✨ Feature [experimental]: The Scorecard Dependencydiff CLI (Version 0 Part 1) #2077
Conversation
Codecov Report

@@            Coverage Diff             @@
##             main    #2077      +/-   ##
==========================================
+ Coverage   41.87%   44.14%   +2.27%
==========================================
  Files          95       97       +2
  Lines        7945     8014      +69
==========================================
+ Hits         3327     3538     +211
+ Misses       4358     4207     -151
- Partials      260      269       +9
Integration tests success for
LGTM overall!
Added a few comments.
Stale pull request message
@laurentsimon @azeemshaikh38 What is pending in this PR?
Stale pull request message
@aidenwang9867 Are you still planning to work on this?
Closing this PR as it has been stale for a while. Please reopen.
What kind of change does this PR introduce?

This PR introduces a v0 experimental feature: the Dependencydiff CLI powered by the Scorecard API `GetDependencydiffResults` (PR #2046).

Update: This PR (v0-p1) only introduces the option changes; the cmd changes are made in PR #

Minor fixes: some potentially misleading var names in the `GetDependencydiffResults` API, such as changing `baseSHA`/`headSHA` to `base`/`head`, since we can use branch names as the inputs.

What is the current behavior?

In PR #2046, the v0 of the `GetDependencydiffResults` function API was introduced to the Scorecard repo, but Scorecard hasn't made use of it yet.

What is the new behavior (if this is a feature change)?

Now, with the `SCORECARD_EXPERIMENTAL` env var set in the system or on the CLI, users can use the `dependency-diff` sub-command to specify two code commits, either by commit SHA or by branch name, to surface the Scorecard check results of those dependencies and better understand the security posture of their repo. This works as a separate sub-command, so it won't affect the original root usage mode of Scorecard (running checks on a repo).

A possible CLI usage might be:

where:

- `SCORECARD_EXPERIMENTAL=1` enables the `dependency-diff` sub-command feature
- `dependencydiff` is the sub-command and shifts Scorecard from the original check mode to dependencydiff
- `--repo` specifies the repo to be checked (same usage as the original Scorecard CLI)
- `--base` specifies `main` as the BASE, and `--head` specifies `main` (the latest commit to the `112997623f24d5f677ff9155f3868964d4b81df3` branch) as the HEAD
- `--checks` specifies the checks to run on the dependencies (not the repo itself) (same usage format as the original Scorecard CLI)

Which issue(s) this PR fixes

Issue #2008

Special notes for your reviewer

Note that the v0 of the CLI runs pretty slowly, since we are running Scorecard checks on every dependency with a valid srcRepo URI. I am considering adding `Parallel()` support for the Scorecard runs on dependencies, or a (YES/NO) option asking whether the user would like to continue when there are more than, for example, 20+ dependencies to check, telling the user it might be slow. @naveensrinivasan @azeemshaikh38 @laurentsimon wdut?

Does this PR introduce a user-facing change?

Yes.

For user-facing changes, please add a concise, human-readable release note to the `release-note` block. (In particular, describe what changes users might need to make in their application as a result of this pull request.)