-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Running under a matrix strategy #1419
Comments
If it helps, I do keep all my json scorecards in a central directory; but not sure if it's relevant for:
|
The checkout step is there to handle the Using the Scorecard docker seems like a reasonable workaround, which is what you posted in your OpenSSF Slack message, which I'll copy here to save from getting deleted: - name: Run Scorecard
id: run_scorecard
run: |
mkdir -p scorecards
sudo chmod -R 777 scorecards
repo_name=$(basename ${{ matrix.repo }})
set +e
docker run --rm \
-v "${GITHUB_WORKSPACE}:/github/workspace" \
-e "GITHUB_AUTH_TOKEN=${{ steps.access_token.outputs.token }}" \
gcr.io/openssf/scorecard:stable \
--repo "[https://github.com/${{](https://github.com/$%7B%7B) matrix.repo }}" \
--format json \
--checks ${{ steps.construct_checks.outputs.checks }} \
--show-details \
-o "/github/workspace/scorecards/${repo_name}-scorecard.json"
SCORECARD_EXIT_CODE=$?
if [ $SCORECARD_EXIT_CODE -ne 0 ]; then
echo "scorecard_failed=true" >> $GITHUB_ENV
echo "::warning::Scorecard failed for ${{ matrix.repo }}"
fi
set -e
if: ${{ env.checkout_failed != 'true' }}
continue-on-error: true I will note that Scorecard supports reading some of these GitHub app values directly if it saves you from needing to do some of the JWT steps: |
Perhaps there's some overlap with https://github.com/ossf/scorecard-monitor, but that only looks at the visualization aspect, not the generation which is what you're trying to do. |
Hmm, I prefer my own implementation, it's much less of a wall of text: It's just a shame scorecard-action cannot be centrally run via a github App; no one sane wants to make workflow commits to 900+ repos and all the wonderful automated deployments it will kick off :-) I have a piece of work now to dissect the scorecard.json files and try and create a batch remote sarif uploader so this can be centralised; the trouble is, the sarif specs document is so complex. I wonder if this suite of centralised scorecard tools and centralised sarif uploader ever gets finished, if anyone would be interested in the open souce? |
A related issue was just filed in the main Scorecard repository and discussed today at the community meeting: ossf/scorecard#4333 EDIT: I've filed a top-level tracking issue to formalize support for large-scale use cases: ossf/scorecard#4339 |
Hello,
I'm trying to centralise this action; we have close to 800 repos in our org, and I don't want to commit (or use .git) this action to each of them.
So, using the APP authentication, I gather a list of repos that have changed since it last ran:
Then I update the timestamp with the now date.
so I have a JSON list of repos that the sarif uploader need to run on, so I create a matrix:
with the matrix item I re-authenticate with the APP, and run the scorecard (sarif)
The trouble is, the scorecard gathers the repo name from the repo info in file: /github/workflow/event.json - main workflow json;
Is there any way, as I have checked out the 'child repo' in the matrix, I can pass a input to the:
so it runs against the repo I have checked out in the matrix?
By using this technique I stay in control of the updates of the security alerts (aligning with my other tools), and I can for example, nightly update the alerts for only repos that have had commits and produce scorecards for the org at the same time which get published...
I'll include my code (it's full of debug information steps atm, dirty wip) for completeness so you know what I am talking about:
The text was updated successfully, but these errors were encountered: