
isabella232/fosstars-rating-core-action


Fosstars ratings

This action calculates a security rating or an OSS rule of play rating for an open source project. The rating contains a score and a label. The score is a number from 0 to 10.

It shows how well the project cares about security or open source community/maintenance aspects. The ratings take several aspects into account. You can find all the details regarding the various aspects in the section "What the security rating takes into account" of the security rating documentation and the section "What the OSS rules of play rating takes into account" of the OSS rules of play documentation. Additional information about Fosstars, how the ratings are calculated and related content is available in the documentation as well.

Fosstars uses only publicly available data about open source projects.

The action creates a detailed report that explains how the rating was calculated. In addition, the report contains recommendations for improving the respective rating.

Badges

The action generates one of the following badges that reflect the labels of the respective ratings (see security or OSS rules of play):

Security

  • Good security rating
  • Moderate security rating
  • Bad security rating
  • Unclear rating
  • Unknown rating

OSS Rules of Play

  • Rating passed
  • Rating passed with warnings
  • Rating failed
  • Unclear rating
  • Unknown security rating

The report and the badge are stored in a specified branch.

Inputs

rating

Required The rating this action should determine; can be security or oss-rules-of-play. Default security.

report-branch

Required A branch where the report and the badge should be stored. Default fosstars.

fosstars-version

Required A version of Fosstars to be used for calculating a rating. Default v1.7.0.

token

Required A token for fetching data about the project via GitHub API, and for committing the report and badge to the specified branch.

report-file

Optional A file name for the report. Default fosstars_report.md.

badge-file

Optional A file name for the badge. Default fosstars_badge.svg.

data-provider-config-urls

Optional A comma-separated list of data provider configuration URLs. The individual file names need to have the format ProviderClassName.yaml or ProviderClassName.config.yaml. As some data providers of the OSS Rules of Play rating require configuration files to work correctly, the SAP default configuration files are used if the oss-rules-of-play rating is specified and no configuration URLs are passed to the action.

How to use it

Here is an example workflow that updates the report every day, or whenever a commit is pushed. The report is stored in the fosstars-report branch.

name: "Fosstars"
on:
  push:
    branches:
      - main
  schedule:
    - cron: "0 0 * * *"

jobs:
  create_fosstars_report:
    runs-on: ubuntu-latest
    name: "Security rating"
    steps:
      - uses: actions/checkout@v2.3.4
      - uses: SAP/fosstars-rating-core-action@v1.0.0
        with:
          rating: security
          report-branch: fosstars-report
          report-file: fosstars_security_rating.md
          badge-file: fosstars_security_rating.svg
          token: ${{ secrets.GITHUB_TOKEN }}
          data-provider-config-urls: https://raw.githubusercontent.com/your-org/your-repo/main/conf/ReadmeInfo.config.yml,https://raw.githubusercontent.com/your-org/your-repo/main/conf/ContributingGuidelineInfo.config.yml,https://raw.githubusercontent.com/your-org/your-repo/main/conf/LicenseInfo.config.yml
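The data-provider-config-urls input above is a comma-separated list, and the Inputs section requires each file name to be ProviderClassName.yaml or ProviderClassName.config.yaml. The following shell function is an added example (not code from the fosstars-rating-core-action project) that checks such a list before it is put into a workflow: every entry must be an https URL and its last path segment must match that naming rule. Accepting the .yml spelling as well is an assumption made here because the sample workflow on this page uses it; the sample list and the function name are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the fosstars-rating-core-action project.
# Checks a comma-separated list of data provider configuration URLs, as
# passed to the `data-provider-config-urls` input, for the naming rule
# "ProviderClassName.yaml" / "ProviderClassName.config.yaml".
# Assumption: the ".yml" spelling is accepted too, since the README's own
# sample workflow uses it.

# validate_provider_config_urls LIST
#   Returns 0 when every entry in LIST is an https URL whose file name has
#   the required shape; otherwise prints each offending entry to stderr and
#   returns 1. The list is only inspected, nothing is fetched.
validate_provider_config_urls() {
  _list=$1
  _status=0
  _old_ifs=$IFS
  IFS=','
  # Word-splitting of $_list happens once here, on commas.
  for _url in $_list; do
    IFS=$_old_ifs
    # Every configuration file must be fetched over TLS.
    case $_url in
      https://*) ;;
      *) printf 'not an https URL: "%s"\n' "$_url" >&2; _status=1; continue ;;
    esac
    # Last path segment is the file name the action will look at.
    _file=${_url##*/}
    # ProviderClassName is a Java class name (uppercase first letter),
    # optionally followed by ".config", then the YAML extension.
    if ! printf '%s\n' "$_file" | grep -Eq '^[A-Z][A-Za-z0-9]*(\.config)?\.ya?ml$'; then
      printf 'file name does not match ProviderClassName[.config].yaml: "%s"\n' "$_url" >&2
      _status=1
    fi
  done
  IFS=$_old_ifs
  return $_status
}

# Constructed sample inputs (placeholders, not real repositories).
GOOD_LIST='https://raw.githubusercontent.com/your-org/your-repo/main/conf/ReadmeInfo.config.yml,https://raw.githubusercontent.com/your-org/your-repo/main/conf/LicenseInfo.yaml'
BAD_LIST='http://raw.githubusercontent.com/your-org/your-repo/main/conf/ReadmeInfo.config.yml,https://raw.githubusercontent.com/your-org/your-repo/main/conf/license.txt'

if validate_provider_config_urls "$GOOD_LIST"; then
  echo "sample list accepted"
fi
if ! validate_provider_config_urls "$BAD_LIST"; then
  echo "sample list with a plain-http URL and a misnamed file rejected"
fi
```

The check is purely syntactic: it confirms the shape the action documents, not that the files exist or parse. Running it in a pre-commit hook or a small CI job catches a mistyped provider name before the action silently falls back to defaults or fails at run time.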

The badge will be stored in the same branch. It can be used in a README file:

[![Fosstars security rating](https://raw.githubusercontent.com/your-organisation/your-project/fosstars-report/fosstars-security-rating.svg)](https://github.com/your-organisation/your-project/blob/fosstars-report/fosstars_security_rating.md)

Example

Check out an example workflow that runs the action. The workflow stores a report in the fosstars-report branch.

Known issues

Please see GitHub issues.

Support

Please create a new GitHub issue if you found a bug, or you'd like to suggest an enhancement. If you think you found a security issue, please follow this guideline.

If you have a question, please open a discussion.

Contributing

We appreciate feedback, ideas for improvements and, of course, pull requests.

Please follow this guideline if you'd like to contribute to the project.

Links

  1. Fosstars home page
  2. Fosstars documentation
  3. Open source security rating
  4. Security ratings for well-known open source projects
  5. Open source rules of play rating
