GitHub Action
OpenSSF Scorecard Monitor
Simplify OpenSSF Scorecard tracking in your organization with automated markdown and JSON reports, plus optional GitHub issue alerts.
If you're feeling overwhelmed by an avalanche of repository scorecards in your organization, you can breathe easy: automation is here to make your life easier! It streamlines the process of keeping track of them all by providing a comprehensive report in Markdown and a local database in JSON with all the scores. Furthermore, to stay on top of any changes in the scores, you can choose to get notifications through GitHub Issues.
- Reporting in Markdown with simple information and a comparison against the prior score. Demo
- The reporting data is stored in JSON format (including previous records). Demo
- Generates an issue with the latest changes in the scores, including links to the full report. Demo
- Easy to add/remove repositories in scope from any GitHub organization
- Debug supported
- Easy to use and great test coverage (soon)
Here is a demo repository that is using this Action
Sample Report
Sample Issue
Create a folder in your project (for example: security-reporting) and include the scope as follows:
File: reporting/scope.json
```json
{
  "github.com": [{
    "org": "UlisesGascon",
    "repo": "tor-detect-middleware"
  }, {
    "org": "UlisesGascon",
    "repo": "check-my-headers"
  }, {
    "org": "UlisesGascon",
    "repo": "express-simple-pagination"
  }]
}
```
Note: You must follow this structure, and only github.com projects are included.
```yaml
name: "OpenSSF Scoring"
on:
  schedule:
    - cron: "0 0 * * *"
permissions:
  contents: write
  pull-requests: none
  issues: write
  packages: none
jobs:
  security-scoring:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: ulisesGascon/openssf-scorecard-monitor@v1
        with:
          scope: reporting/scope.json
          database: reporting/database.json
          report: reporting/openssf-scorecard-report.md
          auto-commit: true
          auto-push: true
          generate-issue: true
          issue-title: "OpenSSF Scorecard Report Updated!"
          github-token: ${{ secrets.GITHUB_TOKEN }}
          max-request-in-parallel: 10
```
- `scope`: defines the path to the file where the scope is defined
- `database`: defines the path to the JSON file used to store the scores and compare
- `report`: defines the path where the Markdown report will be added/updated
- `auto-commit`: commits the changes in the `database` and `report` files
- `auto-push`: pushes the code changes to the branch
- `generate-issue`: creates an issue with the scores that have been updated
- `issue-title`: defines the issue title
- `github-token`: the token used to create the issue and push the code
- `max-request-in-parallel`: defines the total number of HTTP requests that can be made in parallel
Just for reference, the database will store the current value and previous values with the date:
```json
{
  "github.com": {
    "UlisesGascon": {
      "check-my-headers": {
        "previous": [{
          "score": 6.7,
          "date": "2022-08-21"
        }],
        "current": {
          "score": 4.4,
          "date": "2022-11-28"
        }
      }
    }
  }
}
```
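As an added example (not code from the action itself), the Node script below checks a scope file against the structure required above and computes the score change for every repository in scope from a database file in the format just shown, which is the comparison the Markdown report and issue alert are built on. The inputs are constructed inline to mirror the README's formats, and the choice of the `previous` record with the latest date as the comparison baseline is an assumption of this example.

```javascript
// Constructed sample scope, in the README's scope.json structure
const SCOPE = {
  "github.com": [
    { org: "UlisesGascon", repo: "tor-detect-middleware" },
    { org: "UlisesGascon", repo: "check-my-headers" },
  ],
};

// Constructed sample database, in the README's database.json structure
const DATABASE = {
  "github.com": {
    UlisesGascon: {
      "check-my-headers": {
        previous: [{ score: 6.7, date: "2022-08-21" }],
        current: { score: 4.4, date: "2022-11-28" },
      },
      "tor-detect-middleware": {
        previous: [],
        current: { score: 8.1, date: "2022-11-28" },
      },
    },
  },
};

// Enforce the README's constraints: only github.com is supported and each
// entry needs string "org" and "repo" fields. Returns a list of problems.
function validateScope(scope) {
  const errors = [];
  for (const host of Object.keys(scope)) {
    if (host !== "github.com") errors.push(`unsupported host: ${host}`);
  }
  const entries = scope["github.com"];
  if (!Array.isArray(entries)) return [...errors, "github.com must be an array"];
  entries.forEach((e, i) => {
    if (typeof e.org !== "string" || typeof e.repo !== "string") {
      errors.push(`entry ${i}: org and repo must be strings`);
    }
  });
  return errors;
}

// Compare the current score with the latest previous record (assumption: the
// record with the greatest ISO date) for each repo in scope. delta is null
// when the repo has no history or is missing from the database.
function scoreChanges(scope, db) {
  return scope["github.com"].map(({ org, repo }) => {
    const rec = db["github.com"]?.[org]?.[repo];
    if (!rec) return { org, repo, current: null, previous: null, delta: null };
    const prev = rec.previous.length
      ? rec.previous.reduce((a, b) => (a.date > b.date ? a : b)).score
      : null;
    const delta = prev === null ? null : Number((rec.current.score - prev).toFixed(1));
    return { org, repo, current: rec.current.score, previous: prev, delta };
  });
}

// Repos whose score dropped are the ones an issue alert should lead with
function regressions(changes) {
  return changes.filter((c) => c.delta !== null && c.delta < 0);
}
```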