Skip to content

README: show of OpenSSF Scorecard badge#187

Merged
thockin merged 1 commit intogo-logr:masterfrom
pohly:openssf-scorecard-badge
Jun 15, 2023
Merged

README: show of OpenSSF Scorecard badge#187
thockin merged 1 commit intogo-logr:masterfrom
pohly:openssf-scorecard-badge

Conversation

@pohly
Copy link
Contributor

@pohly pohly commented Jun 15, 2023

With the recent enabling of Scorecard updates, the badge accurately reflects the current status. Let's show it...

pohly
pohly commented Jun 15, 2023
View reviewed changes
README.md Outdated
# A minimal logging API for Go

[![Go Reference](https://pkg.go.dev/badge/github.com/go-logr/logr.svg)](https://pkg.go.dev/github.com/go-logr/logr)
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/go-logr/logr/badge)](https://api.securityscorecards.dev/projects/github.com/go-logr/logr)
Copy link
Contributor Author

@pohly pohly Jun 15, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is exactly the snipped from https://github.com/ossf/scorecard#scorecard-badges. However, it links to a URL which just returns some JSON. Wouldn't it be better to use a link which shows some human-friendly rendering?

@pnacht: you used https://deps.dev/go/github.com%2Fgo-logr%2Flogr for that. Is that a link that we can use here?

Copy link
Contributor

@pnacht pnacht Jun 15, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep! However, I'd actually suggest you use the new version meant to replace that json dump. It hasn't been officially released yet (just waiting to add a few more input modes, see ossf/scorecard-webapp#415), but already works:

https://securityscorecards.dev/viewer/?platform=github.com&org=go-logr&repo=logr

This page is focused solely on Scorecard results. deps.dev has more information regarding dependencies and dependents, but only shows a subset of Scorecard scores (there are 18 checks in total, all of which can be seen in the link above, but deps.dev only shows 9).

Copy link
Contributor Author

@pohly pohly Jun 15, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've switched to that.

@pohly
README: show of OpenSSF Scorecard badge
387c16f 
With the recent enabling of Scorecard updates, the badge accurately reflects
the current status. Let's show it...
@pohly pohly force-pushed the openssf-scorecard-badge branch from 582399a to 387c16f Compare June 15, 2023 14:00
@thockin thockin merged commit 73d5d25 into go-logr:master Jun 15, 2023
@thockin
Copy link
Contributor

thockin commented Jun 15, 2023

error processing signature: executing scorecard-api call: Post "https://api.securityscorecards.dev/projects/github.com/go-logr/logr": context deadline exceeded

@pnacht
Copy link
Contributor

pnacht commented Jun 15, 2023

Woah, looking into this now!

@thockin
Copy link
Contributor

thockin commented Jun 15, 2023 via email

@pnacht
Copy link
Contributor

pnacht commented Jun 15, 2023

Can you try simply re-running the failed run? Just follow that link and, on the "..." menu on the right side of the page, click "Re-run failed jobs".

I just tried running it on my own fork and some other active projects that have installed the Action and it worked fine... regardless, I'll report this to the Scorecard team.

@thockin
Copy link
Contributor

thockin commented Jun 15, 2023

Re-running it was OK.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@pnacht pnacht pnacht left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@pohly pohly

@thockin thockin

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pohly @thockin @pnacht