ossf/scorecard-webapp

OpenSSF Scorecard API and website

scorecard-webapp

Code for https://securityscorecards.dev (./scorecards-site) and https://api.securityscorecards.dev (./app).

The site is deployed on Netlify, and the deployment configuration is in netlify.toml. Any changes committed to netlify.toml and scorecards-site/ on the main branch are automatically deployed to production, so please make sure to review deploy previews when making changes to the site.

The API uses an OpenAPI spec and go-swagger to auto-generate server and client code. Any changes committed to openapi.yaml on the main branch are deployed to the staging site only. To change the production API, generate a new Git tag; the latest tag is automatically deployed to production.

Release process

GitHub release

Cut a release for the project via the GitHub UX or by pushing a new tag.

TODO: automate these steps

Any updates made to openapi.yaml need to be deployed to Google Cloud Endpoints. To do that, follow these steps:

$ gcloud auth login
$ gcloud endpoints services deploy openapi.yaml --project openssf --quiet --format=json > /tmp/gcloud.json
$ wget https://raw.githubusercontent.com/GoogleCloudPlatform/esp-v2/master/docker/serverless/gcloud_build_image \
   --output-document=/tmp/gcloud_build_image
$ chmod +x /tmp/gcloud_build_image
$ /tmp/gcloud_build_image -c "$(jq -r .serviceConfig.id /tmp/gcloud.json)" \
   -s "$(jq -r .serviceConfig.name /tmp/gcloud.json)" \
   -p openssf -z us
$ gcloud run deploy scorecard-endpoints-prod \
   --image=<image-from-above-step> \
   --project=openssf
   # For region prompt, choose us-central1.
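
The steps above fetch gcloud_build_image from the master branch and run it inside an authenticated gcloud session, and `jq -r` prints the literal string null when a key is missing. A variant that pins the download to a commit, checks its SHA-256 before marking it executable, and rejects empty or null service config values, as an added example that is not part of this repository (function names are hypothetical; the commit and digest are placeholders the operator supplies; assumes GNU sha256sum):

```bash
#!/usr/bin/env bash
# Added example, not from the scorecard-webapp repository.
# Function names are hypothetical; pinned values are supplied by the operator.

# Succeeds only if FILE's SHA-256 equals the EXPECTED hex digest.
verify_sha256() {
  local file="$1" expected="$2" actual
  actual=$(sha256sum "$file" | cut -d' ' -f1) || return 1
  [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Rejects empty values and the literal "null" that `jq -r` prints
# when a key is absent from the deploy output.
require_value() {
  local name="$1" value="$2"
  if [ -z "$value" ] || [ "$value" = "null" ]; then
    echo "missing $name in deploy output" >&2
    return 1
  fi
}

# Downloads the build script from a pinned commit instead of master,
# verifies it, and only then makes it executable.
fetch_build_script() {
  local commit="$1" expected="$2" dest="$3"
  local url="https://raw.githubusercontent.com/GoogleCloudPlatform/esp-v2/${commit}/docker/serverless/gcloud_build_image"
  wget --quiet "$url" --output-document="$dest" || return 1
  if ! verify_sha256 "$dest" "$expected"; then
    echo "checksum mismatch for $dest, refusing to run it" >&2
    rm -f "$dest"
    return 1
  fi
  chmod +x "$dest"
}

# Usage (placeholders, not values from this page):
#   fetch_build_script "<pinned-commit-sha>" "<expected-sha256>" /tmp/gcloud_build_image
#   id=$(jq -r .serviceConfig.id /tmp/gcloud.json)
#   require_value serviceConfig.id "$id"
#   name=$(jq -r .serviceConfig.name /tmp/gcloud.json)
#   require_value serviceConfig.name "$name"
#   /tmp/gcloud_build_image -c "$id" -s "$name" -p openssf -z us
```

Record the expected digest when the pinned commit is reviewed, and update both values together when moving to a newer esp-v2 revision.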