[deps] add scorecard info in external dep table

[asraa]

Signed-off-by: Asra Ali [email protected]

Commit Message: Adds scorecard evaluation into the external dependency documentation.
Additional Description:

• OSSF Scorecards (https://github.com/ossf/scorecard) is a project that can be used to evaluate health metrics for dependencies.
• We currently use it in evaluating new dependencies: dependencies: automated OSSF Scorecard runs for Envoy deps. #14191
• Now we can add scorecard info in our external dependency documentation during CI doc generation because OSSF Scorecard now publishes 100k repos' scorecard data, so we don't need to run Scorecards with an auth token to generate the results https://github.com/ossf/scorecard#public-data

Risk Level: Low
Testing: Generated docs
Docs Changes: This is it.
[Optional Fixes #Issue] Related to #10471

I'm still working on formatting the output nicely inside the table, rendering newlines through sphinx in the csv table text has been a pain, but I think I will figure it out soon.

[repokitteh-read-only]

CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to (bazel/.*repos.*\.bzl)|(bazel/dependency_imports\.bzl)|(api/bazel/.*\.bzl)|(.*/requirements\.txt)|(.*\.patch).

🐱

Caused by: #17206 was opened by asraa.

see: more, trace.

[moderation]

/lgtm deps

[phlax]

docs are rendered here

https://storage.googleapis.com/envoy-pr/17206/docs/index.html

eg, relevant page is here

https://storage.googleapis.com/envoy-pr/d2c8f79/docs/intro/arch_overview/security/external_deps.html

[phlax]

@asraa it would be good to have some explanation or a link to get some context to the scorecard info

[htuch]

Yeah, looking at https://storage.googleapis.com/envoy-pr/d2c8f79/docs/intro/arch_overview/security/external_deps.html, I think the table is not making things super clear yet. We should have links from each criteria or a tool tip to what it is about. Also, the formatting needs some work. Maybe some color coding, table-in-table, whatever creative ideas folks have to make this easier for a human to parse as they scan down.

[htuch]

(FYI this PR is now 14 days stale)

[asraa]

We should have links from each criteria or a tool tip to what it is about.

What if instead of printing out the results (which I still can't figure out how to format properly through sphinx), I linked to the deps.dev links? e.g. https://deps.dev/go/github.com%2Fgrpc%2Fgrpc which embed the scorecard a lot nicer than I could?

[yanavlasov]

We should have links from each criteria or a tool tip to what it is about.

What if instead of printing out the results (which I still can't figure out how to format properly through sphinx), I linked to the deps.dev links? e.g. https://deps.dev/go/github.com%2Fgrpc%2Fgrpc which embed the scorecard a lot nicer than I could?

I think this could wort too.

[yanavlasov]

/wait

[github-actions]

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[github-actions]

This pull request has been automatically closed because it has not had activity in the last 37 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!