UpstreamDataInc / goosebit

A simplistic, opinionated remote update server implementing hawkBit™'s DDI API.
https://goosebit.rtfd.io
Apache License 2.0

Introduce OpenSSF Scorecard #180

Closed rettichschnidi closed 1 week ago

rettichschnidi commented 1 week ago

This allows users to quickly assess the supply-chain security, as judged by the OpenSSF scorecard, of this project.

While the score is not yet great, this scorecard will help the project to implement sensible improvements.

Unfortunately, the action will run only once the PR has been merged, as the check refuses to work on anything other than the main branch, master in this case. Let's review extra carefully! 🤞

To check out what the reporting will look like, have a look at my fork:

Alternatively, the checks can be run locally in CI:

```
docker run -e GITHUB_AUTH_TOKEN=<your GitHub PAT> gcr.io/openssf/scorecard:stable --show-details --repo=github.com/UpstreamDataInc/goosebit
```

The CLI actually tests this repository, instead of my fork. As a result, the resulting score is 5.6 and not 3.2.

b-rowan commented 1 week ago

Looks good to me, you may just want to run `pre-commit install` and `pre-commit run --all-files` just so you don't get the pre-commit warnings here.

rettichschnidi commented 1 week ago

> Looks good to me, you may just want to run `pre-commit install` and `pre-commit run --all-files` just so you don't get the pre-commit warnings here.

Just passed CI without this, doing things manually. 😅

Problem is that from reading the readme, I am not clear how I would install prettier, etc. Seems to be available only via npm?

b-rowan commented 1 week ago

> Looks good to me, you may just want to run `pre-commit install` and `pre-commit run --all-files` just so you don't get the pre-commit warnings here.
>
> Just passed CI without this.
>
> Problem is that from reading the readme, I am not clear how I would install prettier, etc. Seems to be available only via npm?

You don't have to, it is using a mirror that sets up an environment for you ;)

rettichschnidi commented 1 week ago

> You don't have to, it is using a mirror that sets up an environment for you ;)

Oh, I'm bad at reading the readme... `poetry install` is key. 🙈

However, once done, for whatever reason, pre-commit was not installed, even after running `poetry install --with dev,docs,tests`:

```
$ pre-commit run --all-files
bash: pre-commit: command not found
```

Resolved it by resorting to pipx (`pipx install pre-commit`).

b-rowan commented 1 week ago

> You don't have to, it is using a mirror that sets up an environment for you ;)
>
> For whatever reason, pre-commit was not installed, even after running `poetry install --with dev,docs,tests`:
>
> ```
> $ pre-commit run --all-files
> bash: pre-commit: command not found
> ```
>
> Resolved it by resorting to pipx (`pipx install pre-commit`).

You may need to run it with poetry (prefix with `poetry run`).

rettichschnidi commented 1 week ago

> You may need to run it with poetry (prefix with `poetry run`).

This worked, thanks! -> #181