You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The scorecard action seems to run the CLI. I do not understand how it publishes the results.
Could you help?
✗ scorecard --help
A program that shows the OpenSSF scorecard for an open source software.
Usage:
./scorecard (--repo=<repo>| --local=<folder>| --{npm,pypi,rubygems,nuget}=<package_name>)
[--checks=check1,...] [--show-details] [--show-annotations] [flags]
./scorecard [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
help Help about any command
serve Serve the scorecard program over http
version Prints the version
Flags:
--checks strings Checks to run. Possible values are: Contributors,Security-Policy,CI-Tests,Vulnerabilities,SAST,Token-Permissions,Branch-Protection,Code-Review,License,Dependency-Update-Tool,Packaging,Dangerous-Workflow,CII-Best-Practices,Signed-Releases,Fuzzing,Pinned-Dependencies,Binary-Artifacts,Maintained
--commit string commit to analyze (default "HEAD")
--commit-depth int number of commits to check, commits begin backwards from the HEAD
--format string output format. Possible values are: default, json, probe (default "default")
-h, --help helpfor ./scorecard
--local string local folder to check
--metadata strings metadata for the project. It can be multiple separated by commas
--npm string npm package to check, given that the npm package has a GitHub repository
--nuget string nuget package to check, given that the nuget package has a GitHub repository
-o, --output string output file
--probes strings Probes to run.
--pypi string pypi package to check, given that the pypi package has a GitHub repository
--repo string repository to check (valid inputs: "owner/repo", "github.com/owner/repo", "https://github.com/repo")
--rubygems string rubygems package to check, given that the rubygems package has a GitHub repository
--show-annotations show maintainers annotations for checks
--show-details show extra details about each check
--verbosity string Set the log level. Possible values are: 'info', 'debug', 'warn'. Add --show-details to see the results. (default "info")
Use "./scorecard [command] --help"for more information about a command.
I searched the code a bit and it seems to be using a custom golang action code to send the results. I thought it would be using the cli.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
The scorecard action seems to run the CLI. I do not understand how it publishes the results.
Could you help?
I searched the code a bit and it seems to be using a custom golang action code to send the results. I thought it would be using the cli.
https://github.com/ossf/scorecard-action/blob/6c4912ed9e5f80cfda40164b92753f21f0892cab/signing/signing.go#L129-L154
Beta Was this translation helpful? Give feedback.
All reactions