36,10 +36,10 @@ import ( ) const ( - scorecardLong = "A program that shows security scorecard for an open source software." + scorecardLong = "A program that shows the OpenSSF scorecard for an open source software." scorecardUse = `./scorecard (--repo= | --local= | --{npm,pypi,rubygems}=) [--checks=check1,...] [--show-details]` - scorecardShort = "Security Scorecards" + scorecardShort = "OpenSSF Scorecard" ) // New creates a new instance of the scorecard command. @@ -124,7 +124,7 @@ func rootCmd(o *options.Options) error { } } - repoResult, err := pkg.RunScorecards( + repoResult, err := pkg.RunScorecard( ctx, repoURI, o.Commit, @@ -136,7 +136,7 @@ func rootCmd(o *options.Options) error { vulnsClient, ) if err != nil { - return fmt.Errorf("RunScorecards: %w", err) + return fmt.Errorf("RunScorecard: %w", err) } repoResult.Metadata = append(repoResult.Metadata, o.Metadata...) diff --git a/cmd/serve.go b/cmd/serve.go index e0a51661..2ad8419e 100644 --- a/cmd/serve.go +++ b/cmd/serve.go @@ -69,7 +69,7 @@ func serveCmd(o *options.Options) *cobra.Command { defer ossFuzzRepoClient.Close() ciiClient := clients.DefaultCIIBestPracticesClient() checksToRun := checks.GetAll() - repoResult, err := pkg.RunScorecards( + repoResult, err := pkg.RunScorecard( ctx, repo, clients.HeadSHA /*commitSHA*/, o.CommitDepth, checksToRun, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient) if err != nil { diff --git a/cron/internal/worker/main.go b/cron/internal/worker/main.go index 593019ec..1b8f0836 100644 --- a/cron/internal/worker/main.go +++ b/cron/internal/worker/main.go 
@@ -164,14 +164,14 @@ func processRequest(ctx context.Context, delete(checksToRun, check) } - result, err := pkg.RunScorecards(ctx, repo, commitSHA, 0, checksToRun, + result, err := pkg.RunScorecard(ctx, repo, commitSHA, 0, checksToRun, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient) if errors.Is(err, sce.ErrRepoUnreachable) { // Not accessible repo - continue. continue } if err != nil { - return fmt.Errorf("error during RunScorecards: %w", err) + return fmt.Errorf("error during RunScorecard: %w", err) } for checkIndex := range result.Checks { check := &result.Checks[checkIndex] diff --git a/dependencydiff/dependencydiff.go b/dependencydiff/dependencydiff.go index 20723ad9..c8096edb 100644 --- a/dependencydiff/dependencydiff.go +++ b/dependencydiff/dependencydiff.go @@ -155,7 +155,7 @@ func getScorecardCheckResults(dCtx *dependencydiffContext) error { // Run scorecard on those types of dependencies that the caller would like to check. // If the input map changeTypesToCheck is empty, by default, we run the checks for all valid types. // TODO (#2064): use the Scorecare REST API to retrieve the Scorecard result statelessly. - scorecardResult, err := pkg.RunScorecards( + scorecardResult, err := pkg.RunScorecard( dCtx.ctx, dCtx.ghRepo, // TODO (#2065): In future versions, ideally, this should be diff --git a/docs/checks.md b/docs/checks.md index 4584b9c7..58ebca8e 100644 --- a/docs/checks.md +++ b/docs/checks.md @@ -34,7 +34,7 @@ Problems with generated executable (binary) artifacts: the source repository (since the executable generation process is less likely to have atrophied). -Allowed by Scorecards: +Allowed by Scorecard: - Files in the source repository that are simultaneously reviewable source code and executables, since these are reviewable. (Some interpretive 
@@ -186,7 +186,7 @@ To earn the passing badge, the project MUST: - apply at least one static code analysis tool (beyond compiler warnings and "safe" language modes) to any proposed major production release. -Some of these criteria overlap with other Scorecards checks. +Some of these criteria overlap with other Scorecard checks. **Remediation steps** @@ -442,9 +442,9 @@ You can create a package in several ways: Note: A project that fulfills this criterion with other tools may still receive a low score on this test. There are many ways to package software, and it is -challenging for an automated tool like Scorecards to detect them all. A low +challenging for an automated tool like Scorecard to detect them all. A low score is therefore not a definitive indication that the project is at risk. If -Scorecards fails to detect the way you publish a package and you think we should +Scorecard fails to detect the way you publish a package and you think we should support your use case, please let us know by [opening an issue](https://github.com/ossf/scorecard/issues/new/choose). diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml index 78566216..bb4188a5 100644 --- a/docs/checks/internal/checks.yaml +++ b/docs/checks/internal/checks.yaml @@ -119,7 +119,7 @@ checks: the source repository (since the executable generation process is less likely to have atrophied). - Allowed by Scorecards: + Allowed by Scorecard: - Files in the source repository that are simultaneously reviewable source code and executables, since these are reviewable. (Some interpretive 
@@ -284,7 +284,7 @@ checks: - apply at least one static code analysis tool (beyond compiler warnings and "safe" language modes) to any proposed major production release. - Some of these criteria overlap with other Scorecards checks. + Some of these criteria overlap with other Scorecard checks. remediation: - >- Sign up for the [OpenSSF Best Practices program](https://bestpractices.coreinfrastructure.org/). @@ -441,9 +441,9 @@ checks: Note: A project that fulfills this criterion with other tools may still receive a low score on this test. There are many ways to package software, and it is - challenging for an automated tool like Scorecards to detect them all. A low + challenging for an automated tool like Scorecard to detect them all. A low score is therefore not a definitive indication that the project is at risk. If - Scorecards fails to detect the way you publish a package and you think we should + Scorecard fails to detect the way you publish a package and you think we should support your use case, please let us know by [opening an issue](https://github.com/ossf/scorecard/issues/new/choose). remediation: diff --git a/docs/design/scalable_scorecards.md b/docs/design/scalable_scorecard.md similarity index 99% rename from docs/design/scalable_scorecards.md rename to docs/design/scalable_scorecard.md index a69b9f73..a2eade47 100644 --- a/docs/design/scalable_scorecards.md +++ b/docs/design/scalable_scorecard.md @@ -1,4 +1,4 @@ -# Scalable Scorecards +# Scalable Scorecard Scale OSSF Scorecard to 100k+ repositories. @@ -308,4 +308,4 @@ this end, we need efforts to: * Add non-hermetic tests which are not flaky and do not fail based on environment variables and access to GCS. * Better unit test coverage to add confidence for any incoming PRs. -* Better documentation. \ No newline at end of file +* Better documentation. diff --git a/docs/faq.md b/docs/faq.md index e3e995ef..b53c7c90 100644 --- a/docs/faq.md +++ b/docs/faq.md 
@@ -1,16 +1,17 @@ # Frequently Asked Questions -This page answers frequently asked questions about Scorecards, including its purpose, usage, and checks. This page is continually updated. If you would like to add a question, please [contribute](../CONTRIBUTING.md)! +This page answers frequently asked questions about Scorecard, including its purpose, usage, and checks. This page is continually updated. If you would like to add a question, please [contribute](../CONTRIBUTING.md)! ## Installation / Usage - [Can I preview my project's score?](#can-i-preview-my-projects-score) - - [What is the difference between Scorecards and other Code Scanning tools?](#what-is-the-difference-between-scorecards-and-other-code-scanning-tools) + - [What is the difference between Scorecard and other Code Scanning tools?](#what-is-the-difference-between-scorecard-and-other-code-scanning-tools) + - [Wasn't this project called "Scorecards" (plural)?](#wasnt-this-project-called-scorecards-plural) ## Check-Specific Questions - [Binary-Artifacts: Can I allowlist testing artifacts?](#binary-artifacts-can-i-allowlist-testing-artifacts) - [Code-Review: Can it ignore bot commits?](#code-review-can-it-ignore-bot-commits) - - [Fuzzing: Does Scorecards accept custom fuzzers?](#fuzzing-does-scorecards-accept-custom-fuzzers) - - [Pinned-Dependencies: Will Scorecards detect unpinned dependencies in tests with Dockerfiles?](#pinned-dependencies-will-scorecards-detect-unpinned-dependencies-in-tests-with-dockerfiles) + - [Fuzzing: Does Scorecard accept custom fuzzers?](#fuzzing-does-scorecard-accept-custom-fuzzers) + - [Pinned-Dependencies: Will Scorecard detect unpinned dependencies in tests with Dockerfiles?](#pinned-dependencies-will-scorecard-detect-unpinned-dependencies-in-tests-with-dockerfiles) - [Pinned-Dependencies: Can I use version pinning instead of hash pinning?](#pinned-dependencies-can-i-use-version-pinning-instead-of-hash-pinning) - [Signed-Releases: Why sign 
releases?](#signed-releases-why-sign-releases) @@ -22,7 +23,7 @@ This page answers frequently asked questions about Scorecards, including its pur Yes. -Over a million projects are automatically tracked by the Scorecards project. These projects' scores can be seen at https://api.securityscorecards.dev/projects/github.com//. +Over a million projects are automatically tracked by the Scorecard project. These projects' scores can be seen at https://api.securityscorecards.dev/projects/github.com//. You can also use the CLI to generate scores for any public repository by following these steps: 
@@ -30,17 +31,21 @@ You can also use the CLI to generate scores for any public repository by followi 2. [Authentication](https://github.com/ossf/scorecard#authentication) 3. [Basic Usage](https://github.com/ossf/scorecard#basic-usage) -### What is the difference between Scorecards and other Code Scanning tools? +### What is the difference between Scorecard and other Code Scanning tools? -Most code scanning tools are focused on detecting specific vulnerabilities already existing in your codebase. Scorecards, however, is focused on improving the project's overall security posture by helping it adopt best practices. The best solution for your project may well be to adopt Scorecards along with other tools! +Most code scanning tools are focused on detecting specific vulnerabilities already existing in your codebase. Scorecard, however, is focused on improving the project's overall security posture by helping it adopt best practices. The best solution for your project may well be to adopt Scorecard along with other tools! + +### Wasn't this project called "Scorecards" (plural)? + +Yes, kind of. The project was initially called "Security Scorecards" but that form wasn't used consistently. In particular, the repo was named "scorecard" and so was the program. Over time people started referring to either form (singular and plural) and the inconsitency became prevalent. To end this situation the decision was made to consolidate over the use of the singular form in keeping with the repo and program name, drop the "Security" part and use "OpenSSF" instead to ensure uniqueness. One should therefore refer to this project as "OpenSSF Scorecard" or "Scorecard" for short. ## Check-specific Questions ### Binary-Artifacts: Can I allowlist testing artifacts? -Scorecards lowers projects' scores whenever it detects binary artifacts. However, many projects use binary artifacts strictly for testing purposes. +Scorecard lowers projects' scores whenever it detects binary artifacts. 
However, many projects use binary artifacts strictly for testing purposes. -While it isn't currently possible to allowlist such binaries, the Scorecards team is working on this feature ([#1270](https://github.com/ossf/scorecard/issues/1270)). +While it isn't currently possible to allowlist such binaries, the Scorecard team is working on this feature ([#1270](https://github.com/ossf/scorecard/issues/1270)). ### Code-Review: Can it ignore bot commits? 
@@ -49,17 +54,17 @@ This is quite a complex question. Right now, there is no way to do that. Here ar - Pros: Some bots run very frequently; for some projects, reviewing every change is therefore not feasible or reasonable. - Cons: Bots can be compromised (their credentials can be compromised, for example). Or if commits are not signed, an attacker could easily send a commit spoofing the bot. This means that a bot having unsupervised write access to the repository could be a security risk. -However, this is being discussed by the Scorecards Team ([#2302](https://github.com/ossf/scorecard/issues/2302)). +However, this is being discussed by the Scorecard Team ([#2302](https://github.com/ossf/scorecard/issues/2302)). -### Fuzzing: Does Scorecards accept custom fuzzers? +### Fuzzing: Does Scorecard accept custom fuzzers? Currently only for projects written in Go. For more information, see the [Fuzzing check description](https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing). -### Pinned-Dependencies: Will Scorecards detect unpinned dependencies in tests with Dockerfiles? +### Pinned-Dependencies: Will Scorecard detect unpinned dependencies in tests with Dockerfiles? -Scorecards can show the dependencies that are referred to in tests like Dockerfiles, so it could be a great way for you to fix those dependencies and avoid the vulnerabilities related to version pinning dependencies. To see more about the benefits of hash pinning instead of version pinning, please see the [Pinned-Dependencies check description](/checks.md#pinned-dependencies) +Scorecard can show the dependencies that are referred to in tests like Dockerfiles, so it could be a great way for you to fix those dependencies and avoid the vulnerabilities related to version pinning dependencies. 
To see more about the benefits of hash pinning instead of version pinning, please see the [Pinned-Dependencies check description](/checks.md#pinned-dependencies) ### Pinned-Dependencies: Can I use version pinning instead of hash pinning? Version pinning is a significant improvement over not pinning your dependencies. However, it still leaves your project vulnerable to tag-renaming attacks (where a dependency's tags are deleted and recreated to point to a malicious commit). @@ -74,4 +79,4 @@ Currently, the main benefit of [signed releases](/checks.md#signed-releases) is However, there are already moves to make it even more relevant. For example, the OpenSSF is working on [implementing signature verification for NPM packages](https://github.blog/2022-08-08-new-request-for-comments-on-improving-npm-security-with-sigstore-is-now-open/) which would allow a consumer to automatically verify if the package they are downloading was generated through a reliable builder and if it is correctly signed. -Signing releases already has some relevance and it will soon offer even more security benefits for both consumers and maintainers. \ No newline at end of file +Signing releases already has some relevance and it will soon offer even more security benefits for both consumers and maintainers. diff --git a/pkg/scorecard.go b/pkg/scorecard.go index 5563e5d1..e8ffb05c 100644 --- a/pkg/scorecard.go +++ b/pkg/scorecard.go @@ -80,8 +80,8 @@ func getRepoCommitHash(r clients.RepoClient) (string, error) { return "", nil } -// RunScorecards runs enabled Scorecard checks on a Repo. -func RunScorecards(ctx context.Context, +// RunScorecard runs enabled Scorecard checks on a Repo. +func RunScorecard(ctx context.Context, repo clients.Repo, commitSHA string, commitDepth int, diff --git a/pkg/scorecard_test.go b/pkg/scorecard_test.go index 74b9ddd0..bd3a45f3 100644 --- a/pkg/scorecard_test.go +++ b/pkg/scorecard_test.go 
@@ -118,7 +118,7 @@ func Test_getRepoCommitHashLocal(t *testing.T) { } } -func TestRunScorecards(t *testing.T) { +func TestRunScorecard(t *testing.T) { t.Parallel() type args struct { commitSHA string @@ -163,13 +163,13 @@ func TestRunScorecards(t *testing.T) { }, nil }) defer ctrl.Finish() - got, err := RunScorecards(context.Background(), repo, tt.args.commitSHA, 0, nil, mockRepoClient, nil, nil, nil) + got, err := RunScorecard(context.Background(), repo, tt.args.commitSHA, 0, nil, mockRepoClient, nil, nil, nil) if (err != nil) != tt.wantErr { - t.Errorf("RunScorecards() error = %v, wantErr %v", err, tt.wantErr) + t.Errorf("RunScorecard() error = %v, wantErr %v", err, tt.wantErr) return } if !reflect.DeepEqual(got, tt.want) { - t.Errorf("RunScorecards() got = %v, want %v", got, tt.want) + t.Errorf("RunScorecard() got = %v, want %v", got, tt.want) } }) }
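Review bot: In the README.md hunk `@@ -14,16 +14,16 @@`, the overview entry `+- [Scorecard' Public Data](#public-data)` drops the possessive "s" along with the plural "s"; the singular possessive is "Scorecard's Public Data". The anchor `#public-data` is unaffected, so only the link text needs changing.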
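Review bot: In the pkg/scorecard.go hunk `@@ -80,8 +80,8 @@`, renaming the exported function `RunScorecards` to `RunScorecard` is a breaking API change for any external Go module that imports this package, not just the in-repo callers updated in this PR. Suggest keeping a deprecated wrapper for at least one release, e.g. `// Deprecated: use RunScorecard.` followed by a `func RunScorecards(...)` that forwards its arguments to `RunScorecard`, or, if the break is intended, calling it out explicitly in the release notes so downstream integrators are not surprised by a compile failure.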
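Review bot: In the docs/faq.md hunk `@@ -30,17 +31,21 @@`, the new answer contains the typo "inconsitency" (should be "inconsistency"), and "consolidate over the use of the singular form" reads awkwardly; "standardize on the singular form" says the same thing more plainly. Since the answer is the canonical explanation of the rename, it is worth getting the wording right before merge.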
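Review bot: In the cmd/root.go hunk `@@ -36,10 +36,10 @@`, the user-facing help string `scorecardLong = "A program that shows the OpenSSF scorecard for an open source software."` is ungrammatical ("software" is uncountable) and uses lowercase "scorecard" while `scorecardShort` in the same block uses "OpenSSF Scorecard". Suggest "A program that shows the OpenSSF Scorecard for an open source project." so both constants use the project's new name consistently.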
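Review bot: In the dependencydiff/dependencydiff.go hunk `@@ -155,7 +155,7 @@`, the unchanged context line `// TODO (#2064): use the Scorecare REST API to retrieve the Scorecard result statelessly.` carries the pre-existing typo "Scorecare". Since this PR is a naming cleanup touching the adjacent line, fixing it to "Scorecard" here avoids a separate follow-up.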
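Review bot: The docs/checks.md hunks (`@@ -34,7 +34,7 @@`, `@@ -186,7 +186,7 @@`, `@@ -442,9 +442,9 @@`) and the docs/checks/internal/checks.yaml hunks (`@@ -119,7 +119,7 @@`, `@@ -284,7 +284,7 @@`, `@@ -441,9 +441,9 @@`) were edited in parallel with identical wording, which is consistent. Since the markdown is derived from the YAML in this repository, please confirm by regenerating docs/checks.md rather than relying on the hand edits matching, so the generated output does not drift on the next regeneration.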