Add docs, implement warning behavior

This commit is contained in:
Justin Hutchings
2024-03-08 01:29:53 +00:00
parent 59d4782b76
commit 296bf3ab1b
2 changed files with 20 additions and 0 deletions
+2
View File
@@ -83,6 +83,8 @@ Configure this action by either inlining these options in your workflow file, or
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
| `warn-only`+ | When set to `true`, the action will log all vulnerabilities as warnings regardless of the severity, and the action will complete with a `success` status. This overrides the `fail-on-severity` option. | `true`, `false` | `false` |
| `show-openssf-scorecard-levels` | When set to `true`, the action will output information about all the known OpenSSF Scorecard scores for the dependencies changed in this pull request. | `true`, `false` | `true` |
| `warn-on-openssf-scorecard-level` | When `show-openssf-scorecard-levels` is set to `true`, this option lets you configure the threshold for when a score is considered too low and gets a :warning: warning in the CI. | Any positive integer | 3 |
\*not supported for use with GitHub Enterprise Server
+18
View File
@@ -154,6 +154,7 @@ async function run(): Promise<void> {
const scorecard = await getScorecardLevels(filteredChanges)
summary.addScorecardToSummary(scorecard, config)
printScorecardBlock(scorecard, config)
createScorecardWarnings(scorecard, config)
}
summary.addScannedDependencies(changes)
@@ -354,4 +355,21 @@ function printDeniedDependencies(
})
}
function createScorecardWarnings(
scorecards: Scorecard,
config: ConfigurationOptions
): void {
// Iterate through the list of scorecards, and if the score is less than the threshold, send a warning
for (const dependency of scorecards.dependencies) {
if (
dependency.scorecard?.score &&
dependency.scorecard?.score < config.warn_on_openssf_scorecard_level
) {
core.warning(
`${dependency.ecosystem}/${dependency.packageName} has an OpenSSF Scorecard of ${dependency.scorecard?.score} is less than this repository's threshold of ${config.warn_on_openssf_scorecard_level}.`
)
}
}
}
run()