- What Is Scorecards?
- What Is scorecarddata?
- Why should I use this over running the scorecard CLI?
- What does Scorecarddata do?
- How do I run scorecarddata?
- What are the prerequisites to run this?
- Can I get additional checks other than the default?
- What do the results from the tool look like?
- Can I use this in CI and exclude results that I think are false positives?
- Using it as a server
## What Is Scorecards?

We created Scorecards to give consumers of open-source projects an easy way to judge whether their dependencies are safe.

Scorecards is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.

https://github.com/ossf/scorecard#what-is-scorecards
## What Is scorecarddata?

scorecarddata is a tool that parses a project's go.mod/go.sum and fetches the scorecard results for its dependencies.

It reads scorecard's public BigQuery data (https://github.com/ossf/scorecard#public-data), table `openssf:scorecardcron.scorecard-v2_latest`, to fetch the results.
## Why should I use this over running the scorecard CLI?

Running the scorecard CLI against hundreds of repositories takes a long time, and the GitHub API rate limits would throttle it. This project avoids that by reading the results from the BigQuery table that scorecard's weekly cron job populates.
## What does scorecarddata do?

- parses go.mod/go.sum for your project
- gets the GitHub URLs of the dependencies
- uses those dependencies to filter the BigQuery data, which the scorecard cron job updates every week
- exports the results as JSON
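The first two steps above, as an added example (not the project's own parser, which is a shell script, and not the scorecard code base): a stdlib-only Go parser for the `require` entries of a go.mod that reduces each module path to the `github.com/owner/repo` form scorecard keys its results on. The go.mod content is constructed for the example; the assumptions are that only GitHub-hosted modules are wanted and that `/vN` major-version suffixes and sub-package paths are stripped.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample go.mod content (not from any real project).
const sampleGoMod = `module github.com/example/app

go 1.19

require (
	github.com/containerd/ttrpc v1.1.0
	github.com/kisielk/errcheck v1.6.0 // indirect
	golang.org/x/mod v0.5.1
	github.com/stretchr/objx v0.4.0
)

require github.com/godbus/dbus/v5 v5.0.6
`

// Dependency is one require entry from go.mod.
type Dependency struct {
	Path     string // module path as written in go.mod
	Version  string
	Indirect bool
}

// ParseGoMod extracts require entries (single-line and block forms) from go.mod text.
func ParseGoMod(content string) []Dependency {
	var deps []Dependency
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "//"):
			continue
		case strings.HasPrefix(line, "require ("):
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		}
		var fields []string
		if inBlock {
			fields = strings.Fields(line)
		} else if strings.HasPrefix(line, "require ") {
			fields = strings.Fields(strings.TrimPrefix(line, "require "))
		} else {
			continue // module, go, replace and other directives are not dependencies
		}
		if len(fields) < 2 {
			continue
		}
		deps = append(deps, Dependency{
			Path:     fields[0],
			Version:  fields[1],
			Indirect: strings.Contains(line, "// indirect"),
		})
	}
	return deps
}

// GitHubRepo maps a module path to "github.com/owner/repo", dropping a /vN
// major-version suffix and any sub-package path. Non-GitHub modules return ok=false.
func GitHubRepo(modulePath string) (string, bool) {
	parts := strings.Split(modulePath, "/")
	if len(parts) < 3 || parts[0] != "github.com" || parts[1] == "" || parts[2] == "" {
		return "", false
	}
	return strings.Join(parts[:3], "/"), true
}

// GitHubRepos returns the sorted, de-duplicated GitHub repositories referenced
// by a go.mod: the list used to filter the BigQuery results.
func GitHubRepos(content string) []string {
	seen := map[string]bool{}
	for _, d := range ParseGoMod(content) {
		if repo, ok := GitHubRepo(d.Path); ok {
			seen[repo] = true
		}
	}
	repos := make([]string, 0, len(seen))
	for r := range seen {
		repos = append(repos, r)
	}
	sort.Strings(repos)
	return repos
}

func main() {
	for _, r := range GitHubRepos(sampleGoMod) {
		fmt.Println(r)
	}
}
```

Modules hosted outside GitHub (`golang.org/x/mod` in the sample) are dropped rather than guessed at, since the BigQuery table is keyed by the repository scorecard actually scanned.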
## How do I run scorecarddata?

```sh
scorecarddata go -m /home/sammy/go/src/github.com/naveensrinivasan/kubernetes --GOOGLE_CLOUD_PROJECT openssf | jq
```
## What are the prerequisites to run this?

- A Google Cloud account
- Access to BigQuery public data: https://cloud.google.com/bigquery/public-data
## Can I get additional checks other than the default?

Yes, the checks are selected with command-line flags (see `--scorecard_checks` below).

```text
./scorecarddata --help
scorecarddata uses the scorecard bigquery to fetch results for dependecies.

Usage:
  scorecarddata [flags]
  scorecarddata [command]

Available Commands:
  completion  generate the autocompletion script for the specified shell
  go          Parses go.mod dependecies and fetches the data from scorecard bigquery for those repositories.
  help        Help about any command
  server      A brief description of your command

Flags:
      --GOOGLE_CLOUD_PROJECT string     The ENV variable that will be used in the BigQuery for querying.
      --config string                   config file (default is $HOME/.scorecarddata.yaml)
      --exclusions-file string          A file with exclusions comma separated by check and value. Example Code-Review,github.com/ossf/scorecard
  -h, --help                            help for scorecarddata
      --scorecard_checks stringArray    The scorecard checks to filter by.Example CI-Tests,Binary-Artifacts etc.https://github.com/ossf/scorecard/blob/main/docs/checks.md (default [Code-Review,Branch-Protection,Pinned-Dependencies,Dependency-Update-Tool,Fuzzing])
  -t, --toggle                          Help message for toggle

Use "scorecarddata [command] --help" for more information about a command.
```
## What do the results from the tool look like?

```json
[
  {
    "Name": "github.com/containerd/ttrpc",
    "Check": "Pinned-Dependencies",
    "Score": 7,
    "Details": "Warn: dependency not pinned by hash (job 'Run Protobuild'): .github/workflows/ci.yml:98",
    "Reason": "dependency not pinned by hash detected -- score normalized to 7"
  },
  {
    "Name": "github.com/kisielk/errcheck",
    "Check": "Pinned-Dependencies",
    "Score": 7,
    "Details": "Info: Third-party actions are pinned",
    "Reason": "dependency not pinned by hash detected -- score normalized to 7"
  }
]
```
## Can I use this in CI and exclude results that I think are false positives?

Yes. Results can be excluded by passing an `--exclusions-file` that lists one `check,repository` pair per line:

```text
Pinned-Dependencies,github.com/godbus/dbus
Pinned-Dependencies,github.com/kisielk/errcheck
```

```sh
scorecarddata go -m . --GOOGLE_CLOUD_PROJECT openssf --exclusions-file ./exclusions --scorecard_checks Pinned-Dependencies
```
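What a CI job does with that output, as an added example (not the project's own exclusion code): it parses an exclusions file in the `check,repository` format shown above, drops the matching results from the tool's JSON output, and fails the build when any remaining score is below a threshold. The results JSON and exclusions file are constructed for the example (the third result and its score are made up), and the `#` comment support and the `Gate` function are this example's assumptions, not documented behaviour of scorecarddata.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Result mirrors one entry of scorecarddata's JSON output.
type Result struct {
	Name    string `json:"Name"`
	Check   string `json:"Check"`
	Score   int    `json:"Score"`
	Details string `json:"Details"`
	Reason  string `json:"Reason"`
}

// Exclusion is one "Check,repository" line from the exclusions file.
type Exclusion struct{ Check, Repo string }

// ParseExclusions reads "Check,repository" lines. Blank lines and '#' comments
// are skipped (an assumption of this example); anything else malformed is an error,
// so a typo in the file cannot silently exclude nothing.
func ParseExclusions(content string) ([]Exclusion, error) {
	var ex []Exclusion
	sc := bufio.NewScanner(strings.NewReader(content))
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		parts := strings.Split(line, ",")
		if len(parts) != 2 || strings.TrimSpace(parts[0]) == "" || strings.TrimSpace(parts[1]) == "" {
			return nil, fmt.Errorf("exclusions line %d: want \"Check,repository\", got %q", lineNo, line)
		}
		ex = append(ex, Exclusion{Check: strings.TrimSpace(parts[0]), Repo: strings.TrimSpace(parts[1])})
	}
	return ex, nil
}

// ApplyExclusions drops results whose (Check, Name) pair is excluded and reports
// how many were dropped, so the CI log shows what was suppressed.
func ApplyExclusions(results []Result, ex []Exclusion) (kept []Result, dropped int) {
	excluded := make(map[Exclusion]bool, len(ex))
	for _, e := range ex {
		excluded[e] = true
	}
	for _, r := range results {
		if excluded[Exclusion{Check: r.Check, Repo: r.Name}] {
			dropped++
			continue
		}
		kept = append(kept, r)
	}
	return kept, dropped
}

// FailsThreshold reports whether any remaining result scores below minScore.
func FailsThreshold(results []Result, minScore int) bool {
	for _, r := range results {
		if r.Score < minScore {
			return true
		}
	}
	return false
}

// Constructed sample data shaped like the README's output and exclusions file.
const sampleResults = `[
 {"Name":"github.com/containerd/ttrpc","Check":"Pinned-Dependencies","Score":7,"Details":"Warn: dependency not pinned by hash (job 'Run Protobuild'): .github/workflows/ci.yml:98","Reason":"dependency not pinned by hash detected -- score normalized to 7"},
 {"Name":"github.com/kisielk/errcheck","Check":"Pinned-Dependencies","Score":7,"Details":"Info: Third-party actions are pinned","Reason":"dependency not pinned by hash detected -- score normalized to 7"},
 {"Name":"github.com/godbus/dbus","Check":"Code-Review","Score":3,"Details":"Warn: constructed sample finding","Reason":"constructed sample reason -- score normalized to 3"}
]`

const sampleExclusions = `Pinned-Dependencies,github.com/godbus/dbus
Pinned-Dependencies,github.com/kisielk/errcheck
`

// Gate runs the whole flow: decode JSON, apply exclusions, evaluate the threshold.
func Gate(resultsJSON, exclusions string, minScore int) (kept []Result, dropped int, fail bool, err error) {
	var results []Result
	if err := json.Unmarshal([]byte(resultsJSON), &results); err != nil {
		return nil, 0, false, err
	}
	ex, err := ParseExclusions(exclusions)
	if err != nil {
		return nil, 0, false, err
	}
	kept, dropped = ApplyExclusions(results, ex)
	return kept, dropped, FailsThreshold(kept, minScore), nil
}

func main() {
	kept, dropped, fail, err := Gate(sampleResults, sampleExclusions, 5)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("excluded %d result(s), %d remaining, gate failed: %v\n", dropped, len(kept), fail)
	if fail {
		os.Exit(1)
	}
}
```

Note that an exclusion is matched on the (check, repository) pair, so excluding `Pinned-Dependencies` for `github.com/godbus/dbus` does not hide that repository's `Code-Review` score; keeping exclusions this narrow is what makes them reviewable in a pull request.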
## Using it as a server

scorecarddata can also run as a server that serves requests for checks and repositories:

```sh
./scorecarddata server --GOOGLE_CLOUD_PROJECT openssf
```

This starts an HTTP server on port 8080. A JSON body like the following can be POSTed to the server to get results:

```json
{
  "repositories": [
    "github.com/stretchr/objx"
  ],
  "checks": [
    "Pinned-Dependencies"
  ]
}
```
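The server side of that request, as an added example (not the project's own server code): an `http.Handler` that decodes the request body shown above, validates it before anything is turned into a BigQuery query, and answers with the same result shape the CLI emits. The real server queries BigQuery; this example injects a `Lookup` function backed by constructed in-memory rows so it runs offline. The body-size cap, the 100-repository limit, the rejection of anything that is not a bare `github.com/owner/repo`, and "empty `checks` means all checks" are this example's assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"strings"
)

// Request is the JSON body the server accepts.
type Request struct {
	Repositories []string `json:"repositories"`
	Checks       []string `json:"checks"`
}

// Result mirrors one entry of scorecarddata's JSON output.
type Result struct {
	Name    string `json:"Name"`
	Check   string `json:"Check"`
	Score   int    `json:"Score"`
	Details string `json:"Details"`
	Reason  string `json:"Reason"`
}

// Lookup is whatever backs the server (BigQuery in the real tool).
type Lookup func(repos, checks []string) ([]Result, error)

const maxRepos = 100 // assumed cap so one request cannot become one huge query

// ValidateRequest rejects bodies that would produce an empty, oversized or
// malformed query before the lookup runs.
func ValidateRequest(r Request) error {
	if len(r.Repositories) == 0 {
		return fmt.Errorf("repositories must not be empty")
	}
	if len(r.Repositories) > maxRepos {
		return fmt.Errorf("at most %d repositories per request", maxRepos)
	}
	for _, repo := range r.Repositories {
		parts := strings.Split(repo, "/")
		if len(parts) != 3 || parts[0] != "github.com" || parts[1] == "" || parts[2] == "" {
			return fmt.Errorf("repository %q is not of the form github.com/owner/repo", repo)
		}
	}
	for _, c := range r.Checks {
		if strings.TrimSpace(c) == "" {
			return fmt.Errorf("check names must not be empty")
		}
	}
	return nil
}

// NewHandler decodes, validates and serves one request.
func NewHandler(lookup Lookup) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		if req.Method != http.MethodPost {
			http.Error(w, "POST only", http.StatusMethodNotAllowed)
			return
		}
		dec := json.NewDecoder(http.MaxBytesReader(w, req.Body, 64<<10)) // bound the body size
		dec.DisallowUnknownFields()
		var body Request
		if err := dec.Decode(&body); err != nil {
			http.Error(w, "bad JSON: "+err.Error(), http.StatusBadRequest)
			return
		}
		if err := ValidateRequest(body); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		results, err := lookup(body.Repositories, body.Checks)
		if err != nil {
			http.Error(w, "lookup failed", http.StatusBadGateway) // detail stays in server logs
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(results)
	})
}

// MemoryLookup filters constructed rows by repository and (if given) check.
func MemoryLookup(rows []Result) Lookup {
	contains := func(list []string, v string) bool {
		for _, x := range list {
			if x == v {
				return true
			}
		}
		return false
	}
	return func(repos, checks []string) ([]Result, error) {
		out := []Result{}
		for _, r := range rows {
			if contains(repos, r.Name) && (len(checks) == 0 || contains(checks, r.Check)) {
				out = append(out, r)
			}
		}
		return out, nil
	}
}

// Constructed sample rows; the scores are made up for the example.
var sampleRows = []Result{
	{Name: "github.com/stretchr/objx", Check: "Pinned-Dependencies", Score: 8, Details: "Info: constructed", Reason: "constructed"},
	{Name: "github.com/stretchr/objx", Check: "Code-Review", Score: 5, Details: "Warn: constructed", Reason: "constructed"},
	{Name: "github.com/containerd/ttrpc", Check: "Pinned-Dependencies", Score: 7, Details: "Warn: constructed", Reason: "constructed"},
}

func main() {
	log.Fatal(http.ListenAndServe(":8080", NewHandler(MemoryLookup(sampleRows))))
}
```

Validating the repository names up front matters because they end up as filter values in a query against a shared public dataset: the handler should only ever forward the exact `github.com/owner/repo` keys the table is indexed by.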
The dependency parsing itself is bash goo :face_palm: (see explainshell for a breakdown).

If you know how to parse the dependencies for other languages, please send a PR. The interface that needs to be implemented is in `scorecarddata/pkg/deps/deps.go` (line 3 at commit 70e7880).