Validate checks and improve docs.
parent
b24adb5eb3
commit
dbcfdfa0af
13
.gitignore
13
.gitignore
@ -1,15 +1,20 @@
|
||||
# Binaries for programs and plugins
|
||||
# Scorecard binary.
|
||||
scorecard
|
||||
|
||||
# Binaries for programs and plugins.
|
||||
*.exe
|
||||
*.exe~
|
||||
*.dll
|
||||
*.so
|
||||
*.dylib
|
||||
|
||||
# Test binary, built with `go test -c`
|
||||
# Test binary, built with `go test -c`.
|
||||
*.test
|
||||
|
||||
# Output of the go coverage tool, specifically when used with LiteIDE
|
||||
# Output of the go coverage tool, specifically when used with LiteIDE.
|
||||
*.out
|
||||
|
||||
# IDE directories
|
||||
# IDE directories.
|
||||
.vscode/
|
||||
*.iml
|
||||
|
||||
|
56
README.md
56
README.md
@ -14,40 +14,51 @@ A short motivational video clip to inspire us: https://youtu.be/rDMMYT3vkTk "You
|
||||
The program only requires one argument to run, the name of the repo:
|
||||
|
||||
```shell
|
||||
$ scorecards --repo=github.com/kubernetes/kubernetes
|
||||
2020/10/09 10:25:12 Starting [Code-Review]
|
||||
2020/10/09 10:25:12 Starting [Contributors]
|
||||
2020/10/09 10:25:12 Starting [Frozen-Deps]
|
||||
2020/10/09 10:25:12 Starting [Signed-Releases]
|
||||
2020/10/09 10:25:12 Starting [Security-MD]
|
||||
2020/10/09 10:25:12 Starting [Signed-Tags]
|
||||
2020/10/09 10:25:12 Starting [CI-Tests]
|
||||
2020/10/09 10:25:12 Finished [Security-MD]
|
||||
2020/10/09 10:25:14 Finished [Contributors]
|
||||
2020/10/09 10:25:16 Finished [Signed-Tags]
|
||||
2020/10/09 10:25:16 Finished [Signed-Releases]
|
||||
2020/10/09 10:25:25 Finished [Code-Review]
|
||||
2020/10/09 10:25:28 Finished [CI-Tests]
|
||||
2020/10/09 10:25:38 Finished [Frozen-Deps]
|
||||
$ go build
|
||||
$ ./scorecard --repo=github.com/kubernetes/kubernetes
|
||||
Starting [CII-Best-Practices]
|
||||
Starting [Code-Review]
|
||||
Starting [Contributors]
|
||||
Starting [Frozen-Deps]
|
||||
Starting [Fuzzing]
|
||||
Starting [PullRequests]
|
||||
Starting [Signed-Releases]
|
||||
Starting [Security-Policy]
|
||||
Starting [Signed-Tags]
|
||||
Starting [CI-Tests]
|
||||
Finished [Fuzzing]
|
||||
Finished [CII-Best-Practices]
|
||||
Finished [Frozen-Deps]
|
||||
Finished [Security-Policy]
|
||||
Finished [Contributors]
|
||||
Finished [CI-Tests]
|
||||
Finished [Code-Review]
|
||||
Finished [PullRequests]
|
||||
Finished [Signed-Tags]
|
||||
Finished [Signed-Releases]
|
||||
|
||||
RESULTS
|
||||
-------
|
||||
CI-Tests true 10
|
||||
Code-Review true 10
|
||||
CI-Tests false 0
|
||||
CII-Best-Practices true 10
|
||||
Code-Review false 9
|
||||
Contributors true 10
|
||||
Frozen-Deps true 10
|
||||
Security-MD true 10
|
||||
Fuzzing true 10
|
||||
PullRequests true 9
|
||||
Security-Policy true 10
|
||||
Signed-Releases false 0
|
||||
Signed-Tags false 7
|
||||
```
|
||||
|
||||
You'll probably also need to set an Oauth token to avoid rate limits.
|
||||
You can create a personal access token by following these steps: https://docs.github.com/en/free-pro-team@latest/developers/apps/about-apps#personal-access-tokens
|
||||
It is recommended to use an OAuth token to avoid rate limits.
|
||||
You can create one by the following the instructions
|
||||
[here](https://docs.github.com/en/free-pro-team@latest/developers/apps/about-apps#personal-access-tokens).
|
||||
|
||||
Set that as an environment variable:
|
||||
|
||||
```shell
|
||||
export GITHUB_AUTH_TOKEN=<your token>
|
||||
export GITHUB_AUTH_TOKEN=<your access token>
|
||||
```
|
||||
|
||||
## Checks
|
||||
@ -68,6 +79,8 @@ The following checks are all run against the target project:
|
||||
| Fuzzing | Does the project use OSS Fuzz? |
|
||||
|
||||
To see detailed information on how each check works, see the check-specific documentation pages.
|
||||
To use a particular check, add the `--checks` argument with a list of check
|
||||
names (for example `--checks=CI-Tests,Code-Review`).
|
||||
|
||||
If you'd like to add a check, make sure it is something that meets the following criteria:
|
||||
* automate-able
|
||||
@ -85,7 +98,6 @@ A confidence of 10 indicates the check is completely sure of the result.
|
||||
|
||||
Many of the checks are based on heuristics, contributions are welcome to improve the detection!
|
||||
|
||||
|
||||
### Requirements
|
||||
* The scorecard must only be composed of automate-able, objective data. For example, a project having 10 contributors doesn’t necessarily mean it’s more secure than a project with say 50 contributors. But, having two maintainers might be preferable to only having one - the larger bus factor and ability to provide code reviews is objectively better.
|
||||
* The scorecard criteria can be as specific as possible and not limited general recommendations. For example, for Go, we can recommend/require specific linters and analyzers to be run on the codebase.
|
||||
|
19
main.go
19
main.go
@ -27,6 +27,18 @@ type result struct {
|
||||
name string
|
||||
}
|
||||
|
||||
func stringInListOrEmpty(s string, list []string) bool {
|
||||
if len(list) == 0 {
|
||||
return true
|
||||
}
|
||||
for _, le := range list {
|
||||
if le == s {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func main() {
|
||||
flag.Parse()
|
||||
cfg := zap.NewProductionConfig()
|
||||
@ -67,8 +79,15 @@ func main() {
|
||||
|
||||
resultsCh := make(chan result)
|
||||
wg := sync.WaitGroup{}
|
||||
checksToRunList := []string{}
|
||||
if len(*checksToRun) > 0 {
|
||||
checksToRunList = strings.Split(*checksToRun, ",")
|
||||
}
|
||||
for _, check := range checks.AllChecks {
|
||||
check := check
|
||||
if !stringInListOrEmpty(check.Name, checksToRunList) {
|
||||
continue
|
||||
}
|
||||
wg.Add(1)
|
||||
fmt.Fprintf(os.Stderr, "Starting [%s]\n", check.Name)
|
||||
go func() {
|
||||
|
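Review bot: The new `--checks` filter built at the `strings.Split(*checksToRun, ",")` line silently drops any name that matches nothing in `checks.AllChecks`, so a misspelt check (or one separated by `", "` instead of `","`) is skipped without any error while the run still prints RESULTS, which reads as a clean result for a check that never ran. Given the commit title says the checks are validated, I'd trim each entry and reject unknown names before the launch loop, as below; `fmt` and `os` are already used in this hunk. The enclosing `main` body continues outside the hunk. In the first hunk, `stringInListOrEmpty` also lacks a doc comment; something like `// stringInListOrEmpty reports whether s is in list, or list is empty (no filter applied).` would make the "empty means all" contract explicit.
```go
checksToRunList := []string{}
if len(*checksToRun) > 0 {
	for _, name := range strings.Split(*checksToRun, ",") {
		checksToRunList = append(checksToRunList, strings.TrimSpace(name))
	}
}
// Refuse to run with an unknown check name rather than silently skipping it.
known := make(map[string]struct{}, len(checks.AllChecks))
for _, check := range checks.AllChecks {
	known[check.Name] = struct{}{}
}
for _, name := range checksToRunList {
	if _, ok := known[name]; !ok {
		fmt.Fprintf(os.Stderr, "Unknown check [%s]\n", name)
		os.Exit(1)
	}
}
// … unchanged: launch loop over checks.AllChecks …
```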