scorecard: Add results file output for scorecard-monitor integration#800
Open
justaugustus wants to merge 2 commits into evidence-upload from
Add a -results-file flag that writes all Scorecard results as a JSON array in Scorecard's native JSON v2 format. This enables integration with scorecard-monitor's local-results-path input for org-wide dashboard reporting.

Implementation:
- collectResult() serializes each repo's sc.Result via AsJSON2() and stores it in a package-level collector (mutex-protected, same pattern as sarifHashMap)
- WriteResults(path) writes all collected results as a JSON array
- main.go calls WriteResults() after EnforceAll() when -results-file is set

Uses Scorecard's own JSONScorecardResultV2 type — no custom format. The output includes aggregate scores (computed via GetAggregateScore), per-check scores, repo name, commit SHA, and timestamps.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Stephen Augustus <foo@auggie.dev>

Remove unnecessary comments that reference downstream tools or restate obvious Go conventions.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Stephen Augustus <foo@auggie.dev>
Summary

Add a -results-file flag that writes Scorecard results in Scorecard JSON v2 format, enabling integration with scorecard-monitor for org-wide dashboard reporting.

Motivation

After implementing SARIF upload to GitHub Code Scanning (the evidence-upload branch), the next integration point is feeding Allstar results into scorecard-monitor for trend tracking and reporting. scorecard-monitor is adding a results-path input (ossf/scorecard-monitor#90) that can consume Scorecard results from a file instead of querying the public API.

Design

Uses Scorecard's own JSONScorecardResultV2 format via Result.AsJSON2() — no custom format. This ensures compatibility with scorecard-monitor and any other tool that consumes Scorecard JSON output.

Results are collected at the policy level (scorecard package) using a mutex-protected collector, following the same pattern as sarifHashMap. The main binary calls WriteResults() after EnforceAll() completes.

Usage

Output is an array of Scorecard JSON v2 objects — one per scanned repo.

Related PRs

- results-path input to scorecard-monitor (consuming end)
- evidence-upload branch (SARIF upload feature)

Test plan

- go vet clean

🤖 Generated with Claude Code