OpenSSF Scorecard Dependency Analysis

This repository contains the source code for the OpenSSF Dependency Analysis project. The aim of the project is to check the security posture of a project's dependencies using the GitHub Dependency Graph API and the Security Scorecards API.

Usage

The OpenSSF Dependency Analysis is a GitHub Action that can be easily incorporated into a workflow. The workflow can be triggered on a pull request event. The action will run on the latest commit on the default branch of the repository, and will create a comment on the pull request with the results of the analysis. An example of the comment can be found here.

Prerequisites

The actions require enabling the GitHub Dependency Review for the repository.

Configuration

The action can be configured using the following inputs:

• SCORECARD_CHECKS: This environment variable takes a file containing a list of checks to run.
• The file should be in JSON format and follow the format provided by the Scorecard checks documentation. For example:

[
  "Binary-Artifacts",
  "Pinned-Dependencies"
] 

Installation

The action can be installed by adding the following snippet to the workflow file:

name: scorecard-dependency-analysis

on:
  pull_request:
    types: [opened, synchronize, reopened]
permissions:
  pull-requests: write # Required to create a comment on the pull request.

jobs:
  dependency-analysis:
    name: Scorecards dependency analysis
    runs-on: ubuntu-latest
    env:
      GITHUB_PR_NUMBER: ${{ github.event.number }}
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      GITHUB_REPOSITORY: ${{ github.repository }}
      GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
      GITHUB_SHA: ${{ github.sha }}
      GITHUB_ACTOR: ${{ github.actor }}


    steps:
      - name: Checkout code
        uses: actions/checkout@v2
        with:
          persist-credentials: false

      - name: Run dependency analysis
        uses: ossf/scorecard-action/dependency-analysis@main # Replace with the latest release version.