scorecard-cli

2.0.0 • Public • Published

scorecard-cli Version Badge

github actions coverage License Downloads

npm badge

A CLI for OpenSSF Scorecard data.

Example

CLI

> scorecard-cli ljharb/qs
{
  date: '2023-05-22',
  repo: {
    name: 'github.com/ljharb/qs',
    commit: '410bdd3c8ae7f5d7ae9b52648b8642b8adc5e1c0'
  },
  scorecard: {
    version: 'v4.10.5-188-g028fa93',
    commit: '028fa93e924d3facde890a113f7edf1225a87ea2'
  },
  score: 6.8,
  checks: [
    {
      name: 'Maintained',
      score: 8,
      reason: '4 commit(s) out of 30 and 6 issue activity out of 30 found in the last 90 days -- score normalized to 8',
      details: null,
      documentation: {
        short: 'Determines if the project is "actively maintained".',
        url: 'https://github.com/ossf/scorecard/blob/028fa93e924d3facde890a113f7edf1225a87ea2/docs/checks.md#maintained'
      }
    },
    {
      name: 'Code-Review',
      score: 0,
      reason: 'found 26 unreviewed human changesets (30 total)',
      details: null,
      documentation: {
        short: 'Determines if the project requires human code review before pull requests (aka merge requests) are merged.',
        url: 'https://github.com/ossf/scorecard/blob/028fa93e924d3facde890a113f7edf1225a87ea2/docs/checks.md#code-review'
      }
    },
    {
      name: 'CII-Best-Practices',
      score: 0,
      reason: 'no effort to earn an OpenSSF best practices badge detected',
      details: null,
      documentation: {
        short: 'Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.',
        url: 'https://github.com/ossf/scorecard/blob/028fa93e924d3facde890a113f7edf1225a87ea2/docs/checks.md#cii-best-practices'
      }
    },
    {
      name: 'License',
      score: 10,
      reason: 'license file detected',
      details: [
        'Info: License file found in expected location: LICENSE.md:1',
        'Info: FSF or OSI recognized license: LICENSE.md:1'
      ],
      documentation: {
        short: 'Determines if the project has defined a license.',
        url: 'https://github.com/ossf/scorecard/blob/028fa93e924d3facde890a113f7edf1225a87ea2/docs/checks.md#license'
      }
    },
    {
      name: 'Branch-Protection',
      score: -1,
      reason: 'internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration',
      details: null,
      documentation: {
        short: "Determines if the default and release branches are protected with GitHub's branch protection settings.",
        url: 'https://github.com/ossf/scorecard/blob/028fa93e924d3facde890a113f7edf1225a87ea2/docs/checks.md#branch-protection'
      }
    },
    {
      name: 'Signed-Releases',
      score: -1,
      reason: 'no releases found',
      details: [ 'Warn: no GitHub releases found' ],
      documentation: {
        short: 'Determines if the project cryptographically signs release artifacts.',
        url: 'https://github.com/ossf/scorecard/blob/028fa93e924d3facde890a113f7edf1225a87ea2/docs/checks.md#signed-releases'
      }
    },
    {
      name: 'Binary-Artifacts',
      score: 10,
      reason: 'no binaries found in the repo',
      details: null,
      documentation: {
        short: 'Determines if the project has generated executable (binary) artifacts in the source repository.',
        url: 'https://github.com/ossf/scorecard/blob/028fa93e924d3facde890a113f7edf1225a87ea2/docs/checks.md#binary-artifacts'
      }
    },
    {
      name: 'Pinned-Dependencies',
      score: 8,
      reason: 'dependency not pinned by hash detected -- score normalized to 8',
      details: [
        'Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rebase.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/qs/rebase.yml/main?enable=pin',
        'Warn: third-party GitHubAction not pinned by hash: .github/workflows/rebase.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/qs/rebase.yml/main?enable=pin',
        'Warn: third-party GitHubAction not pinned by hash: .github/workflows/require-allow-edits.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/qs/require-allow-edits.yml/main?enable=pin',
        'Info: Dockerfile dependencies are pinned',
        'Info: no insecure (not pinned by hash) dependency downloads found in Dockerfiles',
        'Info: no insecure (not pinned by hash) dependency downloads found in shell scripts',
        'Info: Pip installs are pinned'
      ],
      documentation: {
        short: 'Determines if the project has declared and pinned the dependencies of its build process.',
        url: 'https://github.com/ossf/scorecard/blob/028fa93e924d3facde890a113f7edf1225a87ea2/docs/checks.md#pinned-dependencies'
      }
    },
    {
      name: 'Dangerous-Workflow',
      score: 10,
      reason: 'no dangerous workflow patterns detected',
      details: null,
      documentation: {
        short: "Determines if the project's GitHub Action workflows avoid dangerous patterns.",
        url: 'https://github.com/ossf/scorecard/blob/028fa93e924d3facde890a113f7edf1225a87ea2/docs/checks.md#dangerous-workflow'
      }
    },
    {
      name: 'Packaging',
      score: -1,
      reason: 'no published package detected',
      details: [ 'Warn: no GitHub/GitLab publishing workflow detected' ],
      documentation: {
        short: 'Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.',
        url: 'https://github.com/ossf/scorecard/blob/028fa93e924d3facde890a113f7edf1225a87ea2/docs/checks.md#packaging'
      }
    },
    {
      name: 'Token-Permissions',
      score: 10,
      reason: 'tokens are read-only in GitHub workflows',
      details: [
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/node-aught.yml:6",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/node-pretest.yml:6",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/node-tens.yml:6",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/rebase.yml:6",
        "Warn: jobLevel 'contents' permission set to 'write': .github/workflows/rebase.yml:11: Verify which permissions are needed and consider whether you can reduce them. (High effort)",
        "Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/rebase.yml:12",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/require-allow-edits.yml:6",
        "Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/require-allow-edits.yml:11"
      ],
      documentation: {
        short: "Determines if the project's workflows follow the principle of least privilege.",
        url: 'https://github.com/ossf/scorecard/blob/028fa93e924d3facde890a113f7edf1225a87ea2/docs/checks.md#token-permissions'
      }
    },
    {
      name: 'Vulnerabilities',
      score: 10,
      reason: 'no vulnerabilities detected',
      details: null,
      documentation: {
        short: 'Determines if the project has open, known unfixed vulnerabilities.',
        url: 'https://github.com/ossf/scorecard/blob/028fa93e924d3facde890a113f7edf1225a87ea2/docs/checks.md#vulnerabilities'
      }
    },
    {
      name: 'Fuzzing',
      score: 0,
      reason: 'project is not fuzzed',
      details: null,
      documentation: {
        short: 'Determines if the project uses fuzzing.',
        url: 'https://github.com/ossf/scorecard/blob/028fa93e924d3facde890a113f7edf1225a87ea2/docs/checks.md#fuzzing'
      }
    },
    {
      name: 'Security-Policy',
      score: 9,
      reason: 'security policy file detected',
      details: [
        'Info: Found linked content in security policy: github.com/ljharb/.github/SECURITY.md',
        'Info: Found text in security policy: github.com/ljharb/.github/SECURITY.md',
        'Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy: github.com/ljharb/.github/SECURITY.md',
        'Info: security policy detected in org repo: github.com/ljharb/.github/SECURITY.md'
      ],
      documentation: {
        short: 'Determines if the project has published a security policy.',
        url: 'https://github.com/ossf/scorecard/blob/028fa93e924d3facde890a113f7edf1225a87ea2/docs/checks.md#security-policy'
      }
    },
    {
      name: 'SAST',
      score: 0,
      reason: 'SAST tool is not run on all commits -- score normalized to 0',
      details: [
        'Warn: 0 commits out of 5 are checked with a SAST tool',
        'Warn: CodeQL tool not detected'
      ],
      documentation: {
        short: 'Determines if the project uses static code analysis.',
        url: 'https://github.com/ossf/scorecard/blob/028fa93e924d3facde890a113f7edf1225a87ea2/docs/checks.md#sast'
      }
    }
  ]
}

Package Sidebar

Install

npm i scorecard-cli

Weekly Downloads

10

Version

2.0.0

License

MIT

Unpacked Size

17.3 kB

Total Files

9

Last publish

Collaborators

  • ljharb