feat(materials): add OSSF_SCORECARD_JSON material type #3212
AI Session Analysis
| Status | Policy | Material | Messages |
|---|---|---|---|
| ✅ Passed | ai-config-ai-agents-allowed | ai-coding-session-234a5d | - |
| ✅ Passed | ai-config-no-dangerous-commands | ai-coding-session-234a5d | - |
| ✅ Passed | ai-config-no-secrets | ai-coding-session-234a5d | - |
| ✅ Passed | ai-config-mcp-servers-allowed | ai-coding-session-234a5d | - |
Powered by Chainloop and Chainloop Trace
d339b75 to e0c1b16
cubic: 1 issue found and verified against the latest diff.
Kusari Analysis Results:

No pinned version dependency changes, code issues or exposed secrets detected! Note: view the full detailed analysis result for more information on the output and the checks that were run.

Kusari PR Analysis rerun based on 9e6f5b9, performed at 2026-06-15T13:23:51Z.
cubic: 1 issue found across 3 files (changes from recent commits).
Add a dedicated material type for ingesting OpenSSF Scorecard V2 JSON reports as first-class evidence. The crafter validates the report against an embedded JSON Schema, uploads it to CAS, and records the Scorecard tool version and aggregate score as material annotations.

Closes #427

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
Chainloop-Trace-Sessions: 234a5dc3-baba-4c3d-be42-dbabf15c5487
Address review feedback on the OSSF_SCORECARD_JSON crafter:
- Parse the report into a typed struct instead of accessing fields through
a generic map[string]interface{}, removing fragile type assertions.
- Always enforce a discriminating-field guard (scorecard.version) so that
--no-strict-validation no longer lets arbitrary JSON be misclassified as a
Scorecard report and annotated as such.
Also document the typed-struct-over-empty-interface preference in CLAUDE.md.
Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
Chainloop-Trace-Sessions: 234a5dc3-baba-4c3d-be42-dbabf15c5487
9e6f5b9 to 48344e8
Address review feedback: the aggregate score annotation was set unconditionally, so a nonconformant report missing "score" would be misrepresented as score 0 under --no-strict-validation. Make the score field a pointer so an absent score is distinguishable from a real 0.0, and only set the annotation when present.

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
Chainloop-Trace-Sessions: 234a5dc3-baba-4c3d-be42-dbabf15c5487
Description

Adds a dedicated `OSSF_SCORECARD_JSON` material type so OpenSSF Scorecard results can be attested as first-class, structured evidence instead of opaque SARIF.

The crafter validates the Scorecard V2 JSON report against an embedded JSON Schema (using the existing `internal/schemavalidators` mechanism, consistent with the OpenAPI/AsyncAPI/CycloneDX materials), uploads the raw report to CAS, and records the Scorecard tool version and aggregate score as material annotations. It supports `--no-strict-validation` and participates in material auto-detection.

The embedded schema is adapted from OSSF's published `json.v2.schema` with `details`/`metadata` relaxed to allow `null`, matching real-world Scorecard output.

Closes #427
AI assistance

This change was produced with the assistance of Claude Code (`Assisted-by: Claude Code`).

🤖 Posted by Maximus bot (Claude Code) on behalf of @migmartri
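As an added example (not Chainloop's crafter code), a Go sketch of the pattern the second and third commits and the description converge on: a typed struct instead of `map[string]interface{}`, an unconditional `scorecard.version` guard so arbitrary JSON is never annotated as a Scorecard report, and a pointer-typed score so a missing `score` is not reported as 0. The annotation key names and the sample reports are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
)

// Minimal typed view of a Scorecard V2 report; encoding/json ignores the rest.
type ScorecardReport struct {
	Scorecard struct {
		Version string `json:"version"`
	} `json:"scorecard"`
	// Pointer so an absent "score" is distinguishable from a real 0.0.
	Score *float64 `json:"score"`
}

var ErrNotScorecard = errors.New("not an OpenSSF Scorecard report: missing scorecard.version")

// Annotation keys are assumed for this example, not Chainloop's real names.
const AnnotationVersion = "scorecard.version"
const AnnotationScore = "scorecard.score"

// ExtractAnnotations enforces the scorecard.version guard regardless of schema
// strictness and sets the score annotation only when a score is present.
func ExtractAnnotations(raw []byte) (map[string]string, error) {
	var r ScorecardReport
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, fmt.Errorf("parsing report: %w", err)
	}
	if r.Scorecard.Version == "" {
		return nil, ErrNotScorecard
	}
	ann := map[string]string{AnnotationVersion: r.Scorecard.Version}
	if r.Score != nil {
		ann[AnnotationScore] = strconv.FormatFloat(*r.Score, 'f', -1, 64)
	}
	return ann, nil
}

func main() {
	// Constructed sample reports, not real Scorecard output.
	for _, raw := range []string{
		`{"scorecard":{"version":"v5.0.0"},"score":7.2,"checks":[]}`,
		`{"scorecard":{"version":"v5.0.0"},"checks":[]}`, // no score: annotation omitted
		`{"name":"not-a-scorecard","score":0}`,           // arbitrary JSON: rejected
	} {
		ann, err := ExtractAnnotations([]byte(raw))
		fmt.Println(ann, err)
	}
}
```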