Thank you for contributing your time and expertise to the Security Scorecards project. This document describes the contribution guidelines for the project.
Note: Before you start contributing, you must read and abide by our Code of Conduct.
- Contributing code
- Contributing steps
- Error handling
- How to build scorecard locally
- PR Process
- What to do before submitting a pull request
- Permission for GitHub personal access tokens
- Where the CI Tests are configured
- dailyscore-cronjob
- How do I add additional GitHub repositories to be scanned by scorecard dailyscore?
- Adding New Checks
- Create a GitHub account
- Create a personal access token
- Set up your development environment
You must install these tools:
- Submit an issue describing your proposed change to the repo in question.
- The repo owners will respond to your issue promptly.
- Fork the desired repo, develop and test your code changes.
- Submit a pull request.
See [errors/errors.md].
Note that, by building the scorecard from the source code we are allowed to test the changes made locally.
- Run the following command to clone your fork of the project locally
git clone [email protected]:<user>/scorecard.git $GOPATH/src/github.com/<user>/scorecard.git
- Ensure you activate module support before continue (
$ export GO111MODULE=on
) - Run the command
make build
to build the source code
Every PR should be annotated with an icon indicating whether it's a:
- Breaking change:
⚠️ (:warning:
) - Non-breaking feature: ✨ (
:sparkles:
) - Patch fix: 🐛 (
:bug:
) - Docs: 📖 (
:book:
) - Infra/Tests/Other: 🌱 (
:seedling:
) - No release note: 👻 (
:ghost:
)
Use 👻 (no release note) only for the PRs that change or revert unreleased changes, which don't deserve a release note. Please don't abuse it.
You can also use the equivalent emoji directly, since GitHub doesn't render the
:xyz:
aliases in PR titles.
Individual commits should not be tagged separately, but will generally be assumed to match the PR. For instance, if you have a bugfix in with a breaking change, it's generally encouraged to submit the bugfix separately, but if you must put them in one PR, you should mark the whole PR as breaking.
Following the targets that can be used to test your changes locally.
Command | Description | Is called in the CI? |
---|---|---|
make all | Runs go test,golangci lint checks, fmt, go mod tidy | yes |
make e2e | Runs e2e tests | yes |
The personal access token need the following scopes:
repo:status
- Access commit statusrepo_deployment
- Access deployment statuspublic_repo
- Access public repositories
- See the action files to check its tests, and the scripts used on it.
scorecard scans https://github.com/ossf/scorecard/blob/main/cron/projects.txt
repositories in GCP k8s and publishes the results in GCS bucket
ossf-scorecards
.
The cron
definition ./scorecard/cron/cron.sh and the k8s
for the cron
is
in ./scorecard/cron/k8s/cron.yaml
The logs for the cron are available at https://console.cloud.google.com/kubernetes/cronjob/us-central1-c/openssf/default/daily-score/logs?project=openssf
The cronjob can be deployed into k8s by running kubectl apply -f ./scorecard/cron/k8s/cron.yaml
. This will deploy a k8s cron job.
Any updates to the ./scorecard/cron/cron.sh will be deployed by the docker container ./scorecard/Dockerfile.gsutil
Scorecard maintains the list of repositories in a file https://github.com/ossf/scorecard/blob/main/cron/projects.txt
Submit a PR for this file and scorecard would start scanning in subsequent runs.
See checks/write.md.
The docs need to be updated for the checks. A summary needs to be included in the README.md and also /checks/checks.yaml and checks/checks.md needs to be updated.
The /checks/checks.md is auto generated by running ./checks/main/main.go
Currently only one set of checks can be run. In the future, we'll allow declaring multiple suites and configuring which checks get run.