
[WIP] policies: Add check for scorecard policies #114

Closed
wants to merge 5 commits into from

Conversation

justaugustus
Member

@justaugustus justaugustus commented Feb 10, 2022

Implements the scorecard Dependency Update Tool check as an Allstar policy.

Fixes #113

Signed-off-by: Stephen Augustus [email protected]

@justaugustus
Member Author

Heh, I copied the SECURITY.md policy and assumed this was a little simpler than it was (roughly a graphql query for some URL).

This actually more closely mimics the logic for branch protection.
We'll likely want to:

  • get a repo
  • get if automated alerts enabled
  • get file .github/dependabot.yml
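The three steps sketched above, as an added example that is not Allstar's code: a small Go checker that asks the GitHub REST API whether vulnerability alerts are enabled (GitHub answers 204 when they are, 404 when not) and whether `.github/dependabot.yml` exists (200 vs 404). The `Checker` and `Result` types are hypothetical, `BaseURL` is injectable so the logic can be exercised against a local test server, and authentication is omitted (the real alerts endpoint needs a token with admin read access).

```go
package main

import (
	"fmt"
	"net/http"
)

// Result is the hypothetical outcome of a dependency-update check (not Allstar's own types).
type Result struct {
	AlertsEnabled, DependabotFile, Pass bool
}

// Checker calls the GitHub REST API; BaseURL is injectable so a test can use a local server.
type Checker struct {
	BaseURL string
	Client  *http.Client
}

// status performs a GET and returns only the HTTP status code.
func (c *Checker) status(path string) (int, error) {
	resp, err := c.Client.Get(c.BaseURL + path)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// Check evaluates one repo: vulnerability alerts enabled (204 yes / 404 no)
// and .github/dependabot.yml present (200 yes / 404 no); both must hold to pass.
func (c *Checker) Check(owner, repo string) (Result, error) {
	var r Result
	base := fmt.Sprintf("/repos/%s/%s", owner, repo)
	code, err := c.status(base + "/vulnerability-alerts")
	if err != nil {
		return r, err
	}
	r.AlertsEnabled = code == http.StatusNoContent
	if code, err = c.status(base + "/contents/.github/dependabot.yml"); err != nil {
		return r, err
	}
	r.DependabotFile = code == http.StatusOK
	r.Pass = r.AlertsEnabled && r.DependabotFile
	return r, nil
}

func main() {
	c := &Checker{BaseURL: "https://api.github.com", Client: http.DefaultClient}
	fmt.Println(c.Check("ossf", "allstar"))
}
```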

@jeffmendoza
Member

Looking good so far, let me know if you want an early review, or have any questions about anything.

@justaugustus justaugustus changed the title [WIP] policies: Add check for dependabot config file policies: Add check for dependency update configuration files Feb 14, 2022
@justaugustus
Member Author

Turns out scorecard already has a policy for this: https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool
So this is roughly copy/paste of the Binary Artifacts policy logic and now ready for review 🤞🏾 :)

@jeffmendoza
Member

> So this is roughly copy/paste of the Binary Artifacts policy logic

Oh ok, so I actually have a couple of issues with this unfortunately.

For Scorecard integration, the initial thought was #22 and that policy would list the names of the checks. A main driver is that we didn't want to be downloading the repo tarball multiple times in Allstar. Also, to share code.

However, with the scorecard action that launched, it looks like a better path is #28. This will essentially enforce all checks in scorecard.

I do still think we can and should have a dependabot/renovatebot policy in Allstar if we gain anything by having access to the GitHub API, which scorecard does not get.

@justaugustus justaugustus force-pushed the dependabot-file-check branch 2 times, most recently from 05b8c63 to 2e42e85 Compare February 16, 2022 05:45
@justaugustus justaugustus changed the title policies: Add check for dependency update configuration files policies: Add check for scorecard policies Feb 16, 2022
@justaugustus justaugustus changed the title policies: Add check for scorecard policies [WIP] policies: Add check for scorecard policies Feb 16, 2022
@justaugustus
Member Author

FYI scorecard maintainers (@inferno-chromium @laurentsimon @naveensrinivasan @azeemshaikh38) --

I'm working on a refactor of the scorecard cmd to more easily allow consumers access to the same options that the CLI tool has. Once it's tighter, I'll lift it in the scorecard repo.

Opting to work in a temp directory in this PR because:

@azeemshaikh38

> FYI scorecard maintainers (@inferno-chromium @laurentsimon @naveensrinivasan @azeemshaikh38) --
>
> I'm working on a refactor of the scorecard cmd to more easily allow consumers access to the same options that the CLI tool has. Once it's tighter, I'll lift it in the scorecard repo.
>
> Opting to work in a temp directory in this PR because:

I'm not sure I fully understand what this PR in AllStar is trying to achieve. Could you elaborate on:

@jeffmendoza
Member

Taking over in #240
