How to use scorecard to scan a specific branch

[bhuvi11]

Hello Team,

Is there an option to scan a specific branch using scorecard?

[laurentsimon]

duplicate from #575.
TL;DR: we're working on as part of our integration as a GitHub action.

If you're interested: what we will need is to implement this interface https://github.com/ossf/scorecard/blob/main/clients/repo_client.go#L46.

FYI @azeemsgoogle.

[naveensrinivasan]

For now, the recommendation is to download the repo and check out the specific branch, and run scorecard on that.

@azeemshaikh38 Thoughts/recommendations?

[bhuvi11]

Hello @naveensrinivasan,

How can i do that? currently i see we can scan only URLs
how can i checkout ? can i scan .git repositories?

[azeemshaikh38]

Currently, we don't support running on a specific/local branch. #462 unblocks the implementation of a client which can run on local files. We haven't started the implementation on this yet but might start in a few weeks.

[github-actions]

Stale issue message

[laurentsimon]

We now have support for local repos SCORECARD_V4=1 scorecard ... --local=<folder>, but it's limited to a few checks that only use file content and not GitHub APIs. This will be released in v4.