scorecard-dependencyanalysis

command module
v0.0.1
Published: May 31, 2023 License: Apache-2.0 Imports: 11 Imported by: 0

README

OpenSSF Scorecard Dependency Analysis

This repository contains the source code for the OpenSSF Scorecard Dependency Analysis project. The project checks the security posture of a repository's dependencies by listing them through the GitHub Dependency Graph API and looking up each one's score through the OpenSSF Scorecard API.

Usage

The OpenSSF Dependency Analysis is a GitHub Action that can be added to an existing workflow. The workflow is triggered on pull request events; the action runs against the latest commit on the repository's default branch and posts a comment on the pull request with the results of the analysis. An example of the comment can be found here.

Prerequisites

The action requires GitHub Dependency Review to be enabled for the repository. Dependency review is built on the repository's dependency graph, so the dependency graph must be enabled as well; both are managed under the repository's code security settings.

Configuration

The action is configured with the following environment variable:

  • SCORECARD_CHECKS: takes a file containing the list of Scorecard checks to run. The file must be a JSON array of check names, spelled as in the Scorecard checks documentation. For example:

    [
      "Binary-Artifacts",
      "Pinned-Dependencies"
    ]
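The flow described under Usage (list the dependencies a pull request touches, look each one up in Scorecard, post a table as a pull-request comment) and the SCORECARD_CHECKS file format above, as one added example in Go. This is illustrative code written for this page, not the action's own implementation. It assumes the field names of the GitHub Dependency Review compare API and of the Scorecard API response (both real public endpoints), but every input is constructed inline and the Scorecard lookup is a local stand-in, so it runs offline. The names DependencyChange, ScorecardResult, Row, ParseChecks, Analyze and RenderComment are this example's, not the project's.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// DependencyChange: fields used here from a GitHub Dependency Review API entry
// (GET /repos/{owner}/{repo}/dependency-graph/compare/{base}...{head}).
type DependencyChange struct {
	ChangeType          string `json:"change_type"` // "added" or "removed"
	Name                string `json:"name"`
	Version             string `json:"version"`
	SourceRepositoryURL string `json:"source_repository_url"`
}

// ScorecardResult: fields used here from a Scorecard API response
// (GET https://api.securityscorecards.dev/projects/github.com/{owner}/{repo}).
type ScorecardResult struct {
	Score  float64 `json:"score"`
	Checks []struct {
		Name  string `json:"name"`
		Score int    `json:"score"` // -1 when the check could not be run
	} `json:"checks"`
}

// Row is one line of the pull-request comment; Note explains an unscored dependency.
type Row struct {
	Name, Version string
	Score         float64
	Checks        map[string]int // check name -> score, as reported by the API
	Note          string
}

// ParseChecks reads a SCORECARD_CHECKS file: a JSON array of Scorecard check names.
func ParseChecks(data []byte) ([]string, error) {
	var names []string
	if err := json.Unmarshal(data, &names); err != nil {
		return nil, fmt.Errorf("SCORECARD_CHECKS must be a JSON array of check names: %w", err)
	}
	return names, nil
}

// Analyze scores every dependency the pull request adds. Removed dependencies are
// skipped; a dependency that cannot be scored gets a Note instead of aborting the run.
func Analyze(changes []DependencyChange, fetch func(repo string) (*ScorecardResult, error)) []Row {
	const gh = "https://github.com/"
	var rows []Row
	for _, c := range changes {
		if c.ChangeType != "added" {
			continue
		}
		row := Row{Name: c.Name, Version: c.Version, Checks: map[string]int{}}
		// Scorecard only scores GitHub-hosted projects, addressed as "owner/name".
		owner, name, _ := strings.Cut(strings.TrimSuffix(strings.TrimPrefix(c.SourceRepositoryURL, gh), "/"), "/")
		if !strings.HasPrefix(c.SourceRepositoryURL, gh) || owner == "" || name == "" || strings.Contains(name, "/") {
			row.Note = "not hosted on GitHub; no scorecard"
		} else if res, err := fetch(owner + "/" + name); err != nil {
			row.Note = "scorecard lookup failed: " + err.Error()
		} else {
			row.Score = res.Score
			for _, ch := range res.Checks {
				row.Checks[ch.Name] = ch.Score
			}
		}
		rows = append(rows, row)
	}
	return rows
}

// RenderComment formats the rows as the Markdown table posted on the pull request,
// with one column per check configured in SCORECARD_CHECKS.
func RenderComment(rows []Row, checks []string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "| Dependency | Score | %s | Note |\n|%s\n", strings.Join(checks, " | "), strings.Repeat("---|", len(checks)+3))
	for _, r := range rows {
		cells := []string{r.Name + "@" + r.Version, "-"}
		if r.Note == "" {
			cells[1] = fmt.Sprintf("%.1f", r.Score)
		}
		for _, c := range checks {
			cells = append(cells, "n/a") // the API may omit a check entirely
			if s, ok := r.Checks[c]; ok {
				cells[len(cells)-1] = fmt.Sprint(s)
			}
		}
		fmt.Fprintf(&b, "| %s | %s |\n", strings.Join(cells, " | "), r.Note)
	}
	return b.String()
}

func main() {
	// Constructed stand-in for the Scorecard API (the action itself queries
	// api.securityscorecards.dev): one known repository, everything else not found.
	fetch := func(repo string) (*ScorecardResult, error) {
		if repo != "example/lib" {
			return nil, fmt.Errorf("%s: not found", repo)
		}
		var res ScorecardResult
		err := json.Unmarshal([]byte(`{"score":6.5,"checks":[{"name":"Binary-Artifacts","score":10},{"name":"Pinned-Dependencies","score":3},{"name":"Maintained","score":8}]}`), &res)
		return &res, err
	}
	checks, err := ParseChecks([]byte(`["Binary-Artifacts", "Pinned-Dependencies"]`))
	if err != nil {
		panic(err)
	}
	changes := []DependencyChange{ // constructed Dependency Review diff for the PR
		{"added", "lib", "1.2.0", "https://github.com/example/lib"},
		{"added", "other", "0.9.1", "https://github.com/example/missing"},
		{"added", "vendored", "2.0.0", "https://git.example.org/vendored"},
		{"removed", "old", "0.1.0", "https://github.com/example/old"},
	}
	fmt.Print(RenderComment(Analyze(changes, fetch), checks))
}
```

Three behaviours are worth noticing in the output: removed dependencies are skipped, since they no longer affect the posture; a dependency whose source is not on GitHub, or whose lookup fails, gets a note in its row rather than aborting the whole comment; and a configured check the API did not report renders as n/a rather than as a misleading 0.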
Installation

The action can be installed by adding the following snippet to the workflow file:

name: scorecard-dependency-analysis

on:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  contents: read       # Lets actions/checkout read the repository; with an explicit permissions block every unlisted scope is none.
  pull-requests: write # Required to create a comment on the pull request.

jobs:
  dependency-analysis:
    name: Scorecards dependency analysis
    runs-on: ubuntu-latest
    env:
      GITHUB_PR_NUMBER: ${{ github.event.number }}
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      GITHUB_REPOSITORY: ${{ github.repository }}
      GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
      GITHUB_SHA: ${{ github.sha }}
      GITHUB_ACTOR: ${{ github.actor }}

    steps:
      - name: Checkout code
        uses: actions/checkout@v4 # Pin to a full commit SHA in production; tag references are mutable.
        with:
          persist-credentials: false

      - name: Run dependency analysis
        uses: ossf/scorecard-action/dependency-analysis@main # Replace with a release tag or, better, a full commit SHA: @main is mutable, and an unpinned action is exactly what the Pinned-Dependencies check flags.

Documentation

Overview

Copyright 2023 OpenSSF Authors

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

SPDX-License-Identifier: Apache-2.0
