-
Notifications
You must be signed in to change notification settings - Fork 508
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
✨ cmd: Refactor to make importable #1696
Conversation
Codecov Report
@@ Coverage Diff @@
## main #1696 +/- ##
==========================================
+ Coverage 57.89% 61.02% +3.13%
==========================================
Files 58 58
Lines 5907 5907
==========================================
+ Hits 3420 3605 +185
+ Misses 2248 2057 -191
- Partials 239 245 +6 |
Integration tests success for |
Integration tests success for |
@colek42 -- Not sure if this is helpful for witness, but FYI! |
Also noting to minimize the diff and generally keep things simple, I opted not to create a package per subcommand. ❯ tree -L 3 cmd/cosign
cmd/cosign
├── cli
│ ├── attach
│ │ ├── sbom.go
│ │ └── sig.go
│ ├── attach.go
│ ├── attest
│ │ └── attest.go
│ ├── attest.go
│ ├── clean.go
│ ├── commands.go
│ ├── completion.go
│ ├── copy
│ │ └── copy.go
│ ├── copy.go
│ ├── dockerfile
│ │ ├── verify.go
│ │ └── verify_test.go
│ ├── dockerfile.go
│ ├── download
│ │ ├── sbom.go
│ │ └── signature.go
│ ├── download.go
│ ├── fulcio
│ │ ├── depcheck_test.go
│ │ ├── fulcio.go
│ │ ├── fulcio_test.go
│ │ ├── fulcioroots
│ │ └── fulcioverifier
│ ├── generate
│ │ ├── generate.go
│ │ ├── generate_key_pair.go
│ │ └── generate_key_pair_test.go
│ ├── generate.go
│ ├── generate_key_pair.go
│ ├── initialize
│ │ └── init.go
│ ├── initialize.go
│ ├── manifest
│ │ ├── verify.go
│ │ └── verify_test.go
│ ├── manifest.go
│ ├── options
│ │ ├── annotations.go
│ │ ├── annotations_test.go
│ │ ├── attach.go
│ │ ├── attest.go
│ │ ├── copy.go
│ │ ├── errors.go
│ │ ├── experimental.go
│ │ ├── files.go
│ │ ├── flags.go
│ │ ├── flags_test.go
│ │ ├── fulcio.go
│ │ ├── generate.go
│ │ ├── generate_key_pair.go
│ │ ├── initialize.go
│ │ ├── oidc.go
│ │ ├── options.go
│ │ ├── piv_tool.go
│ │ ├── pkcs11_tool.go
│ │ ├── policy.go
│ │ ├── predicate.go
│ │ ├── public_key.go
│ │ ├── reference.go
│ │ ├── registry.go
│ │ ├── rekor.go
│ │ ├── root.go
│ │ ├── security_key.go
│ │ ├── sign.go
│ │ ├── signblob.go
│ │ ├── triangulate.go
│ │ ├── upload.go
│ │ └── verify.go
│ ├── piv_tool.go
│ ├── piv_tool_disabled.go
│ ├── pivcli
│ │ └── commands.go
│ ├── pkcs11_tool.go
│ ├── pkcs11_tool_disabled.go
│ ├── pkcs11cli
│ │ └── commands.go
│ ├── policy_init.go
│ ├── policy_init_test.go
│ ├── public_key.go
│ ├── publickey
│ │ ├── public_key.go
│ │ └── public_key_test.go
│ ├── sign
│ │ ├── sign.go
│ │ ├── sign_blob.go
│ │ └── sign_test.go
│ ├── sign.go
│ ├── signblob.go
│ ├── triangulate
│ │ └── triangulate.go
│ ├── triangulate.go
│ ├── upload
│ │ ├── blob.go
│ │ └── wasm.go
│ ├── upload.go
│ ├── verify
│ │ ├── verify.go
│ │ ├── verify_attestation.go
│ │ └── verify_blob.go
│ ├── verify.go
│ ├── version.go
│ └── version_test.go
├── main.go
└── webhook
├── depcheck_test.go
├── kodata
│ ├── HEAD -> ../../../../.git/HEAD
│ ├── LICENSE -> ../../../../LICENSE
│ └── refs -> ../../../../.git/refs
└── main.go |
Signed-off-by: Stephen Augustus <[email protected]>
Signed-off-by: Stephen Augustus <[email protected]>
Signed-off-by: Stephen Augustus <[email protected]>
Signed-off-by: Stephen Augustus <[email protected]>
Signed-off-by: Stephen Augustus <[email protected]>
Integration tests success for |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hehe, I'm already excited! ❯ scorecard-action --help
A program that shows security scorecard for an open source software.
Usage:
./scorecard [--repo=<repo_url>] [--local=folder] [--checks=check1,...]
[--show-details] or ./scorecard --{npm,pypi,rubygems}=<package_name>
[--checks=check1,...] [--show-details] [flags]
./scorecard [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
help Help about any command
serve Serve the scorecard program over http
version Prints the version
Flags:
--checks strings Checks to run. Possible values are: Signed-Releases,CII-Best-Practices,Fuzzing,Token-Permissions,Pinned-Dependencies,Packaging,Binary-Artifacts,Branch-Protection,Contributors,License,Dangerous-Workflow,Maintained,Security-Policy,Vulnerabilities,CI-Tests,Code-Review,Dependency-Update-Tool,SAST
--commit string commit to analyze (default "HEAD")
--format string output format allowed values are [default, json] (default "default")
-h, --help help for ./scorecard
--local string local folder to check
--metadata strings metadata for the project. It can be multiple separated by commas
--npm string npm package to check, given that the npm package has a GitHub repository
--pypi string pypi package to check, given that the pypi package has a GitHub repository
--repo string repository to check
--rubygems string rubygems package to check, given that the rubygems package has a GitHub repository
--show-details show extra details about each check
--verbosity string set the log level (default "info")
Use "./scorecard [command] --help" for more information about a command.
Will do! |
This is really cool! Thanks @justaugustus |
What kind of change does this PR introduce?
(Is it a bug fix, feature, docs update, something else?)
Feature
PR title follows the guidelines defined in our pull request documentation
cmd: Refactor to make importable
options: Add support for parsing via environment variables
options: Support setting feature flags via option
cmd: Replace
version
with sigs.k8s.io/release-utils/versioncmd: Move option validation into pre-run function
Signed-off-by: Stephen Augustus [email protected]
What is the current behavior?
scorecard
is not importable, which means any consumers needing to leverage it need to either:scorecard
(ref: https://github.com/ossf/allstar/blob/e507312ca14971734db95e10a50fac840360a21c/pkg/policies/branch/branch.go)There are plenty of existing issues for this:
Witness (@colek42) probably has more to consider as well.
What is the new behavior (if this is a feature change)?**
For consumers using
cobra
, you can now create ascorecard
*cobra.Command
usingcmd.New()
:We've also added support for setting a subset of scorecard options via environment variables (using https://github.com/caarlos0/env).
The intent is not to support all options, but to allow specific use cases like
scorecard-action
, which already uses environment variables for configuration.Which issue(s) this PR fixes
Continues #1645 and partially addresses #1683.
Special notes for your reviewer
h/t to @n3wscott for the cobra pattern!
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to
the
release-note
(In particular, describe what changes users might need to make in their
application as a result of this pull request.)