ossf / scorecard-monitor

Simplify OpenSSF Scorecard tracking in your organization with automated markdown and JSON reports, plus optional GitHub issue alerts
https://github.com/marketplace/actions/openssf-scorecard-monitor
Apache License 2.0

Option to switch from `https://deps.dev/` to `https://api.securityscorecards.dev/` #44

Open rajbos opened 1 year ago

rajbos commented 1 year ago

My scores live at api.securityscorecards.dev (for example: link) and not at https://deps.dev, since that is where I push the data to (as indicated by the OSSF scorecard action).

I'd be happy to help add that config if you want.

UlisesGascon commented 1 year ago

This is a tricky request. I assume that most users expect to see results in a UI format with deps.dev, but sometimes the results do not appear correctly.

For example, https://deps.dev/project/github/onebeyond%2Fsystemic-knex should work, but as the repository was migrated from another organization, it seems that the change was not properly reflected. However, the API is working fine at https://api.securityscorecards.dev/projects/github.com/onebeyond/systemic-knex. I believe this is a bug.

I would appreciate feedback on the differences between api.securityscorecards.dev and https://deps.dev/ before we proceed (cc: @gabibguti @naveensrinivasan).

I see two possible solutions from this discussion:

  1. We can add another column with the API link if an optional tag is available, such as include-api-links=true.
  2. We can replace the content in the report column if the optional tag is available, such as use-api-links=true.

Side note: I think having too many columns at the end will look bad (markdown table), so we may need to find another way to control the columns to show (but this will require thorough testing).

naveensrinivasan commented 1 year ago

> My scores live at api.securityscorecards.dev (for example: link) and not at https://deps.dev, since that is where I push the data to (as indicated by the OSSF scorecard action).
>
> I'd be happy to help add that config if you want.

deps.dev is a consumer of OpenSSF Scorecard data, and it is not part of the OpenSSF Scorecard.

rajbos commented 1 year ago

I know, but since I push my data to OpenSSF, I see no data in deps.dev for my repos?

UlisesGascon commented 1 year ago

Now it is clearer to me. Thanks @rajbos!

So... I am thinking that maybe we can add another column with the API link if an optional tag is available, such as include-ossf-api-links=true and disable the report column optionally by using include-deps-dev-links=false.

I believe this will cover the new use case and it is not a breaking change to any current user. What do you think @rajbos?

> I know, but since I push my data to OpenSSF, I see no data in deps.dev for my repos?

I believe this is more related to how the data is consumed and synced in deps.dev; maybe you can create an issue in their project or ask support 🤔

KoolTheba commented 1 year ago

I'll implement the optional tags as described at https://github.com/UlisesGascon/openssf-scorecard-monitor/issues/44#issuecomment-1479046131

rajbos commented 1 year ago

I was thinking of using this action against an internal GitHub Enterprise Server (GHES), and then we will host the api.securityscorecards.dev somewhere internally on a Docker setup (we already have that running). Can we please make the URL configurable, instead of a boolean?
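To make the two proposals above concrete (the optional `include-ossf-api-links` / `include-deps-dev-links` columns from the earlier comment, and the configurable API base URL requested here), this is an added example of how a report row could be built. It is not the scorecard-monitor action's own code; `buildRow`, `escapeCell`, `normalizeApiBase`, the option names and the entry shape are assumptions for illustration.

```javascript
// Added example, not the action's code. Builds one markdown table row for the
// scorecard report with optional deps.dev and Scorecard API link columns.
const DEFAULT_API_BASE = 'https://api.securityscorecards.dev';
const DEPS_DEV_BASE = 'https://deps.dev/project/github';

// A repo name or score that contains '|' or a newline would otherwise break
// the markdown table (or let a crafted name inject extra cells/links).
function escapeCell(text) {
  return String(text).replace(/\|/g, '\\|').replace(/[\r\n]+/g, ' ');
}

// Accept a self-hosted API base (the GHES/Docker scenario) but only over
// https; a plain string input would otherwise allow any scheme into the report.
function normalizeApiBase(apiBase) {
  const url = new URL(apiBase || DEFAULT_API_BASE);
  if (url.protocol !== 'https:') {
    throw new Error(`API base must use https, got ${url.protocol}`);
  }
  return url.origin + url.pathname.replace(/\/+$/, '');
}

// entry: { org, repo, score }; options are the proposed (hypothetical) inputs.
function buildRow(entry, options = {}) {
  const {
    includeOssfApiLinks = false, // proposed include-ossf-api-links
    includeDepsDevLinks = true,  // proposed include-deps-dev-links
    apiBase,                     // proposed configurable API URL
  } = options;
  const org = encodeURIComponent(entry.org);
  const repo = encodeURIComponent(entry.repo);
  const cells = [escapeCell(`${entry.org}/${entry.repo}`), escapeCell(entry.score)];
  if (includeDepsDevLinks) {
    // deps.dev addresses a project as github/<org>%2F<repo>
    cells.push(`[deps.dev](${DEPS_DEV_BASE}/${org}%2F${repo})`);
  }
  if (includeOssfApiLinks) {
    // the Scorecard API addresses it as /projects/github.com/<org>/<repo>
    cells.push(`[api](${normalizeApiBase(apiBase)}/projects/github.com/${org}/${repo})`);
  }
  return `| ${cells.join(' | ')} |`;
}

// Constructed sample entry (the repo named in this thread), not live data.
console.log(buildRow({ org: 'onebeyond', repo: 'systemic-knex', score: 7.5 },
  { includeOssfApiLinks: true }));
```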

UlisesGascon commented 1 year ago

> I was thinking of using this action against an internal GitHub Enterprise Server (GHES), and then we will host the api.securityscorecards.dev somewhere internally on a Docker setup (we already have that running). Can we please make the URL configurable, instead of a boolean?

@rajbos I moved the discussion to https://github.com/UlisesGascon/openssf-scorecard-monitor/issues/52, as I think that it can be considered as a separated feature 😉