This action calculates a security rating for an open source project.
The rating contains a security score and a label. The score is a number from 0 to 10.
It shows how well the project cares about security. The label can be Good, Moderate, Bad or Unclear.
The rating procedure takes into account multiple factors:
- How well the open source project implements security testing.
- How well the project's community is aware of best security practices and adopts them.
- How well vulnerabilities are patched in the project.
- How the community commits to supporting the project.
- How active and popular the project is.
Fosstars uses only publicly available data about open source projects.
The action creates a detailed report that explains how the rating was calculated. In addition, the report contains recommendations for improving the security rating.
The action also generates one of the following badges:
The report and the badge are stored in a specified branch.
- Required. A branch where the report and the badge should be stored. Default: `fosstars`.
- Required. A version of Fosstars to be used for calculating a rating. Default: `v1.2.0`.
- Required. A token for fetching data about the project via the GitHub API, and for committing the report and badge to the specified branch.
- Optional. A file name for the report. Default: `fosstars_report.md`.
- Optional. A file name for the badge. Default: `fosstars_badge.svg`.
Here is an example workflow that updates the report every day, or when a commit is pushed. The report is stored in the `fosstars-report` branch.

```yaml
name: "Fosstars"

on:
  push:
    branches:
      - main
  schedule:
    - cron: "0 0 * * *"

jobs:
  create_fosstars_report:
    runs-on: ubuntu-latest
    name: "Security rating"
    steps:
      - uses: actions/checkout@v2.3.4
      - uses: SAP/fosstars-rating-core-action@v1.0.0
        with:
          report-branch: fosstars-report
          report-file: fosstars_security_rating.md
          badge-file: fosstars_security_rating.svg
          token: ${{ secrets.GITHUB_TOKEN }}
```
The badge will be stored in the same branch. It can be used in a README file (the file names must match the `badge-file` and `report-file` inputs of the workflow above):

```markdown
[![Fosstars security rating](https://raw.githubusercontent.com/your-organisation/your-project/fosstars-report/fosstars_security_rating.svg)](https://github.com/your-organisation/your-project/blob/fosstars-report/fosstars_security_rating.md)
```
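The badge snippet has to agree with the branch and file names passed to the action, and a typo in either one silently produces a broken badge. The following helper, added here as an example rather than code from the action itself, derives the README snippet from the workflow's `with:` values, applies the documented defaults and refuses to run without the required inputs. It assumes the input names shown in the workflow above (`report-branch`, `report-file`, `badge-file`, `token`); the Fosstars version input is left out because its key is not shown in this README.

```python
from urllib.parse import quote

# Input names and defaults as documented in this README (the token has no default).
DEFAULTS = {
    "report-branch": "fosstars",
    "report-file": "fosstars_report.md",
    "badge-file": "fosstars_badge.svg",
}
REQUIRED = ("report-branch", "token")


def resolve_inputs(with_block: dict) -> dict:
    """Apply the documented defaults to a workflow's `with:` mapping and
    fail early if a required input is missing. The token value is never copied out."""
    missing = [key for key in REQUIRED if not with_block.get(key)]
    if missing:
        raise ValueError(f"missing required input(s): {', '.join(missing)}")
    resolved = dict(DEFAULTS)
    resolved.update({k: v for k, v in with_block.items() if k in DEFAULTS})
    resolved["token"] = "<redacted>"
    return resolved


def badge_markdown(owner: str, repo: str, with_block: dict) -> str:
    """Build the README badge snippet from the same values the workflow uses,
    so the badge image and report link cannot drift from the committed file names."""
    inputs = resolve_inputs(with_block)
    branch = quote(inputs["report-branch"], safe="")
    badge = quote(inputs["badge-file"], safe="")
    report = quote(inputs["report-file"], safe="")
    raw_url = f"https://raw.githubusercontent.com/{owner}/{repo}/{branch}/{badge}"
    page_url = f"https://github.com/{owner}/{repo}/blob/{branch}/{report}"
    return f"[![Fosstars security rating]({raw_url})]({page_url})"


def readme_references_match(readme: str, owner: str, repo: str, with_block: dict) -> bool:
    """True when the README already contains exactly the snippet the workflow implies."""
    return badge_markdown(owner, repo, with_block) in readme


if __name__ == "__main__":
    # Constructed sample: the `with:` block from the workflow in this README.
    sample = {
        "report-branch": "fosstars-report",
        "report-file": "fosstars_security_rating.md",
        "badge-file": "fosstars_security_rating.svg",
        "token": "${{ secrets.GITHUB_TOKEN }}",
    }
    print(badge_markdown("your-organisation", "your-project", sample))
```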
Check out an example workflow that runs the action. The workflow stores a report in the `fosstars-report` branch.
Please see GitHub issues.
Please create a new GitHub issue if you find a bug, or if you'd like to suggest an enhancement. If you think you have found a security issue, please follow this guideline.
If you have a question, please open a discussion.
We appreciate feedback, ideas for improvements and, of course, pull requests.
Please follow this guideline if you'd like to contribute to the project.