Feature: facilitate the Scorecard run for the dependency-diff API/CLI #2080
Comments
In general, running in parallel is useful now. I would suggest running the current calls to scorecard in parallel, since it's very little code to change.

The REST API won't return results for multiple dependencies as of now. @azeemshaikh38 Am I right about this?
Not a good idea to run Scorecard in parallel (in the case where Scorecard is being calculated and not retrieved from some pre-computed API) - the token usage can get pretty expensive and will likely trigger GitHub's secondary rate limits.
There is no plan for such batched access. Users will need to do this on their end if needed.

Closing this issue since there are no good optimization solutions for this. Let's keep it as an experimental feature for now ;-)
Is your feature request related to a problem? Please describe.
The v0 of the Dependencydiff API/CLI (PR #2046/PR #2077) runs pretty slowly, since we are running scorecard checks on every dependency with a valid srcRepo URI. The REST Scorecard API will be a good solution; see issue #2064. However, before that comes out in production, is there anything else we can do for now?
Describe the solution you'd like
I am considering whether we should add Parallel() support for the scorecard run on dependencies. It might depend on what kind of interface we would like to provide in the REST Scorecard API to return the check results for package(s): using a list of packages/repos as the input all together vs. using one package/repo as the input at a time. @laurentsimon Am I understanding this issue and solution correctly?
Describe alternatives you've considered
An alternative temporary solution for the CLI could be:
We give users an option (YES/NO) asking whether they would like to continue when there are more than, for example, 20+ dependencies to check. Also, we tell them that, since this is still an experimental feature, the running time could be slow as the number of dependency changes increases.
Additional context
@azeemshaikh38 @naveensrinivasan wdyt?