add OSSF Scorecard Report workflow

Signed-off-by: Brandon Yee <[email protected]>
DSACMS · Aug 1, 2024 · 67bb12a · 67bb12a
1 parent effeccf
commit 67bb12a
Show file tree

Hide file tree

Showing 3 changed files with 84 additions and 0 deletions.
diff --git a/.github/workflows/scorecard_internal.yml b/.github/workflows/scorecard_internal.yml
@@ -0,0 +1,39 @@
+name: Generate OSSF Scorecard Report for Internal Repositories
+
+on:
+    workflow_dispatch: {}
+    schedule:
+        # Weekly on Saturdays.
+        - cron: "30 1 * * 6"
+
+jobs:
+    update:
+        strategy:
+            matrix:
+                orgs: ["DSACMS", "Enterprise-CMCS", "CMS-Enterprise", "CMSgov"]
+            max-parallel: 1
+        permissions: write-all
+        name: update
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@v4
+            - uses: actions/setup-go@v5
+            - name: Install OSSF CLI
+              run: docker pull gcr.io/openssf/scorecard:stable
+            - name: Run OSSF Scorecard Report script
+              run: ./scripts/scorecard_internal.sh ${{ matrix.orgs }}
+              env:
+                  GITHUB_TOKEN: ${{ secrets.METRICS_GITHUB_TOKEN }}
+            - name: Commit changes
+              run: |
+                  git config user.name 'GitHub Actions'
+                  git config user.email '[email protected]'
+                  git pull
+                  git add -A
+                  timestamp=$(date -u)
+                  git commit -m "update ${{ matrix.orgs }} data: ${timestamp}" || exit 0
+            - name: Push to ${{ github.ref_name }}
+              uses: CasperWA/push-protected@v2
+              with:
+                  token: ${{ secrets.METRICS_GITHUB_TOKEN }}
+                  branch: ${{ github.ref_name }}
diff --git a/.gitignore b/.gitignore
@@ -22,3 +22,4 @@ scripts/__pycache__
 # SCC COCOMO
 scripts/scc_repos/
 scripts/scc_reports/
+scripts/ossf_reports/
diff --git a/scripts/scorecard_internal.sh b/scripts/scorecard_internal.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+organization="$1"
+VERBOSE="${VERBOSE:-0}"
+
+if [ -z "$organization" ]; then
+	echo "Error: Organization name is required."
+	echo "Usage: ./script.sh ORGANIZATION_NAME"
+	exit 1
+fi
+
+if [[ -z "$GITHUB_TOKEN" ]]; then
+	echo "Error: GITHUB_TOKEN environment variable is required."
+	exit 1
+fi
+
+# set up working directory
+cd scripts/
+
+repo_paths=$(jq -r '."Open Source Projects"."'"$organization"'"[]' _metadata/projects_tracked.json)
+
+# set up directories
+mkdir -p ossf_reports/
+
+for repo_path in $repo_paths; do
+	[ "$VERBOSE" -eq 1 ] && echo "Processing repository: $repo_path"
+
+	repo_name=$(basename $repo_path)
+
+	# run OSSF CLI
+	docker run -e GITHUB_TOKEN gcr.io/openssf/scorecard:stable --repo=$repo_path --format=json >"ossf_reports/${repo_name}.json"
+
+	# combine OSSF CLI results with repo metadata
+	jq -s '.[0] + {ossf_scorecard: .[1]}' "../app/site/_data/$organization/$repo_name/${repo_name}_data.json" "ossf_reports/${repo_name}.json" >"../app/site/_data/$organization/$repo_name/${repo_name}_ossf.json"
+	mv "../app/site/_data/$organization/$repo_name/${repo_name}_ossf.json" "../app/site/_data/$organization/$repo_name/${repo_name}_data.json"
+
+	[ "$VERBOSE" -eq 1 ] && echo "Done processing repository: $repo_path"
+done
+
+# clean up
+rm -rf ossf_reports/
+
+# print success message
+echo "All repositories processed successfully for organization: $organization"