Why do the number of checks for the weekly scorecard scans differ for projects? #3987
-
Hello awesome people, I see a couple of missing checks in the results of CNCF projects, namely
Whereas we know that the scorecards test suite tests for more for other repositories (also on GitHub), e.g. https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard
Why do we have this difference? Do we have a configuration file for all the 1 million scanned repositories? Cheers
Replies: 2 comments
-
Hi @dynamic-entropy!
So, the main point is that github.com/ossf/scorecard is running the Scorecard GitHub Action (see the workflow file) and publishing the results, while Kubernetes (and I assume the other CNCF projects) is not. When a project doesn't run Scorecard themselves and publish the results, we use our own infrastructure to gather some results and make them available on our viewer. The implementation of the cronjob is available in this folder. The problem is that some of the checks (e.g. the ones you mentioned) are too API-heavy and we currently can't use our infrastructure to gather them for all the repositories.
Not sure I understood your question, but we do have a file listing all the repositories we evaluate in our cronjob. Check this file for GitHub projects and this one for GitLab.
-
Hi @diogoteles08
I meant if there is a configuration file that specifies which checks to skip (or run) for certain repositories.
scorecard/cron/config/config.yaml Line 48 in d58bfb0
Cheers