
feat: add gitlab openssf scorecards #26167

Closed
wants to merge 3 commits into from

Conversation

adam-moss
Contributor

@adam-moss adam-moss commented Dec 6, 2023

Changes

Adds OpenSSF scorecard reporting for GitLab.

Context

Adding following testing as part of #25125 (reply in thread)

Documentation (please check one with an [x])

  • I have updated the documentation, or
  • No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

  • Code inspection only, or
  • Newly added/modified unit tests, or
  • No unit tests but ran on a real repository, or
  • Both unit tests + ran on a real repository

@CLAassistant

CLAassistant commented Dec 6, 2023

CLA assistant check
All committers have signed the CLA.

Signed-off-by: Adam Moss <[email protected]>
@rarkins rarkins requested a review from secustor December 6, 2023 12:55
lib/config/presets/internal/security.ts (review comment, outdated, resolved)
@adam-moss
Contributor Author

[Screenshot 2023-12-06 at 17:47:59]

Tested against a private repository. Seems the OpenSSF api has a challenge with /group/subgroup/project urls. I wonder if there is something nicer we could do rather than having a broken image link?

Example:
https://gitlab.com/gitlab-org/ruby/gems/gitlab-triage
https://api.securityscorecards.dev/projects/gitlab.com/gitlab-org/ruby/gems/gitlab-triage/badge
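
As an added illustration (not Renovate's code and not part of this thread), the helper below builds the scorecard badge URL in the shape shown above and flags project paths with nested subgroups, the case the thread reports as returning a broken image. Whether the scorecard API accepts a given path is taken from the thread's report, not checked by this code; the fallback text is a hypothetical choice for avoiding a dead badge link.

```typescript
// Added example, not Renovate's own code. Behaviour of the scorecard API for
// nested subgroup paths is as reported in the thread, not verified here.

interface ScorecardBadge {
  badgeUrl: string;       // https://api.securityscorecards.dev/projects/<host>/<path>/badge
  pathSegments: string[]; // e.g. ['gitlab-org', 'ruby', 'gems', 'gitlab-triage']
  nestedSubgroups: boolean; // true when the path is deeper than group/project
}

// Derive the badge URL from a GitLab project URL. A trailing ".git" is dropped
// so clone-style URLs map to the same project path.
function scorecardBadgeFor(projectUrl: string): ScorecardBadge {
  const url = new URL(projectUrl);
  const segments = url.pathname.split('/').filter((s) => s.length > 0);
  if (segments.length < 2) {
    throw new Error(`not a GitLab project URL: ${projectUrl}`);
  }
  segments[segments.length - 1] = segments[segments.length - 1].replace(/\.git$/, '');
  const path = segments.join('/');
  return {
    badgeUrl: `https://api.securityscorecards.dev/projects/${url.host}/${path}/badge`,
    pathSegments: segments,
    nestedSubgroups: segments.length > 2,
  };
}

// Emit markdown for a PR body: the badge image when the path is group/project,
// otherwise a plain note so the reader does not get a broken image.
// (Hypothetical fallback wording; the thread asks for "something nicer".)
function scorecardMarkdown(projectUrl: string): string {
  const badge = scorecardBadgeFor(projectUrl);
  if (badge.nestedSubgroups) {
    return `OpenSSF Scorecard: not available for nested subgroup path ${badge.pathSegments.join('/')}`;
  }
  return `![OpenSSF Scorecard](${badge.badgeUrl})`;
}

// Constructed sample input, taken from the URL quoted in the thread.
console.log(scorecardMarkdown('https://gitlab.com/gitlab-org/ruby/gems/gitlab-triage'));
console.log(scorecardMarkdown('https://gitlab.com/group/project.git'));
```

The `nestedSubgroups` flag is what a preset would key on to decide between the badge image and a textual fallback until the upstream API handles deeper paths.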

@secustor
Collaborator

secustor commented Dec 6, 2023

@adam-moss
Contributor Author

Indeed, I have raised ossf/scorecard-webapp#511

@secustor secustor marked this pull request as draft December 8, 2023 11:15
@HonkingGoose HonkingGoose added the status:blocked Issue is blocked by another issue or external requirement label Mar 4, 2024
@rarkins
Collaborator

rarkins commented Mar 18, 2024

What's the next step here?

@secustor
Collaborator

It's not actionable by us right now and blocked by OSSF scorecards API server implementation

@rarkins
Collaborator

rarkins commented Mar 19, 2024

OK, please feel free to reopen this as soon as it's actionable. We have 60+ open PRs right now so would like to close anything non-actionable and stalled.

@rarkins rarkins closed this Mar 19, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 20, 2024