ossf · naveensrinivasan · Feb 23, 2023 · Feb 24, 2023 · Feb 24, 2023 · Feb 27, 2023
diff --git a/.github/workflows/publish-dependency-image.yml b/.github/workflows/publish-dependency-image.yml
@@ -0,0 +1,45 @@
+name: Publish Dependency Analysis Docker image
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*'
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-dependency-analysis
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+        with:
+          context: .
+          push: true
+          file: ./Dockerfile-dependency-analysis
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/Dockerfile-dependency-analysis b/Dockerfile-dependency-analysis
@@ -0,0 +1,35 @@
+# Copyright 2023 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Testing: docker run -e GITHUB_REPOSITORY_OWNER=naveensrinivasan \
+# -e GITHUB_REPOSITORY=scorecard-action \
+# -e GITHUB_SHA=3fd6b13799a3e63276d0913fefa90c0e9ca32e31 \
+# -e GITHUB_TOKEN=GH_TOKEN \
+# -e GITHUB_PR_NUMBER=9 \
+
+#v1.19 go
+FROM golang:1.19.5@sha256:bb9811fad43a7d6fd2173248d8331b2dcf5ac9af20976b1937ecd214c5b8c383 AS builder
+WORKDIR /
+ENV CGO_ENABLED=0
+COPY go.mod go.sum ./
+COPY dependency-analysis/*.go /
+
+FROM builder AS build
+ARG TARGETOS
+ARG TARGETARCH
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o /dependency-analysis /
+
+FROM gcr.io/distroless/base@sha256:122585ba4c098993df9f8dc7285433e8a19974de32528ee3a4b07308808c84ce
+COPY --from=build /dependency-analysis /dependency-analysis
+ENTRYPOINT ["/dependency-analysis"]
diff --git a/dependency-analysis/README.md b/dependency-analysis/README.md
@@ -0,0 +1,16 @@
+# OpenSSF Dependency Analysis
+
+This repository contains the source code for the OpenSSF Dependency Analysis project.
+
+## Overview
+The OpenSSF Dependency Analysis project is to check the security posture of a project's dependencies. 
+It uses  https://docs.github.com/en/rest/dependency-graph/dependency-review?apiVersion=2022-11-28#get-a-diff-of-the-dependencies-between-commits
+to get the dependencies of a project and then uses https://api.securityscorecards.dev to get the security posture of the dependencies.
+https://github.com/ossf/scorecard-action/issues/1070
+
+## Usage
+The project is a GitHub Action that can be used in a workflow. The workflow can be triggered on a push or pull request event.
+
+This will run the action on the latest commit on the default branch of the repository and will create a comment on the pull request with the results of the analysis.
+
+Something like this: https://github.com/ossf-tests/vulpy/pull/2#issuecomment-1442310469
diff --git a/dependency-analysis/action.yaml b/dependency-analysis/action.yaml
@@ -0,0 +1,23 @@
+# Copyright 2023 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Action syntax: https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions.
+
+name: "OSSF Scorecard dependency analysis"
+description: "Run OSSF Scorecard dependency analysis on your repository to get quality metrics on your dependencies."
+author: "OSSF - github.com/ossf/scorecard"
+
+runs:
+  using: "docker"
+  image: "docker://ghcr.io/ossf/scorecard-action-dependency-analysis:latest"