scorecard/CONTRIBUTING.md
naveen c62e667f7c Docs - Included instructions for deploying cron
Included instructions for deployment of the k8s cron job for the daily
score.
2021-03-16 10:15:14 -04:00


Contributing to Security Scorecards

Thank you for contributing your time and expertise to the Security Scorecards project. This document describes the contribution guidelines for the project.

Note: Before you start contributing, you must read and abide by our Code of Conduct.

Contributing code

Getting started

  1. Create a GitHub account
  2. Create a personal access token
  3. Set up your development environment

Environment Setup

You must install these tools:

  1. git: For source control

  2. go: You need go version v1.16 or higher.

  3. docker: v18.9 or higher.

Contributing steps

  1. Submit an issue describing your proposed change to the repo in question.
  2. The repo owners will respond to your issue promptly.
  3. Fork the desired repo, develop and test your code changes.
  4. Submit a pull request.

How to build scorecard locally

Building scorecard from source lets you test your local changes before opening a pull request.

  1. Run the following command to clone your fork of the project locally:
git clone git@github.com:<user>/scorecard.git $GOPATH/src/github.com/<user>/scorecard.git
  2. Ensure module support is enabled before continuing ($ export GO111MODULE=on)
  3. Run make build to build the source code

What to do before submitting a pull request

The following make targets can be used to test your changes locally.

Command     Description                                             Is called in the CI?
make all    Runs go test, golangci-lint checks, fmt, go mod tidy    yes
make e2e    Runs e2e tests                                          yes

Permission for GitHub personal access tokens

The personal access token needs the following scopes:

  • repo:status - Access commit status
  • repo_deployment - Access deployment status
  • public_repo - Access public repositories

Where the CI Tests are configured

  1. See the GitHub Actions workflow files in the repository to find out which tests run in CI and which scripts they call.

dailyscore-cronjob

The daily score job runs scorecard against the repositories listed in https://github.com/ossf/scorecard/blob/main/cron/projects.txt on a GCP Kubernetes (k8s) cluster and publishes the results to the GCS bucket ossf-scorecards.

The cron script is ./scorecard/cron/cron.sh, and the k8s CronJob definition is in ./scorecard/k8s/cron.yaml.

The logs for the cron are available at https://console.cloud.google.com/kubernetes/cronjob/us-central1-c/openssf/default/daily-score/logs?project=openssf

Deploying the cron job

The cron job can be deployed into k8s by running kubectl apply -f ./scorecard/k8s/cron.yaml. This creates (or updates) the k8s CronJob.

Any update to ./scorecard/cron/cron.sh reaches the cluster through the Docker image built from ./scorecard/Dockerfile.gsutil, which is the container the cron job runs.

How do I add additional GitHub repositories to be scanned by scorecard dailyscore?

Scorecard maintains the list of repositories in https://github.com/ossf/scorecard/blob/main/cron/projects.txt

Submit a PR adding the repository to this file; once merged, scorecard will start scanning it in subsequent runs.

Adding New Checks

Each check is currently just a function of type CheckFn. The signature is:

type CheckFn func(c.Checker) CheckResult

Checks are registered in an init function:

	AllChecks = append(AllChecks, NamedCheck{
		Name: "Code-Review",
		Fn:   DoesCodeReview,
	})

Currently only one set of checks can be run. In the future, we'll allow declaring multiple suites and configuring which checks get run.
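To show how a check plugs into this registration scheme end to end, here is an added example; it is not code from the scorecard project. It defines stand-in types for Checker, CheckResult, CheckFn, NamedCheck and AllChecks (the real definitions live in the project and are not reproduced here), registers a hypothetical DoesCodeReview in init exactly as the snippet above does, and then runs the single registered suite against constructed commit data. The 75% review threshold, the 0-10 confidence scale, MemoryRepo and the sample commits are all assumptions made for the example.

```go
package main

import "fmt"

// Checker stands in for the checker type in the page's CheckFn signature
// (assumption: the real scorecard interface is not reproduced here). A check
// pulls whatever repository data it needs from it; this one needs commits.
type Checker interface {
	Commits() []Commit
}

// Commit is a constructed, simplified commit record.
type Commit struct {
	SHA          string
	ReviewedInPR bool // landed through a pull request that received a review
}

// CheckResult is an assumed shape: pass/fail, a 0-10 confidence, and details.
type CheckResult struct {
	Pass       bool
	Confidence int
	Details    []string
}

// CheckFn matches the signature on the page, with the stand-in Checker.
type CheckFn func(Checker) CheckResult

// NamedCheck pairs a check name with its function, as in the registration snippet.
type NamedCheck struct {
	Name string
	Fn   CheckFn
}

// AllChecks is the single suite of registered checks.
var AllChecks []NamedCheck

// Registration happens in init, exactly as the page shows.
func init() {
	AllChecks = append(AllChecks, NamedCheck{
		Name: "Code-Review",
		Fn:   DoesCodeReview,
	})
}

// reviewThreshold is an assumed cut-off: the share of commits that must have
// landed through a reviewed PR for the check to pass.
const reviewThreshold = 0.75

// DoesCodeReview is a hypothetical implementation, not the project's own.
func DoesCodeReview(c Checker) CheckResult {
	commits := c.Commits()
	if len(commits) == 0 {
		// Nothing to judge: fail with zero confidence rather than pass silently.
		return CheckResult{Pass: false, Confidence: 0, Details: []string{"no commits found"}}
	}
	reviewed := 0
	var details []string
	for _, cm := range commits {
		if cm.ReviewedInPR {
			reviewed++
		} else {
			details = append(details, "unreviewed commit "+cm.SHA)
		}
	}
	ratio := float64(reviewed) / float64(len(commits))
	details = append(details, fmt.Sprintf("%d/%d commits reviewed", reviewed, len(commits)))
	return CheckResult{Pass: ratio >= reviewThreshold, Confidence: int(ratio * 10), Details: details}
}

// RunAllChecks runs the one registered suite against a repository and
// returns the results keyed by check name.
func RunAllChecks(c Checker) map[string]CheckResult {
	results := make(map[string]CheckResult, len(AllChecks))
	for _, nc := range AllChecks {
		results[nc.Name] = nc.Fn(c)
	}
	return results
}

// MemoryRepo is an in-memory Checker over constructed commit data.
type MemoryRepo struct{ Log []Commit }

func (m MemoryRepo) Commits() []Commit { return m.Log }

// SampleReviewedRepo: constructed sample, 3 of 4 commits reviewed (passes).
func SampleReviewedRepo() Checker {
	return MemoryRepo{Log: []Commit{
		{SHA: "a1", ReviewedInPR: true}, {SHA: "b2", ReviewedInPR: true},
		{SHA: "c3", ReviewedInPR: false}, {SHA: "d4", ReviewedInPR: true},
	}}
}

// SampleUnreviewedRepo: constructed sample, 1 of 3 commits reviewed (fails).
func SampleUnreviewedRepo() Checker {
	return MemoryRepo{Log: []Commit{
		{SHA: "e5", ReviewedInPR: true}, {SHA: "f6", ReviewedInPR: false},
		{SHA: "g7", ReviewedInPR: false},
	}}
}

func main() {
	for _, repo := range []Checker{SampleReviewedRepo(), SampleUnreviewedRepo()} {
		for _, nc := range AllChecks {
			r := RunAllChecks(repo)[nc.Name]
			fmt.Printf("%s: pass=%t confidence=%d details=%v\n", nc.Name, r.Pass, r.Confidence, r.Details)
		}
	}
}
```

Because registration is a side effect of init, a check is picked up simply by being compiled into the binary; the empty-history branch is there because a check that returns a pass when it has no data to judge would silently inflate a score.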