ossf · naveensrinivasan · Feb 23, 2023 · Feb 24, 2023 · Feb 24, 2023 · Feb 27, 2023
diff --git a/.github/workflows/publish-dependency-image.yml b/.github/workflows/publish-dependency-image.yml
@@ -0,0 +1,45 @@
+name: Publish Dependency Analysis Docker image
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*'
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-dependency-analysis
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+        with:
+          context: .
+          push: true
+          file: ./Dependency-analysis.dockerfile
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/Dependency-analysis.dockerfile b/Dependency-analysis.dockerfile
@@ -0,0 +1,35 @@
+# Copyright 2023 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Testing: docker run -e GITHUB_REPOSITORY_OWNER=naveensrinivasan \
+# -e GITHUB_REPOSITORY=scorecard-action \
+# -e GITHUB_SHA=3fd6b13799a3e63276d0913fefa90c0e9ca32e31 \
+# -e GITHUB_TOKEN=GH_TOKEN \
+# -e GITHUB_PR_NUMBER=9 \
+
+#v1.19 go
+FROM golang:1.19.5@sha256:bb9811fad43a7d6fd2173248d8331b2dcf5ac9af20976b1937ecd214c5b8c383 AS builder
+WORKDIR /
+ENV CGO_ENABLED=0
+COPY go.mod go.sum ./
+COPY dependency-analysis/*.go /
+
+FROM builder AS build
+ARG TARGETOS
+ARG TARGETARCH
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o /dependency-analysis /
+
+FROM gcr.io/distroless/base@sha256:122585ba4c098993df9f8dc7285433e8a19974de32528ee3a4b07308808c84ce
+COPY --from=build /dependency-analysis /dependency-analysis
+ENTRYPOINT ["/dependency-analysis"]
diff --git a/dependency-analysis/README.md b/dependency-analysis/README.md
@@ -0,0 +1,58 @@
+# OpenSSF Scorecard Dependency Analysis
+
+This repository contains the source code for the OpenSSF Dependency Analysis project. The aim of the project is to check the security posture of a project's dependencies using the [GitHub Dependency Graph API](https://docs.github.com/en/rest/dependency-graph/dependency-review?apiVersion=2022-11-28#get-a-diff-of-the-dependencies-between-commits) and the [Security Scorecards API](https://api.securityscorecards.dev).
+
+## Usage
+The OpenSSF Dependency Analysis is a GitHub Action that can be easily incorporated into a workflow. 
+The workflow can be triggered on a pull request event. 
+The action will run on the latest commit on the default branch of the repository, and will create a comment on the pull request with the results of the analysis. 
+An example of the comment can be found [here](https://github.com/ossf-tests/vulpy/pull/2#issuecomment-1442310469).
+
+## Prerequisites
+The actions require enabling the [GitHub Dependency Review](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review) for the repository.
+
+### Configuration
+The action can be configured using the following inputs:
+
+- `SCORECARD_CHECKS`: This environment variable takes a file containing a list of checks to run. 
+- The file should be in JSON format and follow the format provided by the [Scorecard checks documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md). For example:
+```json
+[
+  "Binary-Artifacts",
+  "Pinned-Dependencies"
+] 
+```
+
+### Installation
+The action can be installed by adding the following snippet to the workflow file:
+```yaml
+name: scorecard-dependency-analysis
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+permissions:
+  pull-requests: write # Required to create a comment on the pull request.
+
+jobs:
+  dependency-analysis:
+    name: Scorecards dependency analysis
+    runs-on: ubuntu-latest
+    env:
+      GITHUB_PR_NUMBER: ${{ github.event.number }}
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      GITHUB_REPOSITORY: ${{ github.repository }}
+      GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
+      GITHUB_SHA: ${{ github.sha }}
+      GITHUB_ACTOR: ${{ github.actor }}
+
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+        with:
+          persist-credentials: false
+
+      - name: Run dependency analysis
+        uses: ossf/scorecard-action/dependency-analysis@main # Replace with the latest release version.
+```
diff --git a/dependency-analysis/action.yaml b/dependency-analysis/action.yaml
@@ -0,0 +1,23 @@
+# Copyright 2023 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Action syntax: https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions.
+
+name: "OSSF Scorecard dependency analysis"
+description: "Run OSSF Scorecard dependency analysis on your repository to get quality metrics on your dependencies."
+author: "OSSF - github.com/ossf/scorecard"
+
+runs:
+  using: "docker"
+  image: "docker://ghcr.io/ossf/scorecard-action-dependency-analysis:latest"