Skip to content
This repository has been archived by the owner on Jun 10, 2024. It is now read-only.

Scorecard action for checking when new dependencies are added to the repository.

License

Notifications You must be signed in to change notification settings

ossf/scorecard-dependencyanalysis

Important

Update, June 2024: This repo is no longer maintained. Please use actions/dependency-review-action which can show Scorecard API data as of v4.2.3.

OpenSSF Scorecard Dependency Analysis

This repository contains the source code for the OpenSSF Dependency Analysis project. The aim of the project is to check the security posture of a project's dependencies using the GitHub Dependency Graph API and the Security Scorecards API.

Usage

The OpenSSF Dependency Analysis is a GitHub Action that can be easily incorporated into a workflow. The workflow can be triggered on a pull request event. The action will run on the latest commit on the default branch of the repository, and will create a comment on the pull request with the results of the analysis. An example of the comment can be found here.

Prerequisites

The actions require enabling the GitHub Dependency Review for the repository.

Configuration

The action can be configured using the following inputs:

  • SCORECARD_CHECKS: This environment variable takes a file containing a list of checks to run.
  • The file should be in JSON format and follow the format provided by the Scorecard checks documentation. For example:
[
  "Binary-Artifacts",
  "Pinned-Dependencies"
] 

Installation

The action can be installed by adding the following snippet to the workflow file:

name: scorecard-dependency-analysis

on:
  pull_request:
    types: [opened, synchronize, reopened]
permissions:
  pull-requests: write # Required to create a comment on the pull request.

jobs:
  dependency-analysis:
    name: Scorecards dependency analysis
    runs-on: ubuntu-latest
    env:
      GITHUB_PR_NUMBER: ${{ github.event.number }}
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      GITHUB_REPOSITORY: ${{ github.repository }}
      GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
      GITHUB_SHA: ${{ github.sha }}
      GITHUB_ACTOR: ${{ github.actor }}


    steps:
      - name: Checkout code
        uses: actions/checkout@v2
        with:
          persist-credentials: false

      - name: Run dependency analysis
        uses: ossf/scorecard-action/dependency-analysis@main # Replace with the latest release version.

About

Scorecard action for checking when new dependencies are added to the repository.

Topics

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Packages