Closed MartinPetkov closed 6 months ago
Hi Martin, Allstar supports running any scorecard check currently, see: https://github.com/ossf/allstar?tab=readme-ov-file#generic-scorecard-check
One thing that is not always clear is the name; for Pinned deps, it would be: https://github.com/ossf/scorecard/blob/main/checks/pinned_dependencies.go#L25C34-L25C53
I see, thank you! Sorry to ask, but could you give me an example of what the file would be named and what it would look like?
No problem
Single repo:
File in repo: .allstar/scorecard.yaml

```yaml
optConfig:
  optIn: true
action: issue
checks:
  - Pinned-Dependencies
threshold: 7 # I'm not sure what the typical scores are for Pinned Deps
```
Or for a whole org:
File in .allstar repo: scorecard.yaml

```yaml
optConfig:
  optOutStrategy: true
action: issue
checks:
  - Pinned-Dependencies
threshold: 7
```
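As an added example (not code from the Allstar project, Scorecard, or either participant in this thread), the script below shows what the policy above does with a Scorecard result before you roll it out org-wide: it evaluates the configured checks against the threshold, and it scans a workflow file for the kind of unpinned `uses:` references that drag the Pinned-Dependencies score down. Assumptions: the JSON layout mirrors `scorecard --format json` output (trimmed to the fields used), Allstar fails a check when its score is below `threshold`, and the pinning scan is a simplified approximation of the real check, which also covers Dockerfiles, shell downloads and package-manager installs. The sample Scorecard result, workflow and commit SHA are constructed placeholders.

```python
import json
import re

# Constructed sample in the shape of `scorecard --format json` output (assumed, trimmed to the
# fields used here). Scores run from 0 to 10; -1 means the check could not be evaluated.
SCORECARD_JSON = json.dumps({
    "repo": {"name": "github.com/example/repo"},
    "checks": [
        {"name": "Pinned-Dependencies", "score": 5,
         "reason": "dependency not pinned by hash detected -- score normalized to 5"},
        {"name": "Token-Permissions", "score": 10,
         "reason": "GitHub workflow tokens follow principle of least privilege"},
        {"name": "Branch-Protection", "score": -1,
         "reason": "internal error: check could not be run"},
    ],
})

# The org-wide policy from the thread, as the mapping the YAML decodes to.
POLICY = {
    "optConfig": {"optOutStrategy": True},
    "action": "issue",
    "checks": ["Pinned-Dependencies"],
    "threshold": 7,
}


def failing_checks(scorecard_json: str, policy: dict) -> list:
    """Return (check name, score) for every configured check that would trigger the action.

    Assumption: a check fails the policy when its score is below policy["threshold"].
    score is None when Scorecard did not report the check at all and -1 when it reported
    that the check could not run; both are surfaced rather than silently treated as passing.
    """
    result = json.loads(scorecard_json)
    scores = {c["name"]: c["score"] for c in result.get("checks", [])}
    threshold = policy["threshold"]
    failures = []
    for name in policy["checks"]:
        score = scores.get(name)
        if score is None or score < 0 or score < threshold:
            failures.append((name, score))
    return failures


# Minimal approximation of the Pinned-Dependencies check for GitHub Actions workflow files:
# a `uses:` reference counts as pinned only when it names a full 40-hex commit SHA.
# Local actions (./path) carry no @ref and are not flagged.
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)", re.MULTILINE)
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_yaml: str) -> list:
    """Return 'owner/repo@ref' strings for action references not pinned to a commit SHA."""
    return [f"{action}@{ref}" for action, ref in _USES_RE.findall(workflow_yaml)
            if not _SHA_RE.match(ref)]


# Constructed workflow: one tag-pinned action, one hash-pinned action (placeholder SHA),
# one local action and one plain run step.
WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
        with:
          go-version: "1.22"
      - uses: ./.github/actions/local
      - run: go test ./...
"""

if __name__ == "__main__":
    print("would trigger action:", failing_checks(SCORECARD_JSON, POLICY))
    print("unpinned actions:", unpinned_actions(WORKFLOW))
```

Running the real `scorecard --repo=<url> --checks=Pinned-Dependencies --format json` against a few representative repos and feeding the output to `failing_checks` is a quick way to settle the "what are typical scores" question before choosing a threshold; a check that comes back as -1 or is missing entirely is worth treating as a failure to investigate rather than a pass.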
Thank you, that's very helpful 🙂 I'll close this FR then.
I would find it useful if Allstar also supports checking for pinned dependencies.
I've taken a cursory look at the code and it looks doable, I think the main thing is adding a new file under the policies/ directory implementing the check. Since it already exists in scorecards, the check would also be pretty simple, it would just call scorecards for the bulk of the logic. If the team is okay with adding this as a new feature, then I'm willing to try to implement it myself and contribute 🙂.