Use sbom-scorecard in GH action to catch regressions? #3457
Comments
|
I rather like this idea. For a simple first step, we can make it part of our CI. Just generate the scorecard for now right after we generate the sbom and report the results. Do we do things like this for code quality or other CI steps that have quantitative scores? We generate the Unsure if I would make it part of the |
|
@eriknordmark this would be a good addition for the SBOM stuff. @deitch IMHO it should be the part of github actions - it would be quite simple and efficient to manage then. |
|
I'm pretty sure you set up a make target that reports the path to the sbom file, so easy enough to get the path to pass to the action |
|
I don't know what part to put in the Makefile and in some workflow file, but it would be good to do it so the full scorecard diffs are captured in the workflow output so one can see the nature of any regression (license regression vs something else) |
Use case
This tool might be very useful to catch regressions. It does score based on the number of packages which does not have licences, but it doesn't seem to care about what license it has. But still good to catch regressions using a workflow to compare a PR against a master.
Describe the solution you'd like
I tried this:
Downloaded from
https://github.com/eBay/sbom-scorecard
Then e.g.,
docker run --rm lfedge/eve:10.4.0-kvm-amd64 sbom >/tmp/10.4.0.spdx
sbom-scorecard score --outputFormat json /tmp/10.4.0.spdx | jq .Total.Ratio
0.916791
The text was updated successfully, but these errors were encountered: