Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[feature] Provide Option to Use OpenSSF Scorecard REST API for Scorecard Ingestion #1892

Open
nathannaveen opened this issue May 6, 2024 · 2 comments · May be fixed by #1938
Open

[feature] Provide Option to Use OpenSSF Scorecard REST API for Scorecard Ingestion #1892

nathannaveen opened this issue May 6, 2024 · 2 comments · May be fixed by #1938
Assignees
Labels
enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed

Comments

@nathannaveen
Copy link
Contributor

Background

Currently, GUAC is calculating the OpenSSF Scorecard scores directly using the Scorecard library. This requires having a GitHub token to access the repository data. However, there are cases where we may not have access to a GitHub token, such as when ingesting an SBOM without the associated repository information.

Proposal

To address this, we propose adding an option to use the OpenSSF Scorecard REST API (https://github.com/ossf/scorecard?tab=readme-ov-file#scorecard-rest-api) to retrieve the Scorecard scores, in addition to the existing library-based approach.

Key Features

  1. User Option: Provide a configuration option or flag that allows users to choose between the following two Scorecard ingestion modes:
    1. Library-based Scorecard: Use the Scorecard library to calculate the scores directly, requiring a GitHub token.
    2. REST API-based Scorecard: Use the OpenSSF Scorecard REST API to retrieve the scores, without requiring a GitHub token.
  2. Preferred Scorecard Source: When the REST API-based mode is enabled, GUAC should first attempt to calculate the Scorecard score using the library-based approach. If successful, this score should be used as the most recent and default score. If the library-based approach fails (e.g., due to missing GitHub token), GUAC should then fall back to using the REST API to retrieve the Scorecard score.
  3. Scorecard History: When using the REST API-based mode, GUAC should also store the timeline of Scorecard scores for each project, allowing users to track the security posture over time.

Key Benefits

  1. Expanded Scorecard Coverage: The REST API-based mode allows GUAC to retrieve Scorecard data for a wider range of repositories, even when GitHub API tokens are not available. This significantly expands the set of SBOMs that can be ingested with Scorecard data.
  2. No GitHub Token Required: The REST API-based mode does not require a GitHub token, which removes a potential barrier to accessing Scorecard data.
  3. Scorecard History: The REST API provides a timeline of Scorecard scores, which can be useful for tracking the security posture of a project over time.

Proposed Implementation

  1. Add a new configuration option or flag to allow users to choose between the library-based and REST API-based Scorecard ingestion modes.
  2. Implement a new Scorecard provider that uses the OpenSSF Scorecard REST API to fetch the Scorecard data.
  3. Update the existing Scorecard ingestion logic to support both the library-based and REST API-based approaches, with the preferred source being the library-based score if available.
  4. Store the Scorecard score history when using the REST API-based mode.
  5. Document the new Scorecard ingestion options and their tradeoffs in the GUAC documentation.
@nathannaveen nathannaveen added the enhancement New feature or request label May 6, 2024
@pxp928 pxp928 added good first issue Good for newcomers help wanted Extra attention is needed labels May 6, 2024
@neilnaveen
Copy link
Contributor

I would like to work on this.

@pxp928
Copy link
Collaborator

pxp928 commented May 23, 2024

Thanks @neilnaveen. I will assign to you.

neilnaveen added a commit to neilnaveen/guac that referenced this issue May 30, 2024
- Fixes guacsec#1892
- Updated tests
- Added a README for certifier/scorecard

Signed-off-by: neilnaveen <[email protected]>
@neilnaveen neilnaveen linked a pull request May 30, 2024 that will close this issue
7 tasks
neilnaveen added a commit to neilnaveen/guac that referenced this issue Jun 17, 2024
- Fixes guacsec#1892
- Updated tests
- Added a README for certifier/scorecard

Signed-off-by: neilnaveen <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants