Private Repositories

[robintemme]

I am missing the possibility to check private GitHub repositories on goreportcard.com. Am I not seeing something or does it just not work (yet)?

[shawnps]

@zwerch unfortunately this isn't available right now. @hermanschaaf and I have discussed it before, but we've put it off for a few reasons:

• It's probably going to take us a while to build
• Security implications (we go get repos right now, which stores them on disk. We'd want to be extra careful about private repos)
• We don't know how many people want it. You count of course, and maybe 2 or 3 other people have asked us for it

We'll leave this open for others to comment on if it's something they want, and if enough people request it we'll probably end up building it.

Thanks!

[wangkirin]

@shawnps I have similar requirements ,but not for the private GitHub repositories. We want to run goreportcard in our local network , and check repos from private git server (like gitlab or phabricator) , the question is , if we want to go get the repo , we need enter the username and password

[shawnps]

@wangkirin ah, that is an interesting use case, thanks for bringing that up. I wonder if we could sort that out with setting a username/pw as environment variables or something like that?

[wangkirin]

@shawnps
Yes, that's what I mean.: )

[ghost]

Concerning the username/password stuff, doesn't GitLab or whatever other platform installed locally have something similar to Github's deploy keys? If you configure them on your server go get will work flawlessly, right? Or am I missing something? Clear text password doesn't seem like a secure option to me.

[Nalum]

Running my own instance of goreportcard to check private repos is something I'm interested in.

[Archosian]

Also using private repositories. In order to use go get on them we've used git config --global url."git@private.local:".insteadOf "https://private.local/", which lets go get use the deploy keys we set up. This is on a gitlab repository. Could there be some project level configuration that is overwriting the global? Obviously interested in private repos as well.

[franzwilhelm]

@shawnps Any update on this issue?

[shawnps]

Hi @franzwilhelm and anyone else interested in this,

From the thumbs up reactions on @Nalum's comment it looks like quite a few people are interested in running their own instance of GRC to check private repos. I'll start to think about it. There are a few things I imagine I'll need to consider:

• GitHub Enterprise support
• Non-GitHub private repos like @Archosian mentioned
• Probably most common: go get private GitHub repo

On top of this we might be able to offer the ability to check private repos on goreportcard.com for people who don't want to run their own instance internally.

The first thing I'll probably try to do is add the ability for people to run their own instance to check private GitHub repos.

And of course I'm open to help/feedback from anyone who feels like contributing.

[Nalum]

I was able to use this locally on my private repos. Setting the insteadof git config did the trick. Haven't tested a remote setup yet, but I assume that with a valid deploy key will work.

I tested it with GitLab.com private repos.

[danlg]

@nalum did you manage to make it work with a remote private repo?

[Nalum]

I haven't had time to check. As soon as I do I'll let you know.

[aweisser]

Any updates on this? I'd love to see that feature for gerrit and gitlab.

[melvinodsa]

I tested the method @Archosian mentioned. Its working. :smile: I am thinking about adding an oAuth module infornt of this tool, which will enable my gitlab or other private repo users to access tool and yet the tool is not open source. Any suggestions?

[nikogura]

The following Dockerfile will let you run against a private gitlab with a self signed certificate. It's basically just the goreportcard dockerfile rearranged and with the key and git config stuff added.

    FROM golang:1.8-alpine

    # SSH key for getting code
    ARG SSH_KEY

    # hostname for internal github/gitlab server
    ARG GIT_HOST

    # most of this is verbatim from the project.  openssl is added
    RUN apk update && apk upgrade && apk add --no-cache git make openssl openssh

    # trust repo's self signed cert
    RUN echo | openssl s_client -showcerts -servername $GIT_HOST -connect $GIT_HOST:443 2>&1 | sed -ne '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > /usr/local/share/ca-certificates/$GIT_HOST.pem && update-ca-certificates

    # stage ssh key and accept repos's host key
    RUN mkdir -p /root/.ssh && chmod 700 /root/.ssh && echo "$SSH_KEY" > /root/.ssh/id_rsa && chmod 600 /root/.ssh/id_rsa && ssh-keyscan -H $GIT_HOST > /root/.ssh/known_hosts

    # configure git to use ssh over https
    RUN git config --global url.git@$GIT_HOST:.insteadOf https://$GIT_HOST/

    # Install app dependencies
    RUN go get github.com/gojp/goreportcard && go get golang.org/x/tools/go/vcs

    RUN /go/src/github.com/gojp/goreportcard/scripts/make-install.sh

    WORKDIR $GOPATH/src/github.com/gojp/goreportcard

    EXPOSE 8000

    CMD ["make", "start"]`

Build with: docker build --build-arg SSH_KEY="$SSH_KEY" --build-arg GIT_HOST=<your git host> .

[dAnjou]

134 can be a viable workaround for most use cases here.

[Southclaws]

If you don't need self signed certs or self hosted GitHub and don't want to bake SSH into the container, my solution was some quick modification to the Dockerfile:

RUN apk update && apk upgrade && apk add --no-cache git make openssh \
        && go get golang.org/x/tools/go/vcs \
        && ./scripts/make-install.sh \
        && git config --global url."git@github.com:".insteadOf "https://gojp:gojp@github.com/" \
        && mkdir /root/.ssh && echo "StrictHostKeyChecking no " > /root/.ssh/config

Then run with a passwordless SSH key mounted into the container at runtime: -v $(HOME)/.ssh/id_goreportcard_rsa:/root/.ssh/id_rsa.

Another, more long term alternative would be to replace Git command line calls with src-d/go-git and provide configuration for either basic auth or SSH via environment variables.

[thomasyuan]

We used self-hosted Gitlab, I think at least for self-hosted Gitlab, you needn't care about ssh key or certs at all. The runner itself will automatically do that for you.

My question is, is there an official docker image on dockerhub.com? At least I didn't find it. That will be all I need to run goreportcard for our private repo.

[Miouge1]

For the folks on GitLab, another option is to run goreportcard in CI, something like:

goreportcard:
  before_script:
  # Or build a custom docker image
   - curl -L https://git.io/vp6lP | sh
   - go get github.com/gojp/goreportcard/cmd/goreportcard-cli
  script:
   - goreportcard-cli -t 90 

[idefixcert]

In the productiongo book is stated: " You can try it on goreportcard.com if your source code is open source, or run the server locally to make use of the tool on your internal network or private repositories."

How ist that possible. I don't have gitlab, I have a simple git project?

[shawnps]

Hi @idefixcert,

It's possible to use the CLI on your git project:

https://github.com/gojp/goreportcard#command-line-interface

[tommyalatalo]

Has there been any further progress on something like a GRC docker container which can access a private Gitlab (or other) repo, so that you can set up links to the self-hosted reports in a browser?

[github-actions[bot]]

This issue is stale because it has been open 60 days with no activity.