Conversation

@alizard0
Member

@alizard0 alizard0 commented Dec 12, 2025

  1. Implemented abstract OpenSSF metric provider; its implementations are added to a list at runtime.
  2. Implemented OpenSSF Client (with only one GET request)
  3. Implemented tests
  4. Review the thresholds
  5. Perform end-to-end tests (using frontend)

@rhdh-gh-app

rhdh-gh-app bot commented Dec 12, 2025

Important

This PR includes changes that affect public-facing API. Please ensure you are adding/updating documentation for new features or behavior.

Missing Changesets

The following package(s) are changed by this PR but do not have a changeset:

  • @red-hat-developer-hub/backstage-plugin-scorecard-backend

See CONTRIBUTING.md for more information about how to add changesets.

Changed Packages

| Package Name | Package Path | Changeset Bump | Current Version |
|---|---|---|---|
| backend | workspaces/scorecard/packages/backend | none | v0.0.0 |
| @red-hat-developer-hub/backstage-plugin-scorecard-backend-module-openssf | workspaces/scorecard/plugins/scorecard-backend-module-openssf | minor | v0.0.0 |
| @red-hat-developer-hub/backstage-plugin-scorecard-backend | workspaces/scorecard/plugins/scorecard-backend | none | v2.2.0 |

Member

@JessicaJHee JessicaJHee left a comment

Looks great so far and works! Left a suggestion here, PTAL!

@dzemanov
Member

Thank you for the PR!

I have only a couple of questions:

  1. Default thresholds for numbers are set to the following values: <10 success, 10-50 warning, >50 error. Do these thresholds need to be adjusted for OpenSSF metrics? I see the resulting score should be out of 10, -1 is error?
  2. Does it make sense to allow admins to configure different custom thresholds for OpenSSF metrics in app-config, or should the same score always be mapped to the same threshold result (success, warning, error)?
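
The threshold question above, worked through as an added example (not code from this PR or the plugin): applying the quoted generic defaults to 0-10 OpenSSF scores reports failing checks as success, while a scale-aware mapping that treats -1 as an error does not. The `OPENSSF_RULES` cut-offs, all function names and the sample scores are assumptions made for illustration.

```typescript
// Added illustration: names and OPENSSF_RULES values are assumptions, not the plugin's code.
type Status = 'success' | 'warning' | 'error';
interface Rule { status: Status; matches: (score: number) => boolean; }

// Generic number defaults as quoted in the review: <10 success, 10-50 warning, >50 error.
const DEFAULT_RULES: Rule[] = [
  { status: 'success', matches: s => s < 10 },
  { status: 'warning', matches: s => s >= 10 && s <= 50 },
  { status: 'error', matches: s => s > 50 },
];

// Hypothetical rules for a 0-10 score where higher is better (first match wins).
const OPENSSF_RULES: Rule[] = [
  { status: 'success', matches: s => s >= 8 },
  { status: 'warning', matches: s => s >= 4 },
  { status: 'error', matches: s => s >= 0 },
];

// First matching rule wins; a score no rule matches fails closed as 'error'.
function evaluate(score: number, rules: Rule[]): Status {
  for (const rule of rules) {
    if (rule.matches(score)) return rule.status;
  }
  return 'error';
}

// Scale-aware wrapper: -1 and anything outside 0-10 is an error and is
// never compared against the thresholds.
function evaluateOpenSsf(score: number, rules: Rule[]): Status {
  if (!isFinite(score) || score < 0 || score > 10) return 'error';
  return evaluate(score, rules);
}

// Constructed sample scores keyed by OpenSSF Scorecard check name.
const SAMPLE: Record<string, number> = {
  'Code-Review': 10, 'Pinned-Dependencies': 6, 'Branch-Protection': 3,
  'Fuzzing': 0, 'Signed-Releases': -1,
};

// Evaluate every sample check, with or without the scale-aware guard.
function report(rules: Rule[], guard: boolean): Record<string, Status> {
  const out: Record<string, Status> = {};
  for (const name of Object.keys(SAMPLE)) {
    out[name] = guard ? evaluateOpenSsf(SAMPLE[name], rules) : evaluate(SAMPLE[name], rules);
  }
  return out;
}

console.log('generic defaults:', report(DEFAULT_RULES, false));
console.log('scale-aware rules:', report(OPENSSF_RULES, true));
```

With the generic defaults, a check scored 0 or -1 is reported as success and a perfect 10 as warning, which is the inversion the first question points at.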

@alizard0 alizard0 changed the title [DRAFT] Add OpenSSF Scorecard Add OpenSSF Scorecard Dec 22, 2025
@alizard0 alizard0 changed the title Add OpenSSF Scorecard feat(scorecard): add OpenSSF scorecard Dec 22, 2025
@alizard0
Member Author

/retest

@alizard0 alizard0 force-pushed the add-scorecard-backend-module-openssf branch from cec553f to 4eb490d Compare December 22, 2025 16:08
@alizard0
Member Author

/retest

@alizard0
Member Author

Quality Gate failed

Failed conditions 11.1% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

I don't agree tbh, the code isn't duplicated. This complains about a list with objects that contain data; the only "duplicated" code is the name of each variable of such objects.

@alizard0
Member Author

/retest

…ed unit tests; Added documentation; Review work
Member

@dzemanov dzemanov left a comment

Thank you @alizard0, works great!

@dzemanov
Member

You will just need to fix prettier:
yarn prettier:fix

@alizard0
Member Author

/retest

@christoph-jerolimov
Member

/override "SonarCloud Code Analysis"

@openshift-ci

openshift-ci bot commented Jan 5, 2026

@christoph-jerolimov: Overrode contexts on behalf of christoph-jerolimov: SonarCloud Code Analysis


@alizard0 alizard0 force-pushed the add-scorecard-backend-module-openssf branch from 569d252 to 30a5e3b Compare January 5, 2026 16:15
@alizard0 alizard0 force-pushed the add-scorecard-backend-module-openssf branch from 30a5e3b to fa3404c Compare January 7, 2026 08:58
@sonarqubecloud

sonarqubecloud bot commented Jan 7, 2026

Quality Gate failed

Failed conditions
11.1% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

@christoph-jerolimov christoph-jerolimov merged commit 562dcc6 into redhat-developer:main Jan 7, 2026
9 of 10 checks passed