
Integration with CI/CD and GitHub Code Scanning Results #193

Closed
inferno-chromium opened this issue Feb 17, 2021 · 7 comments
@inferno-chromium
Contributor

https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/uploading-a-sarif-file-to-github

@naveensrinivasan
Member

That is a cool idea. Probably use Scorecard on all the dependencies of the codebase and upload it.

@inferno-chromium
Contributor Author

inferno-chromium commented Feb 17, 2021

Can even just start with showing it for the repo itself (deps can come next). It won't block the CI, but just run on it. This GitHub token limit might be a pain.

@naveensrinivasan
Member

For this, we need to export the results from the scorecard to SARIF format and, after that, come up with a GitHub Action, I think.
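
The export step described in this comment, as an added example that is not code from the scorecard project: it converts a Scorecard JSON result into a minimal SARIF 2.1.0 document of the kind `upload-sarif` accepts. The input layout (`checks[].name/score/reason/documentation.url`), the score-to-level thresholds and the placeholder location are assumptions for illustration.

```python
"""Convert Scorecard JSON output into a minimal SARIF 2.1.0 document.

Added example, not part of ossf/scorecard. The input layout and the
score thresholds below are assumptions chosen for illustration.
"""
import json

# Constructed sample: the shape of `scorecard --format json` as assumed here.
SAMPLE_SCORECARD = {
    "repo": {"name": "github.com/example/project", "commit": "abc123"},
    "checks": [
        {"name": "Token-Permissions", "score": 0,
         "reason": "non read-only tokens detected in GitHub workflows",
         "documentation": {"url": "https://example.invalid/docs#token-permissions"}},
        {"name": "Pinned-Dependencies", "score": 7,
         "reason": "some dependencies are not pinned",
         "documentation": {"url": "https://example.invalid/docs#pinned-dependencies"}},
        {"name": "Binary-Artifacts", "score": 10,
         "reason": "no binaries found",
         "documentation": {"url": "https://example.invalid/docs#binary-artifacts"}},
    ],
}

def level_for(score):
    """Map a 0-10 check score to a SARIF level (thresholds are an assumption)."""
    if score < 0:  # Scorecard reports -1 for inconclusive checks
        return "note"
    if score <= 3:
        return "error"
    if score < 10:
        return "warning"
    return None  # a passing check produces no result

def to_sarif(scorecard):
    """Build one SARIF run: every check becomes a rule, failing checks become results."""
    rules, results = [], []
    for check in scorecard["checks"]:
        rule_id = check["name"]
        rules.append({"id": rule_id, "name": rule_id,
                      "shortDescription": {"text": rule_id},
                      "helpUri": check["documentation"]["url"]})
        level = level_for(check["score"])
        if level is None:
            continue
        results.append({"ruleId": rule_id, "level": level,
                        "message": {"text": f"{check['reason']} (score {check['score']}/10)"},
                        # Placeholder location (assumption): code scanning shows results
                        # against a file; a real converter would use the file in check details.
                        "locations": [{"physicalLocation": {"artifactLocation": {"uri": "."}}}]})
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json", "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "Scorecard", "rules": rules}},
                      "results": results}]}

if __name__ == "__main__":
    print(json.dumps(to_sarif(SAMPLE_SCORECARD), indent=2))
```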

@inferno-chromium inferno-chromium added the priority/must-do Upcoming release label Mar 22, 2021
@naveensrinivasan naveensrinivasan linked a pull request Apr 17, 2021 that will close this issue
2 tasks
@inferno-chromium inferno-chromium changed the title Show scorecards result in CI action, upload to sarif, show in github ui Integration with CI/CD and GitHub Code Scanning Results Jun 28, 2021
@laurentsimon laurentsimon self-assigned this Oct 18, 2021
@laurentsimon laurentsimon added this to the v4 milestone Oct 18, 2021
@laurentsimon
Contributor

Reminder to myself: create a separate repo for the action, e.g. ossf/scorecard-action. This way the scorecard repo will host only the core part of scorecard.

@laurentsimon
Contributor

Another reminder to myself: decide if we want our action to upload the SARIF or leave it to users to do, like in our current PoC https://github.com/ossf/scorecard/blob/main/.github/workflows/scorecard-analysis.yml#L44

@azeemshaikh38
Contributor

@laurentsimon I think we can close this now?

@laurentsimon
Contributor

Yes!
