feat: add plugin support for OpenSSF Scorecard CLI #525
Overview
This PR adds plugin support for OpenSSF's Scorecard CLI targeting GitHub repositories. I specifically opted for their support to authenticate as a GitHub app rather than using personal access tokens that tend to never expire.
This involves using the private key, app ID, and installation ID for GitHub's documented flow where a signed JWT is exchanged for the temporary installation access token.
`scorecard` expects a file path to the private key, so I've used the SDK's file provisioner to load the PEM-formatted private key.
How To Test
1. Create a new GitHub app under your account settings (https://github.com/settings/apps)
2. Disable the webhook setting
3. Under "Permissions" and then "Repository permissions" grant the following:
   I believe this is everything required for scorecard to complete its scan successfully, but there may be more required. It's outside of the scope for `op` to define though.
4. Keep "Only on this account" checked
5. Finish up & click "Create GitHub App"
6. Once created, you'll automatically be taken to your app's settings page
7. Make note of the "App ID" (the entirely numeric value, not the Client ID)
8. Scroll down and click "Generate a private key" (this should automatically download the PEM file to your system)
9. Scroll back up to the top of the page and click "Install App". Install the application on your account.
10. Make note of the installation number in the URL once completed: `https://github.com/settings/installations/<your-installation-id-here>`
11. Create a new 1Password credential with three values:
    - `key`: upload the private key downloaded in the earlier step
    - `App ID`: copy your app ID from step 7 here (it does not need to be secret)
    - `Installation ID`: copy your installation ID from step 10 here (it does not need to be secret)
12. Initialize the plugin: `op plugin init scorecard`
13. Search for the credential you created (you may be prompted to rename the private key field if you used the SSH Key credential type in 1Password)
14. Test scanning one of your repos: `scorecard --repo=https://github.com/<username>/<repo-name>`
Changelog
Authenticate with GitHub as a GitHub App with OpenSSF's Scorecard CLI using the new `scorecard` plugin to assess your repositories' security best practices.
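The GitHub App flow the Overview describes (private key, App ID and installation ID; a signed JWT exchanged for a short-lived installation access token), shown as an added Go example that is not part of this PR, the shell-plugins SDK or the Scorecard CLI: it parses the PEM file that "Generate a private key" downloads, signs an RS256 App JWT within the 10-minute lifetime GitHub enforces, verifies that JWT against the App's public key, and builds the exchange request. The throwaway RSA key, the App ID `123456` and the installation ID `7890` are constructed placeholders; `https://api.github.com` is GitHub's real API base, but the example only constructs the request and never sends it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// appJWTClaims are the claims GitHub expects in an App JWT: iss is the App ID,
// iat is backdated slightly for clock skew, exp is at most 10 minutes in the future.
type appJWTClaims struct {
	Iss string `json:"iss"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// parsePrivateKey decodes the downloaded PEM (PKCS#1 RSA, with a PKCS#8 fallback).
func parsePrivateKey(pemBytes []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	if key, err := x509.ParsePKCS1PrivateKey(block.Bytes); err == nil {
		return key, nil
	}
	k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	rsaKey, ok := k.(*rsa.PrivateKey)
	if !ok {
		return nil, fmt.Errorf("not an RSA private key")
	}
	return rsaKey, nil
}

// signAppJWT builds an RS256 JWT for the App identified by appID, valid for ttl from now.
func signAppJWT(key *rsa.PrivateKey, appID string, now time.Time, ttl time.Duration) (string, error) {
	if ttl > 10*time.Minute {
		return "", fmt.Errorf("GitHub rejects App JWTs whose exp is more than 10 minutes in the future")
	}
	header := b64url([]byte(`{"alg":"RS256","typ":"JWT"}`))
	claims, err := json.Marshal(appJWTClaims{
		Iss: appID,
		Iat: now.Add(-60 * time.Second).Unix(), // backdate 60s to tolerate clock skew
		Exp: now.Add(ttl).Unix(),
	})
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// verifyAppJWT checks the signature with the App's public key and returns the claims.
func verifyAppJWT(token string, pub *rsa.PublicKey) (appJWTClaims, error) {
	var c appJWTClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, err
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(payload, &c)
}

// newInstallationTokenRequest builds the exchange: the App JWT is presented as a Bearer token
// to mint a temporary installation access token for installationID.
func newInstallationTokenRequest(apiBase, jwt, installationID string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodPost, apiBase+"/app/installations/"+installationID+"/access_tokens", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+jwt)
	req.Header.Set("Accept", "application/vnd.github+json")
	return req, nil
}

// demoKeyPEM is a constructed stand-in for the downloaded .pem file (PKCS#1 encoded like GitHub's).
func demoKeyPEM() ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}), nil
}

func main() {
	pemBytes, _ := demoKeyPEM()
	key, _ := parsePrivateKey(pemBytes)
	token, _ := signAppJWT(key, "123456", time.Now(), 9*time.Minute) // "123456": placeholder App ID
	req, _ := newInstallationTokenRequest("https://api.github.com", token, "7890") // "7890": placeholder installation ID
	fmt.Println(req.Method, req.URL)
}
```

The installation token the real exchange returns is what the plugin hands to `scorecard`; it expires on its own, which is the property the PR prefers over long-lived personal access tokens.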