Update Scorecard API usage

ossf · Jun 6, 2022 · a9f6a91 · a9f6a91
1 parent 8e9099b
commit a9f6a91
Show file tree

Hide file tree

Showing 4 changed files with 83 additions and 7 deletions.
diff --git a/Dockerfile.golang b/Dockerfile.golang
@@ -0,0 +1,51 @@
+# Copyright 2021 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Testing: docker run -e GITHUB_REF=refs/heads/main \
+#           -e GITHUB_EVENT_NAME=branch_protection_rule \
+#           -e INPUT_RESULTS_FORMAT=sarif \
+#           -e INPUT_RESULTS_FILE=results.sarif \
+#           -e GITHUB_WORKSPACE=/ \
+#           -e INPUT_POLICY_FILE="/policy.yml" \
+#           -e INPUT_REPO_TOKEN=$GITHUB_AUTH_TOKEN \
+#           -e GITHUB_REPOSITORY="ossf/scorecard" \
+#           laurentsimon/scorecard-action:latest
+
+#v1.17 go
+FROM golang@sha256:bd9823cdad5700fb4abe983854488749421d5b4fc84154c30dae474100468b85 AS base
+WORKDIR /src
+ENV CGO_ENABLED=0
+COPY go.* ./
+RUN go mod download
+COPY . ./
+
+FROM base AS build
+ARG TARGETOS
+ARG TARGETARCH
+RUN CGO_ENABLED=0 make build
+
+# TODO: use distroless:
+# FROM gcr.io/distroless/base:nonroot@sha256:02f667185ccf78dbaaf79376b6904aea6d832638e1314387c2c2932f217ac5cb
+FROM debian:11.3-slim@sha256:78fd65998de7a59a001d792fe2d3a6d2ea25b6f3f068e5c84881250373577414
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+    # For debugging.
+    jq ca-certificates curl
+COPY --from=build /src/scorecard-action /
+
+# Copy a test policy for local testing.
+COPY policies/template.yml  /policy.yml
+
+ENTRYPOINT [ "/scorecard-action" ]
diff --git a/cloudbuild.yaml b/cloudbuild.yaml
@@ -0,0 +1,21 @@
+# Copyright 2021 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+steps:
+- name: 'gcr.io/cloud-builders/docker'
+  args: ['build', '.',
+    '-t', 'gcr.io/openssf/scorecard-action:latest',
+    '-t', 'gcr.io/openssf/scorecard-action:$COMMIT_SHA',
+    '-f', 'Dockerfile.golang']
+images: ['gcr.io/openssf/scorecard-action']
diff --git a/main.go b/main.go
@@ -48,7 +48,8 @@ func main() {
 		// Processes json results.
 		repoName := os.Getenv(options.EnvGithubRepository)
 		repoRef := os.Getenv(options.EnvGithubRef)
-		if err := signing.ProcessSignature(jsonPayload, repoName, repoRef); err != nil {
+		accessToken := os.Getenv(options.EnvInputRepoToken)
+		if err := signing.ProcessSignature(jsonPayload, repoName, repoRef, accessToken); err != nil {
 			log.Fatalf("error processing signature: %v", err)
 		}
 	}

diff --git a/signing/signing.go b/signing/signing.go
@@ -86,12 +86,17 @@ func GetJSONScorecardResults() ([]byte, error) {
 }
 
 // ProcessSignature calls scorecard-api to process & upload signed scorecard results.
-func ProcessSignature(jsonPayload []byte, repoName, repoRef string) error {
+func ProcessSignature(jsonPayload []byte, repoName, repoRef, accessToken string) error {
 	// Prepare HTTP request body for scorecard-webapp-api call.
+	// TODO: Use the `ScorecardResult` struct from `scorecard-webapp`.
 	resultsPayload := struct {
-		JSONOutput string
+		Result      string `json:"result"`
+		Branch      string `json:"branch"`
+		AccessToken string `json:"accessToken"`
 	}{
-		JSONOutput: string(jsonPayload),
+		Result:      string(jsonPayload),
+		Branch:      repoRef,
+		AccessToken: accessToken,
 	}
 
 	payloadBytes, err := json.Marshal(resultsPayload)
@@ -101,13 +106,11 @@ func ProcessSignature(jsonPayload []byte, repoName, repoRef string) error {
 
 	// Call scorecard-webapp-api to process and upload signature.
 	// Setup HTTP request and context.
-	url := "https://api.securityscorecards.dev/verify"
+	url := fmt.Sprintf("https://api.securityscorecards.dev/projects/%s", repoName)
 	req, err := http.NewRequest("POST", url, bytes.NewBuffer(payloadBytes)) //nolint
 	if err != nil {
 		return fmt.Errorf("creating HTTP request: %w", err)
 	}
-	req.Header.Set("X-Repository", repoName)
-	req.Header.Set("X-Branch", repoRef)
 
 	ctx, cancel := context.WithTimeout(req.Context(), 10*time.Second)
 	defer cancel()