If you'd like to add a check, make sure it meets the following criteria and then create a new GitHub Issue to discuss with the team:
- The scorecard must only be composed of automate-able, objective data. For example, a project having 10 contributors doesn’t necessarily mean it’s more secure than a project with 50 contributors. But, having two maintainers might be preferable to only having one - the larger bus factor and ability to provide code reviews is objectively better.
- The scorecard criteria can be as specific as possible and are not limited to general recommendations. For example, for Go, we can recommend/require specific linters and analyzers to be run on the codebase.
- The scorecard can be populated for any open source project without any work or interaction from maintainers.
- Maintainers must be provided with a mechanism to correct any automated scorecard findings they feel were made in error, provide "hints" for anything we can't detect automatically, and even dispute the applicability of a given scorecard finding for that repository.
- Any criteria in the scorecard must be actionable. It should be possible, with help, for any project to "check all the boxes".
- Any solution to compile a scorecard should be usable by the greater open source community to monitor upstream security.
The steps to writing a check are as follows:
-
Create a file under the
checks/folder, saychecks/mycheck.go -
Give the check a name and register the check:
// Note: export the name by starting it with an upper-case letter. const CheckMyCheckName string = "My-Check" func init() { registerCheck(CheckMyCheckName, EntryPointMyCheck) }
-
Log useful information with
checker.DetailLogger:- Use
checker.DetailLogger.Warn()to provide detail on low-score results. This is shown when the user supplies theshow-resultsoption. - Use
checker.DetailLogger.Info()to provide detail on high-score results. This is shown when the user supplies theshow-resultsoption. - Use
checker.DetailLogger.Debug()to provide detail in verbose mode: this is shown only when the user supplies the--verbosity Debugoption. - If your message relates to a file, try to provide information such as
the
Path, line numberOffsetandSnippet.
- Use
-
If the check fails in a way that is irrecoverable, return a result with the
checker.CreateRuntimeErrorResult()function. For example, if an error is returned from an API you call, use this function. -
Create the result of the check as follows:
- Always provide a high-level sentence explaining the check's result/score.
- If the check runs properly but is unable to determine a score, use
checker.CreateInconclusiveResult(). - For proportional results, use
checker.CreateProportionalScoreResult(). - For maximum and minimum scores, use
checker.CreateMaxScoreResult()andchecker.CreateMinScoreResult(), respectively. - If you need more flexibility and need to set a specific score, use
checker.CreateResultWithScore()with one of the constants declared, such aschecker.HalfResultScore.
-
Dealing with errors: see errors/errors.md.
-
Create unit tests for low, high and inconclusive scores. Put them in a file
checks/mycheck_test.go. -
Create e2e tests in
e2e/mycheck_test.go. Use a dedicated repo that will not change over time, so that it's reliable for the tests. -
Update the
docs/checks/internal/checks.yamlwith a description of your check. -
Generate
docs/check.mdusingmake generate-docs. This will validate and generatedocs/check.md. -
Update the README.md with a short description of your check.
For actual examples, look at checks/binary_artifact.go, checks/code_review.go and checks/pinned_dependencies.go.