Skip to content
This repository has been archived by the owner on Jun 10, 2024. It is now read-only.
/ scorecard-dependencyanalysis Public archive
generated from ossf/project-template

Scorecard action for checking when new dependencies are added to the repository.

License

Apache-2.0 license
2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ossf/scorecard-dependencyanalysis

4 Branches1 Tag

Folders and files

NameName
Last commit message
Last commit date

Latest commit

spencerschrockspencerschrock
Add archive notice to README.md (#23)
Jun 8, 2024
14aa7b1 Â· Jun 8, 2024

History

34 Commits
.github
.github
Jan 14, 2024
CHARTER.md
CHARTER.md
May 30, 2023
Dockerfile
Dockerfile
May 31, 2023
LICENSE
LICENSE
May 30, 2023
README.md
README.md
Jun 8, 2024
SECURITY.md
SECURITY.md
Aug 28, 2023
action.yaml
action.yaml
May 31, 2023
go.mod
go.mod
Jan 9, 2024
go.sum
go.sum
Jan 9, 2024
main.go
main.go
Jun 7, 2023
main_test.go
main_test.go
May 31, 2023
types.go
types.go
May 31, 2023

Repository files navigation

Important

Update, June 2024: This repo is no longer maintained. Please use actions/dependency-review-action which can show Scorecard API data as of v4.2.3.

OpenSSF Scorecard Dependency Analysis

This repository contains the source code for the OpenSSF Dependency Analysis project. The aim of the project is to check the security posture of a project's dependencies using the GitHub Dependency Graph API and the Security Scorecards API.

Usage

The OpenSSF Dependency Analysis is a GitHub Action that can be easily incorporated into a workflow. The workflow can be triggered on a pull request event. The action will run on the latest commit on the default branch of the repository, and will create a comment on the pull request with the results of the analysis. An example of the comment can be found here.

Prerequisites

The actions require enabling the GitHub Dependency Review for the repository.

Configuration

The action can be configured using the following inputs:

  • SCORECARD_CHECKS: This environment variable takes a file containing a list of checks to run.
  • The file should be in JSON format and follow the format provided by the Scorecard checks documentation. For example:
[
  "Binary-Artifacts",
  "Pinned-Dependencies"
]

Installation

The action can be installed by adding the following snippet to the workflow file:

name: scorecard-dependency-analysis

on:
  pull_request:
    types: [opened, synchronize, reopened]
permissions:
  pull-requests: write # Required to create a comment on the pull request.

jobs:
  dependency-analysis:
    name: Scorecards dependency analysis
    runs-on: ubuntu-latest
    env:
      GITHUB_PR_NUMBER: ${{ github.event.number }}
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      GITHUB_REPOSITORY: ${{ github.repository }}
      GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
      GITHUB_SHA: ${{ github.sha }}
      GITHUB_ACTOR: ${{ github.actor }}


    steps:
      - name: Checkout code
        uses: actions/checkout@v2
        with:
          persist-credentials: false

      - name: Run dependency analysis
        uses: ossf/scorecard-action/dependency-analysis@main # Replace with the latest release version.

About

Scorecard action for checking when new dependencies are added to the repository.

Topics

openssf-scorecard

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

2 stars

Watchers

7 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages 1

Contributors 5

Languages