mibo / fosstars-rating-core-action

A GitHub action for calculating Fosstars security ratings.


Fosstars ratings

This action calculates a security rating for an open source project. The rating consists of a security score and a label. The score is a number from 0 to 10 that shows how well the project cares about security. The label can be Good, Moderate, Bad or Unclear.

The rating procedure takes into account multiple factors:

  • How well the open source project implements security testing.
  • How well the project's community is aware of security best practices and adopts them.
  • How well vulnerabilities are patched in the project.
  • How the community commits to supporting the project.
  • How active and popular the project is.

Fosstars uses only publicly available data about open source projects.

The action creates a detailed report that explains how the rating was calculated. In addition, the report contains recommendations for improving the security rating.

The action also generates one of the following badges:

  • Good security rating
  • Moderate security rating
  • Bad security rating
  • Unclear security rating
  • Unknown security rating

The report and the badge are stored in a specified branch.

Inputs

report-branch

Required. A branch where the report and the badge should be stored. Default: fosstars.

fosstars-version

Required. A version of Fosstars to be used for calculating a rating. Default: v1.2.0.

token

Required. A token for fetching data about the project via the GitHub API, and for committing the report and badge to the specified branch.

report-file

Optional. A file name for the report. Default: fosstars_report.md.

badge-file

Optional. A file name for the badge. Default: fosstars_badge.svg.

How to use it

Here is an example workflow that updates the report every day, or whenever a commit is pushed to main. The report is stored in the fosstars-report branch.

name: "Fosstars"
on:
  push:
    branches:
      - main
  schedule:
    - cron: "0 0 * * *"

jobs:
  create_fosstars_report:
    runs-on: ubuntu-latest
    name: "Security rating"
    steps:
      - uses: actions/checkout@v2.3.4
      - uses: SAP/fosstars-rating-core-action@v1.0.0
        with:
          report-branch: fosstars-report
          report-file: fosstars_security_rating.md
          badge-file: fosstars_security_rating.svg
          token: ${{ secrets.GITHUB_TOKEN }}

The badge is stored in the same branch. It can be embedded in a README file (the badge file name must match the badge-file input of the workflow above, fosstars_security_rating.svg):

[![Fosstars security rating](https://raw.githubusercontent.com/your-organisation/your-project/fosstars-report/fosstars_security_rating.svg)](https://github.com/your-organisation/your-project/blob/fosstars-report/fosstars_security_rating.md)
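Because the action commits to a branch with the workflow's token, it is worth restricting what that token may do. The following variant of the workflow above is an added example, not part of the project's own README: it assumes that pushing the report and badge needs only the contents: write permission on the GITHUB_TOKEN (verify this against the action's documentation for your setup) and uses a concurrency group so a scheduled run and a push-triggered run do not race each other when committing to the report branch.

```yaml
name: "Fosstars"
on:
  push:
    branches:
      - main
  schedule:
    - cron: "0 0 * * *"

# Drop the default (broad) GITHUB_TOKEN permissions for the whole workflow;
# each job then requests only what it needs.
permissions: {}

# Only one run at a time writes to the report branch; a second run waits
# instead of racing the first and producing a rejected push.
concurrency:
  group: fosstars-report
  cancel-in-progress: false

jobs:
  create_fosstars_report:
    runs-on: ubuntu-latest
    name: "Security rating"
    permissions:
      # Assumption: read project data and push the report/badge commit.
      contents: write
    steps:
      - uses: actions/checkout@v2.3.4
      - uses: SAP/fosstars-rating-core-action@v1.0.0
        with:
          report-branch: fosstars-report
          report-file: fosstars_security_rating.md
          badge-file: fosstars_security_rating.svg
          token: ${{ secrets.GITHUB_TOKEN }}
```

If a run fails with a permission error on the push or on an API call, widen the job's permissions block one scope at a time rather than restoring the defaults.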

Example

Check out an example workflow that runs the action. The workflow stores a report in the fosstars-report branch.

Known issues

Please see GitHub issues.

Support

Please create a new GitHub issue if you found a bug, or you'd like to suggest an enhancement. If you think you found a security issue, please follow this guideline.

If you have a question, please open a discussion.

Contributing

We appreciate feedback, ideas for improvements and, of course, pull requests.

Please follow this guideline if you'd like to contribute to the project.

Links

  1. Fosstars home page
  2. Fosstars documentation
  3. Open source security rating
  4. Security ratings for well-known open source projects

License: Apache License 2.0