README: show of OpenSSF Scorecard badge #187
README.md
Outdated
@@ -1,6 +1,7 @@ | |||
# A minimal logging API for Go | |||
|
|||
[![Go Reference](https://pkg.go.dev/badge/github.com/go-logr/logr.svg)](https://pkg.go.dev/github.com/go-logr/logr) | |||
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/go-logr/logr/badge)](https://api.securityscorecards.dev/projects/github.com/go-logr/logr) |
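Review bot: The link target on the added OpenSSF Scorecard badge line is https://api.securityscorecards.dev/projects/github.com/go-logr/logr, the same API host that serves the badge image, so clicking the badge takes the reader to an API endpoint rather than a readable report. Keep the API URL for the image only and point the link at a human-readable results page for this repository.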
This is exactly the snippet from https://github.com/ossf/scorecard#scorecard-badges. However, it links to a URL which just returns some JSON. Wouldn't it be better to use a link which shows some human-friendly rendering?
@pnacht: you used https://deps.dev/go/github.com%2Fgo-logr%2Flogr for that. Is that a link that we can use here?
Yep! However, I'd actually suggest you use the new version meant to replace that json dump. It hasn't been officially released yet (just waiting to add a few more input modes, see ossf/scorecard-webapp#415), but already works:
https://securityscorecards.dev/viewer/?platform=github.com&org=go-logr&repo=logr
This page is focused solely on Scorecard results. deps.dev has more information regarding dependencies and dependents, but only shows a subset of Scorecard scores (there are 18 checks in total, all of which can be seen in the link above, but deps.dev only shows 9).
I've switched to that.
With the recent enabling of Scorecard updates, the badge accurately reflects the current status. Let's show it...
582399a to 387c16f
error processing signature: executing scorecard-api call: Post "https://api.securityscorecards.dev/projects/github.com/go-logr/logr": context deadline exceeded
Woah, looking into this now!
Now that we put a number on it, I'd be happy to drive the number up (e.g. Dependabot)
On Thu, Jun 15, 2023 at 9:38 AM Pedro Nacht ***@***.***> wrote:
> Woah, looking into this now!
Can you try simply re-running the failed run? Just follow that link and, on the "..." menu on the right side of the page, click "Re-run failed jobs". I just tried running it on my own fork and some other active projects that have installed the Action and it worked fine... regardless, I'll report this to the Scorecard team.
Re-running it was OK.