ossf / allstar

GitHub App to set and enforce security policies
Apache License 2.0

FR: Add a check for pinned dependencies #481

Closed MartinPetkov closed 6 months ago

MartinPetkov commented 6 months ago

I would find it useful if Allstar also supports checking for pinned dependencies.

I've taken a cursory look at the code and it looks doable. I think the main thing is adding a new file under the policies/ directory implementing the check. Since it already exists in scorecards, the check would also be pretty simple; it would just call scorecards for the bulk of the logic.

If the team is okay with adding this as a new feature, then I'm willing to try to implement it myself and contribute 🙂.

jeffmendoza commented 6 months ago

Hi Martin, Allstar supports running any scorecard check currently, see: https://github.com/ossf/allstar?tab=readme-ov-file#generic-scorecard-check

One thing that is not always clear is the name. For Pinned deps, it would be: https://github.com/ossf/scorecard/blob/main/checks/pinned_dependencies.go#L25C34-L25C53

MartinPetkov commented 6 months ago

I see, thank you! Sorry to ask, but could you give me an example of what the file would be named and what it would look like?

jeffmendoza commented 6 months ago

No problem

Single repo, file in repo: `.allstar/scorecard.yaml`

```yaml
optConfig:
  optIn: true
action: issue
checks:
- Pinned-Dependencies
threshold: 7 # I'm not sure what the typical scores are for Pinned Deps
```

Or for a whole org:

File in `.allstar` repo: `scorecard.yaml`

```yaml
optConfig:
  optOutStrategy: true
action: issue
checks:
- Pinned-Dependencies
threshold: 7
```

MartinPetkov commented 6 months ago

Thank you, that's very helpful 🙂 I'll close this FR then.