GitHub Action
OpenSSF Scorecard Monitor
Simplify OpenSSF Scorecard tracking in your organization with automated markdown and JSON reports, plus optional GitHub issue alerts.
If you're feeling overwhelmed by an avalanche of repository scorecards in your organization, you can breathe easy: automation is here to make your life easier. It streamlines the process of keeping track of them all by providing a comprehensive report in Markdown and a local database in JSON with all the scores. Furthermore, to stay on top of any changes in the scores, you can choose to get notifications through GitHub Issues.
soon
- Reporting in Markdown with summary information and a comparison against the prior score. Demo
- The reporting data is stored in JSON format (including previous records). Demo
- Generates an issue with the latest changes in the scores, including links to the full report. Demo
- Easy to add/remove repositories in scope from any GitHub organization
- Debug supported
- Easy to use and great test coverage (soon)
Here is a demo repository that is using this Action
Sample Report
Sample Issue
Soon
```yaml
name: "OpenSSF Scoring"
on:
  schedule:
    - cron: "0 0 * * *"

permissions:
  contents: write      # required for auto-commit / auto-push of the database and report
  pull-requests: none
  issues: write        # required for generate-issue
  packages: none

jobs:
  security-scoring:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: OpenSSF Scorecard Monitor
        uses: UlisesGascon/[email protected]
        with:
          scope: reporting/scope.json
          database: reporting/database.json
          report: reporting/openssf-scorecard-report.md
          auto-commit: true
          auto-push: true
          generate-issue: true
          issue-title: "OpenSSF Scorecard Report Updated!"
          github-token: ${{ secrets.GITHUB_TOKEN }}
          max-request-in-parallel: 10
          discovery-enabled: true
          # As an example Awesome Org and Myself
          discovery-orgs: 'UlisesGascon,Awesome'
```
- `scope`: defines the path to the file where the scope is defined
- `database`: defines the path to the JSON file used to store the scores and compare them
- `report`: defines the path where the Markdown report will be added/updated
- `auto-commit`: commits the changes in the `database` and `report` files
- `auto-push`: pushes the code changes to the branch
- `generate-issue`: creates an issue with the scores that have been updated
- `issue-title`: defines the issue title
- `github-token`: the token used to create the issue and push the code
- `max-request-in-parallel`: defines the total number of HTTP requests that can be made in parallel
- `discovery-enabled`: defines if the discovery is enabled
- `discovery-orgs`: list of organizations to be included in the discovery, example: `discovery-orgs: owasp,nodejs`
- `report-tags-enabled`: defines if the Markdown report must be created/updated between tags; disabled by default. This is useful if the report is going to be included in a file that has other content in it, like a Docusaurus docs site or similar.
- `report-start-tag`: defines the start tag, default `<!-- OPENSSF-SCORECARD-MONITOR:START -->`
- `report-end-tag`: defines the closing tag, default `<!-- OPENSSF-SCORECARD-MONITOR:END -->`

Output:

- `scores`: score data in JSON format
Just for reference, the scope will be stored this way:
File: reporting/scope.json
```json
{
  "github.com": {
    "included": {
      "UlisesGascon": [
        "tor-detect-middleware",
        "check-my-headers",
        "express-simple-pagination"
      ]
    },
    "excluded": {
      "UlisesGascon": [
        "demo-stuff"
      ]
    }
  }
}
```
☕️ PRO TIP: You can exclude any project at any time by editing this file
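How `included`, `excluded` and discovery combine is the part worth being precise about, since an exclusion is the only way to keep a repository out once discovery is enabled. The following added example (written for this README, not the action's own code) resolves the final list of repositories to score from the scope file above; the "discovered" repository lists are constructed here, where a real run would obtain them from the GitHub API for each `discovery-orgs` entry.

```javascript
// Added example, not the action's own implementation.
// The scope object mirrors reporting/scope.json from the README.
const SCOPE = {
  'github.com': {
    included: {
      UlisesGascon: ['tor-detect-middleware', 'check-my-headers', 'express-simple-pagination'],
    },
    excluded: {
      UlisesGascon: ['demo-stuff'],
    },
  },
};

// Constructed stand-in for discovery results (org -> repositories found by
// listing the organization). A real run would fetch these from the GitHub API.
const DISCOVERED = {
  UlisesGascon: ['check-my-headers', 'demo-stuff', 'new-repo-from-discovery'],
  Awesome: ['awesome-lib'],
};

// Resolve the repositories to score for one platform:
//   included  + discovered  - excluded
// "excluded" wins over both explicit inclusion and discovery, so editing the
// scope file is enough to drop a project. Returns sorted "org/repo" strings.
function resolveScope(scope, discovered, platform = 'github.com') {
  const included = (scope[platform] && scope[platform].included) || {};
  const excluded = (scope[platform] && scope[platform].excluded) || {};
  const selected = new Set();

  for (const [org, repos] of Object.entries(included)) {
    for (const repo of repos) selected.add(`${org}/${repo}`);
  }
  for (const [org, repos] of Object.entries(discovered)) {
    for (const repo of repos) selected.add(`${org}/${repo}`);
  }
  for (const [org, repos] of Object.entries(excluded)) {
    for (const repo of repos) selected.delete(`${org}/${repo}`);
  }
  return [...selected].sort();
}

console.log(resolveScope(SCOPE, DISCOVERED));
```

Duplicates between `included` and discovery collapse into one entry, and `demo-stuff` is dropped even though discovery found it, which is exactly the behaviour the PRO TIP above relies on.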
Just for reference, the database will store the current value and previous values with the date:
```json
{
  "github.com": {
    "UlisesGascon": {
      "check-my-headers": {
        "previous": [
          {
            "score": 6.7,
            "date": "2022-08-21"
          }
        ],
        "current": {
          "score": 4.4,
          "date": "2022-11-28"
        }
      }
    }
  }
}
```
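The database shape above (one `current` entry plus a `previous` history per repository) is what makes the "issue with the latest changes" feature possible: a run compares the scores it just fetched against the stored `current` values. The following added example (written for this README, not the action's own code) records new scores into a database with that shape without mutating the input, computes the changes between two database states, and renders them as the Markdown lines an issue body could carry. The new scores and dates are constructed; the starting database is the one shown above. Pushing the old `current` into `previous` only when the score actually moved is a design choice of this example, not documented behaviour.

```javascript
// Added example, not the action's own implementation.
// Starting point: the database document from the README.
const DATABASE = {
  'github.com': {
    UlisesGascon: {
      'check-my-headers': {
        previous: [{ score: 6.7, date: '2022-08-21' }],
        current: { score: 4.4, date: '2022-11-28' },
      },
    },
  },
};

// Record a freshly fetched score and return a new database (input untouched).
// The old `current` is moved into `previous` only when the score changed, so a
// daily run with a stable score refreshes the date without growing the history.
function recordScore(db, platform, org, repo, score, date) {
  const next = JSON.parse(JSON.stringify(db)); // deep copy; the db is plain JSON
  if (!next[platform]) next[platform] = {};
  if (!next[platform][org]) next[platform][org] = {};
  if (!next[platform][org][repo]) next[platform][org][repo] = { previous: [], current: null };
  const entry = next[platform][org][repo];
  if (entry.current && entry.current.score !== score) {
    entry.previous.push(entry.current);
  }
  entry.current = { score, date };
  return next;
}

// Compare two database states and list every repository whose current score
// differs. `from` is null for repositories that were not in `before` at all.
function scoreChanges(before, after) {
  const changes = [];
  for (const [platform, orgs] of Object.entries(after)) {
    for (const [org, repos] of Object.entries(orgs)) {
      for (const [repo, entry] of Object.entries(repos)) {
        const prior = before[platform] && before[platform][org] && before[platform][org][repo];
        const from = prior && prior.current ? prior.current.score : null;
        const to = entry.current.score;
        if (from === to) continue;
        changes.push({
          repository: `${platform}/${org}/${repo}`,
          from,
          to,
          // Round to one decimal so 7.1 - 4.4 reads as 2.7, not 2.6999999999999997.
          delta: from === null ? null : Number((to - from).toFixed(1)),
        });
      }
    }
  }
  return changes;
}

// Render the change list as Markdown bullet lines for an issue body.
function formatChanges(changes) {
  return changes
    .map(({ repository, from, to, delta }) => {
      const tail = from === null ? '(new)' : `(${delta > 0 ? '+' : ''}${delta})`;
      return `- ${repository}: ${from === null ? 'n/a' : from} -> ${to} ${tail}`;
    })
    .join('\n');
}

// Simulate one run with constructed scores: one repository recovered,
// one repository appears for the first time.
function demo() {
  let db = recordScore(DATABASE, 'github.com', 'UlisesGascon', 'check-my-headers', 7.1, '2022-12-05');
  db = recordScore(db, 'github.com', 'UlisesGascon', 'tor-detect-middleware', 8.0, '2022-12-05');
  return { db, changes: scoreChanges(DATABASE, db) };
}

console.log(formatChanges(demo().changes));
```

Because `recordScore` never mutates its input, the pre-run database stays available for the comparison, and a run in which nothing moved produces an empty change list, so no issue needs to be opened.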