Skip to content

Commit

Permalink
📖 Olivekl v4 doc updates (#1481)
Browse files Browse the repository at this point in the history
* Create scorecards-analysis.yml

* Update README.md

Move Public Data section
Add placeholders for new installation organization, TODOs for public data section

* Update README.md

Remove outdated public data scoring system paragraph

* Update README.md

Add explanation of Scorecard Action install option and link out

* Update README.md

Add sentence introducing CLI installation section; move all heading down a level for that section

* Update README.md

Fix typo

* Update README.md

Remove comma

* Delete scorecards-analysis.yml file

Co-authored-by: Azeem Shaikh <[email protected]>
  • Loading branch information
olivekl and azeemshaikh38 authored Jan 14, 2022
1 parent b6272c7 commit c60b66b
Showing 1 changed file with 61 additions and 61 deletions.
122 changes: 61 additions & 61 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,15 +10,16 @@

- [What Is Scorecards?](#what-is-scorecards)
- [Prominent Scorecards Users](#prominent-scorecards-users)
- [Scorecards' Public Data](#public-data)

## Using Scorecards

- [Prerequisites](#prerequisites)
- [Installation](#installation)
- [Authentication](#authentication)
- [Basic Usage](#basic-usage)
- [Report Problems](#report-problems)
- [Scorecards' Public Data](#public-data)
- [Scorecards GitHub Action](#scorecards-github-action)
- [Scorecards Command Line Interface](#scorecards-command-line-interface)
- [Prerequisites](#prerequisites)
- [Installation](#installation)
- [Authentication](#authentication)
- [Basic Usage](#basic-usage)
- [Report Problems](#report-problems)

## Checks

Expand Down Expand Up @@ -60,40 +61,78 @@ Scorecards has been run on thousands of projects to monitor and track security m
- [deps.dev](https://deps.dev)
- [metrics.openssf.org](https://metrics.openssf.org)

### Public Data

We run a weekly Scorecards scan of the 1 million most critical open source projects judged by their direct dependencies and publish the results in a
[BigQuery public dataset](https://cloud.google.com/bigquery/public-data).

This data is available in the public BigQuery dataset
`openssf:scorecardcron.scorecard-v2`. The latest results are available in the
BigQuery view `openssf:scorecardcron.scorecard-v2_latest`.

You can extract the latest results to Google Cloud storage in JSON format using
the [`bq`](https://cloud.google.com/bigquery/docs/bq-command-line-tool) tool:

```
# Get the latest PARTITION_ID
bq query --nouse_legacy_sql 'SELECT partition_id FROM
openssf.scorecardcron.INFORMATION_SCHEMA.PARTITIONS WHERE table_name="scorecard-v2"
AND partition_id!="__NULL__" ORDER BY partition_id DESC
LIMIT 1'
# Extract to GCS
bq extract --destination_format=NEWLINE_DELIMITED_JSON
'openssf:scorecardcron.scorecard-v2$<partition_id>' gs://bucket-name/filename-*.json
```

The list of projects that are checked is available in the
[`cron/data/projects.csv`](https://github.com/ossf/scorecard/blob/main/cron/data/projects.csv)
file in this repository. If you would like us to track more, please feel free to
send a Pull Request with others. Currently, this list is derived from **projects hosted on GitHub
ONLY**. We do plan to expand them in near future to account for projects hosted
on other source control systems.

## Using Scorecards
### Scorecards GitHub Action

The easiest way to use Scorecards on GitHub projects you own is with the [Scorecards GitHub Action](https://github.com/ossf/scorecard-action). The Action runs on any repository change and issues alerts that maintainers can view in the repository’s Security tab. For more information, see the Scorecards GitHub Action [installation instructions](https://github.com/ossf/scorecard-action#installation).

### Prerequisites
### Scorecards Command Line Interface
To run a Scorecards scan on projects you do not own, use the command line interface installation option.

#### Prerequisites

Platforms: Currently, Scorecards supports OSX and Linux platforms. If you are using a Windows OS you may experience issues. Contributions towards supporting Windows are welcome.

Language: You must have GoLang installed to run Scorecards (https://golang.org/doc/install)

### Installation
#### Installation

#### Standalone
##### Standalone

To install Scorecards as a standalone:

1. Visit our latest [release page](https://github.com/ossf/scorecard/releases/latest) and download the correct binary for your operating system
2. Extract the binary file
3. Add the binary to your `GOPATH/bin` directory (use `go env GOPATH` to identify your directory if necessary)

#### Using Homebrew
##### Using Homebrew

You can use [Homebrew](https://brew.sh/) (on macOS or Linux) to install Scorecards.

```sh
brew install scorecard
```

### Using Linux package managers
#### Using Linux package managers

| Package Manager | Linux Distribution | Command |
|------------------------------------------------------------|--------------------|--------------------------------------------|
| Nix | NixOS | `nix-env -iA nixpkgs.scorecard` |
| [AUR helper](https://wiki.archlinux.org/title/AUR_helpers) | Arch Linux | Use your AUR helper to install `scorecard` |

### Authentication
#### Authentication

GitHub imposes [api rate limits](https://developer.github.com/v3/#rate-limiting) on unauthenticated requests. To avoid these limits, you must authenticate your requests before running Scorecard. There are two ways to authenticate your requests: either create a GitHub personal access token, or create a GitHub App Installation.

Expand Down Expand Up @@ -127,8 +166,8 @@ GITHUB_APP_ID=<app id>
These variables can be obtained from the GitHub
[developer settings](https://github.com/settings/apps) page.

### Basic Usage
#### Docker
#### Basic Usage
##### Docker

`scorecard` is available as a Docker container:

Expand All @@ -144,7 +183,7 @@ To use a specific scorecards version (e.g., v3.2.1), run:
docker run -e GITHUB_AUTH_TOKEN=token gcr.io/openssf/scorecard:v3.2.1 --show-details --repo=https://github.com/ossf/scorecard
```

#### Using repository URL
##### Using repository URL

Scorecards can run using just one argument, the URL of the target repo:

Expand Down Expand Up @@ -234,7 +273,7 @@ Check scores:
| 10 / 10 | Vulnerabilities | no vulnerabilities detected | github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
```
#### Scoring
##### Scoring
Each individual check returns a score of 0 to 10, with 10 representing the best possible score. Scorecards also produces an aggregate score, which is a weight-based average of the individual checks weighted by risk.

* “Critical” risk checks are weighted at 10
Expand All @@ -244,7 +283,7 @@ Each individual check returns a score of 0 to 10, with 10 representing the best

See the [list of current Scorecards checks](#scorecard-checks) for each check's risk level.

#### Showing Detailed Results
##### Showing Detailed Results
For more details about why a check fails, use the `--show-details` option:

```
Expand Down Expand Up @@ -278,71 +317,33 @@ RESULTS
|---------|------------------------|--------------------------------|--------------------------------|---------------------------------------------------------------------------|
```

#### Using a Package manager
##### Using a Package manager

For projects in the `--npm`, `--pypi`, or `--rubygems` ecosystems, you have the option to run Scorecards using a package manager. Provide the package name to run the checks on the corresponding GitHub source code.

For example, `--npm=angular`.

#### Running specific checks
##### Running specific checks

To run only specific check(s), add the `--checks` argument with a list of check
names.

For example, `--checks=CI-Tests,Code-Review`.

#### Formatting Results
##### Formatting Results

There are three formats currently: `default`, `json`, and `csv`. Others may be
added in the future.

These may be specified with the `--format` flag. For example, `--format=json`.

### Report Problems
#### Report Problems

If you have what looks like a bug, please use the
[Github issue tracking system.](https://github.com/ossf/scorecard/issues)
Before you file an issue, please search existing issues to see if your issue
is already covered.

### Public Data

If you're interested in seeing a list of projects with their Scorecard
check results, we publish these results in a
[BigQuery public dataset](https://cloud.google.com/bigquery/public-data).

This data is available in the public BigQuery dataset
`openssf:scorecardcron.scorecard-v2`. The latest results are available in the
BigQuery view `openssf:scorecardcron.scorecard-v2_latest`.

You can extract the latest results to Google Cloud storage in JSON format using
the [`bq`](https://cloud.google.com/bigquery/docs/bq-command-line-tool) tool:

```
# Get the latest PARTITION_ID
bq query --nouse_legacy_sql 'SELECT partition_id FROM
openssf.scorecardcron.INFORMATION_SCHEMA.PARTITIONS WHERE table_name="scorecard-v2"
AND partition_id!="__NULL__" ORDER BY partition_id DESC
LIMIT 1'
# Extract to GCS
bq extract --destination_format=NEWLINE_DELIMITED_JSON
'openssf:scorecardcron.scorecard-v2$<partition_id>' gs://bucket-name/filename-*.json
```

The list of projects that are checked is available in the
[`cron/data/projects.csv`](https://github.com/ossf/scorecard/blob/main/cron/data/projects.csv)
file in this repository. If you would like us to track more, please feel free to
send a Pull Request with others. Currently, this list is derived from **projects hosted on GitHub
ONLY**. We do plan to expand them in near future to account for projects hosted
on other source control systems.

**NOTE**: The public dataset uses a Pass/Fail scoring system with a confidence score
between **0 and 10**. A confidence of 0 indicates that the check was unable to
achieve any real signal, and that the result should be ignored. A confidence of 10
indicates the check was completely sure of the result.

## Checks
### Scorecard Checks

Expand Down Expand Up @@ -373,7 +374,6 @@ Name | Description | Risk Level
To see detailed information about each check, its scoring criteria, and remediation steps, check out
the [checks documentation page](docs/checks.md).


## Contribute
### Code of Conduct
Before contributing, please follow our [Code of Conduct](CODE_OF_CONDUCT.md).
Expand Down

0 comments on commit c60b66b

Please sign in to comment.