✨ Add policy file #1002

laurentsimon · 2021-09-11T01:06:55Z

Please check if the PR fulfills these requirements

Tests for the changes have been added (for bug fixes / features)
PR title follows the guidelines defined in https://github.com/ossf/scorecard/blob/main/CONTRIBUTING.md#pr-process

What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)
feature
What is the current behavior? (You can also link to an open issue here)
no policy support
What is the new behavior (if this is a feature change)?
policy file loaded - no effect yet
Does this PR introduce a breaking change? (What changes might users need to make in their application due to this PR?)
no
Other information:

naveensrinivasan · 2021-09-12T19:18:59Z

Sorry, I am still not clear with this feature. What does the policy file do?

laurentsimon · 2021-09-13T18:57:59Z

Sorry, I am still not clear with this feature. What does the policy file do?

PR still in Draft mode. TL:DR: the policy file will allow users to specify a minimum score for each check in order to customize the results and get a Pass/Fail per check.

The first use case is for SARIF in GitHub action: to allow users to define a minimum score; and be alerted if it's violated. Over time, we expect users to increase the minimum score to improve their security posture.

naveensrinivasan · 2021-09-14T13:27:46Z

Sorry, I am still not clear with this feature. What does the policy file do?

PR still in Draft mode. TL:DR: the policy file will allow users to specify a minimum score for each check in order to customize the results and get a Pass/Fail per check.

The first use case is for SARIF in GitHub action: to allow users to define a minimum score; and be alerted if it's violated. Over time, we expect users to increase the minimum score to improve their security posture.

Thanks

laurentsimon · 2021-09-14T15:35:36Z

policy/policy.go

+//nolint:govet
+type CheckPolicy struct {
+	Score int    `yaml:"score"`
+	Mode  string `yaml:"mode"`


I will add a Risk to this structure later. I will use the default doc risk or the policy risk if a policy is provided.
Main blocker here is doc link: to accommodate for dynamic risk, we need a proper doc web page and pass the risk as GET params. I'll add this to the doc soon.

policy/policy.go

policy/policy_test.go

main.go

cmd/root.go

laurentsimon · 2021-09-22T00:24:31Z

@azeemsgoogle I've addressed the comments. Can you take a second look?

cmd/root.go

azeemshaikh38 · 2021-09-22T00:40:46Z

cmd/root.go

+)
+
+func readPolicy() *spol.ScorecardPolicy {
+	if policyFile != "" {


No need for checking if the file is empty. Its already done on caller side.

cmd/root.go

azeemshaikh38 · 2021-09-22T00:46:46Z

policy/policy.proto

+        ENFORCED = 1;
+    }
+
+    Mode mode = 1;


Nit: a bool named enforced will do?

what if we add more modes later? I think a bool is compatible with an int which is compatible with enum, so bool -> enum conversion would work if we ever need to add other modes. So I think it's safe to use bool. Agreed? It does not hurt to keep enum, though.

policy/policy.proto

azeemshaikh38

LGTM with comments

laurentsimon marked this pull request as draft September 11, 2021 01:07

laurentsimon mentioned this pull request Sep 13, 2021

Can severity be integrated with score #894

Closed

laurentsimon force-pushed the feat/enforce branch from 68e031e to 4c322c5 Compare September 14, 2021 14:35

laurentsimon marked this pull request as ready for review September 14, 2021 14:36

laurentsimon requested review from naveensrinivasan and azeemshaikh38 September 14, 2021 14:37

laurentsimon commented Sep 14, 2021

View reviewed changes