-
Notifications
You must be signed in to change notification settings - Fork 515
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
cmd/multi-scorecard: Update installation command and tool history
Signed-off-by: Stephen Augustus <[email protected]>
- Loading branch information
1 parent
f2e1f6b
commit a002868
Showing
1 changed file
with
16 additions
and
15 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,29 +1,30 @@ | ||
| # Multi Scorecard | ||
| # `multi-scorecard` | ||
|
|
||
| This program runs [OpenSSF Scorecard](https://github.com/ossf/scorecard) over | ||
| many repositories using a [GitHub | ||
| App](https://docs.github.com/en/apps/creating-github-apps/about-creating-github-apps/about-creating-github-apps) | ||
| credential. GitHub is queried to determine the orgs and repos the app is | ||
| installed on to determine which repos to run Scorecard over. Results are | ||
| printed to stdout in a JSON array. | ||
| This program runs OpenSSF Scorecard over many repositories using a [GitHub App](https://docs.github.com/en/apps/creating-github-apps/about-creating-github-apps/about-creating-github-apps) credential. | ||
| GitHub is queried to determine the orgs and repos the app is installed on to determine which repos to run Scorecard over. | ||
|
|
||
| Results are printed to stdout in a JSON array. | ||
|
|
||
| *`multi-scorecard` was originally featured as part of [Jeff Mendoza](https://github.com/jeffmendoza) and [Stephen Augustus](https://github.com/justaugustus)' SOSS Fusion talk, "Scorecard at Scale: Old and New Possibilities for Lifting Security on All Repositories".* | ||
|
|
||
| - [Session page with slides](https://sched.co/1hcPq) | ||
| - [Session recording](https://youtu.be/-XZqbO3hGcw?si=eGicz0sjgiIRhol4) | ||
| - [Previous source repository](https://github.com/jeffmendoza/multi-scorecard) | ||
|
|
||
| ## Usage | ||
|
|
||
| A [GitHub | ||
| App](https://docs.github.com/en/apps/creating-github-apps/about-creating-github-apps/about-creating-github-apps) | ||
| must be created and installed on the repositories you wish to scan. | ||
| A [GitHub App](https://docs.github.com/en/apps/creating-github-apps/about-creating-github-apps/about-creating-github-apps) must be created and installed on the repositories you wish to scan. | ||
|
|
||
| To install: | ||
|
|
||
| ``` | ||
| go get github.com/jeffmendoza/multi-scorecard@latest | ||
| ```console | ||
| go get github.com/ossf/scorecard/cmd/multi-scorecard@multi-scorecard | ||
| ``` | ||
|
|
||
| To run: | ||
|
|
||
| ``` | ||
| ```console | ||
| multi-scorecard -appid 1234 -keyfile my-app.private-key.pem > results.json | ||
| ``` | ||
|
|
||
| Where `1234` is the App ID of the app, and `my-app.private-key.pem` is the | ||
| private key file of the app. | ||
| Where `1234` is the App ID of the app, and `my-app.private-key.pem` is the private key file of the app. |