diff --git a/Dockerfile.golang b/Dockerfile.golang
new file mode 100644
index 00000000..cb72e9e6
--- /dev/null
+++ b/Dockerfile.golang
@@ -0,0 +1,51 @@
+# Copyright 2021 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Testing: docker run -e GITHUB_REF=refs/heads/main \
+# -e GITHUB_EVENT_NAME=branch_protection_rule \
+# -e INPUT_RESULTS_FORMAT=sarif \
+# -e INPUT_RESULTS_FILE=results.sarif \
+# -e GITHUB_WORKSPACE=/ \
+# -e INPUT_POLICY_FILE="/policy.yml" \
+# -e INPUT_REPO_TOKEN=$GITHUB_AUTH_TOKEN \
+# -e GITHUB_REPOSITORY="ossf/scorecard" \
+# laurentsimon/scorecard-action:latest
+
+#v1.17 go
+FROM golang@sha256:bd9823cdad5700fb4abe983854488749421d5b4fc84154c30dae474100468b85 AS base
+WORKDIR /src
+ENV CGO_ENABLED=0
+COPY go.* ./
+RUN go mod download
+COPY . ./
+
+FROM base AS build
+ARG TARGETOS
+ARG TARGETARCH
+RUN CGO_ENABLED=0 make build
+
+# TODO: use distroless:
+# FROM gcr.io/distroless/base:nonroot@sha256:02f667185ccf78dbaaf79376b6904aea6d832638e1314387c2c2932f217ac5cb
+FROM debian:11.3-slim@sha256:78fd65998de7a59a001d792fe2d3a6d2ea25b6f3f068e5c84881250373577414
+
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends \
+ # For debugging.
+ jq ca-certificates curl
+COPY --from=build /src/scorecard-action /
+
+# Copy a test policy for local testing.
+COPY policies/template.yml /policy.yml
+
+ENTRYPOINT [ "/scorecard-action" ]
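Review bot: The final debian stage installs `jq` and `curl` "for debugging" and never clears the apt lists, so the image every workflow run executes ships a download tool and stale package indexes it does not need at runtime; of the three packages only `ca-certificates` looks required, for the HTTPS call the binary makes to the Scorecard API. I would trim the step to `RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates && rm -rf /var/lib/apt/lists/*` and keep debugging tools in a local-only stage. The commented-out distroless `base:nonroot` TODO would drop the package manager entirely and already carries CA certificates, but Docker container actions are started by the runner as root with the workspace mounted in, so any `USER` switch needs to be checked against how the action is invoked. `COPY . ./` in the base stage pulls in the whole build context, so confirm a `.dockerignore` excludes `.git` and any local credentials.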
diff --git a/cloudbuild.yaml b/cloudbuild.yaml
new file mode 100644
index 00000000..20ca8351
--- /dev/null
+++ b/cloudbuild.yaml
@@ -0,0 +1,21 @@
+# Copyright 2021 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+steps:
+- name: 'gcr.io/cloud-builders/docker'
+ args: ['build', '.',
+ '-t', 'gcr.io/openssf/scorecard-action:latest',
+ '-t', 'gcr.io/openssf/scorecard-action:$COMMIT_SHA',
+ '-f', 'Dockerfile.golang']
+images: ['gcr.io/openssf/scorecard-action']
diff --git a/e2e/README.md b/e2e/README.md
index db368d0d..b6f9dff1 100644
--- a/e2e/README.md
+++ b/e2e/README.md
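Review bot: The trigger pushes a mutable `gcr.io/openssf/scorecard-action:latest` tag which, per the README in this change, is what the e2e workflows reference through `uses:`, so whoever controls this build or the GCR project can change what every consuming workflow executes with no diff on the consumer's side. `$COMMIT_SHA` gives an immutable tag, but only the Dockerfile's `FROM` lines are digest-pinned; the image produced here is neither signed nor attested. I would have consumers pin by digest (`docker://gcr.io/openssf/scorecard-action@sha256:…`) and add a signing or provenance step to the build (cosign keyless, for instance) so the image can be verified before it runs. Also confirm the trigger only fires for protected branches of this repository, since the checked-out `.` is handed to `docker build` unmodified.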
@@ -1,29 +1,70 @@ +# What + +e2e Scorecard action tests for differences in functionality between Scorecard +action implemented in Bash and the updated version implemented using Golang. +These e2e tests will be used until the release of Scorecard Golang action after +which these tests will be modified to run regular e2e testing. + +# Setup + +For testing functionality difference between the 2 implementations, we need a +setup which can invoke these implementations through a GitHub Action on the same +repo/commitSHA. We achieve this by: + +1. The 2 implementations are built using 2 separate Dockerfiles. `./Dockerfile` + for Bash and `./Dockerfile.golang` for Golang. +2. A CloudBuild trigger uses `./cloudbuild.yaml` to continuously build and + generate the Golang Docker image. This also helps reduce run time during the + actual GitHub Action run. The generated Docker image is tagged + `scorecard-action:latest`. +3. Bash implementation at `HEAD` is invoked by referencing: `uses: + ossf/scorecard-action@main` in a GitHub workflow file. +4. The same repository invokes Golang implementation by referencing: `uses: + gcr.io/openssf/scorecard-action:latest` +5. The artifact (SARIF file) produced by these 2 implementations are diff-ed to + verify functional similarity. This step is not yet automated and is largely + manual. + # e2e tests -The `e2e` tests for the action is run by running the action every day on a cron for different use cases. The action that run points to `@main` which helps in catching issues sooner. +The `e2e` tests for the action is run by running the action every day on a cron +for different use cases. The action that run points to `@main` which helps in +catching issues sooner. 
-If these actions fails to run these actions would create an issue in the repository using https://github.com/naveensrinivasan/Create-GitHub-Issue +If these actions fails to run these actions would create an issue in the +repository using https://github.com/naveensrinivasan/Create-GitHub-Issue The actions primarily run out of https://github.com/ossf-tests organization. ## Status -| Testcase | Repository | Status. | -| -------- | -------- | -------- | -| Fork | https://github.com/ossf-tests/scorecard-action | [![Fork](https://github.com/ossf-tests/scorecard-action/actions/workflows/scorecards.yml/badge.svg)](https://github.com/ossf-tests/scorecard-action/actions/workflows/scorecards.yml) | -| Non-main-branch | https://github.com/ossf-tests/scorecard-action-non-main-branch | [![non-main-branch](https://github.com/ossf-tests/scorecard-action-non-main-branch/actions/workflows/scorecard-analysis.yml/badge.svg?branch=other)](https://github.com/ossf-tests/scorecard-action-non-main-branch/actions/workflows/scorecard-analysis.yml) | -|Private repository|https://github.com/test-organization-ls/scorecard-action-private-repo-tests| [![Scorecards supply-chain security](https://github.com/test-organization-ls/scorecard-action-private-repo-tests/actions/workflows/scorecard.yml/badge.svg)](https://github.com/test-organization-ls/scorecard-action-private-repo-tests/actions/workflows/scorecard.yml) | - -| Fork-golang-staging | https://github.com/ossf-tests/scorecard-action |[![Scorecards supply-chain security](https://github.com/ossf-tests/scorecard-action/actions/workflows/scorecards-golang.yml/badge.svg)](https://github.com/ossf-tests/scorecard-action/actions/workflows/scorecards-golang.yml) -| Non-main-branch-golang-staging | https://github.com/ossf-tests/scorecard-action-non-main-branch | [![Scorecards supply-chain security 
golang](https://github.com/ossf-tests/scorecard-action-non-main-branch/actions/workflows/scorecard-golang.yml/badge.svg)](https://github.com/ossf-tests/scorecard-action-non-main-branch/actions/workflows/scorecard-golang.yml) -|Private repository-golang-staging|https://github.com/test-organization-ls/scorecard-action-private-repo-tests|[![Scorecards supply-chain security golang](https://github.com/test-organization-ls/scorecard-action-private-repo-tests/actions/workflows/scorecards-golang.yml/badge.svg)](https://github.com/test-organization-ls/scorecard-action-private-repo-tests/actions/workflows/scorecards-golang.yml) +Testcase | Repository | Status. +------------------ | --------------------------------------------------------------------------- | ------- +Fork | https://github.com/ossf-tests/scorecard-action | [![Fork](https://github.com/ossf-tests/scorecard-action/actions/workflows/scorecards.yml/badge.svg)](https://github.com/ossf-tests/scorecard-action/actions/workflows/scorecards.yml) +Non-main-branch | https://github.com/ossf-tests/scorecard-action-non-main-branch | [![non-main-branch](https://github.com/ossf-tests/scorecard-action-non-main-branch/actions/workflows/scorecard-analysis.yml/badge.svg?branch=other)](https://github.com/ossf-tests/scorecard-action-non-main-branch/actions/workflows/scorecard-analysis.yml) +Private repository | https://github.com/test-organization-ls/scorecard-action-private-repo-tests | [![Scorecards supply-chain security](https://github.com/test-organization-ls/scorecard-action-private-repo-tests/actions/workflows/scorecard.yml/badge.svg)](https://github.com/test-organization-ls/scorecard-action-private-repo-tests/actions/workflows/scorecard.yml) +| Fork-golang-staging | https://github.com/ossf-tests/scorecard-action +|[![Scorecards supply-chain 
security](https://github.com/ossf-tests/scorecard-action/actions/workflows/scorecards-golang.yml/badge.svg)](https://github.com/ossf-tests/scorecard-action/actions/workflows/scorecards-golang.yml) +| Non-main-branch-golang-staging | +https://github.com/ossf-tests/scorecard-action-non-main-branch | +[![Scorecards supply-chain security golang](https://github.com/ossf-tests/scorecard-action-non-main-branch/actions/workflows/scorecard-golang.yml/badge.svg)](https://github.com/ossf-tests/scorecard-action-non-main-branch/actions/workflows/scorecard-golang.yml) +|Private +repository-golang-staging|https://github.com/test-organization-ls/scorecard-action-private-repo-tests|[![Scorecards supply-chain security golang](https://github.com/test-organization-ls/scorecard-action-private-repo-tests/actions/workflows/scorecards-golang.yml/badge.svg)](https://github.com/test-organization-ls/scorecard-action-private-repo-tests/actions/workflows/scorecards-golang.yml) ## Diff between golang-staging branch and main -- Here is the sarif results diff between main and golang-staging. There are few text diffs https://github.com/ossf-tests/scorecard-action-results/pull/1/files. The PR is for golang run results. The `main` branch has the `scorecard-action` `main` branch run results. +- Here is the sarif results diff between main and golang-staging. There are + few text diffs + https://github.com/ossf-tests/scorecard-action-results/pull/1/files. The PR + is for golang run results. The `main` branch has the `scorecard-action` + `main` branch run results. ## Steps to add a new test case -1. Create a new repository in the `ossf-tests` organization -2. Clone this workflow https://github.com/ossf-tests/scorecard-action-non-main-branch/blob/other/.github/workflows/scorecard-analysis.yml which has the steps to create an issue if the action fails to run. If the action fails it should create an issue like this https://github.com/ossf/scorecard-action/issues/147 +1. 
Create a new repository in the `ossf-tests` organization +2. Clone this workflow + https://github.com/ossf-tests/scorecard-action-non-main-branch/blob/other/.github/workflows/scorecard-analysis.yml + which has the steps to create an issue if the action fails to run. If the + action fails it should create an issue like this + https://github.com/ossf/scorecard-action/issues/147 diff --git a/main.go b/main.go index 9cb6b59d..ef633464 100644 --- a/main.go +++ b/main.go @@ -48,7 +48,8 @@ func main() { // Processes json results. repoName := os.Getenv(options.EnvGithubRepository) repoRef := os.Getenv(options.EnvGithubRef) - if err := signing.ProcessSignature(jsonPayload, repoName, repoRef); err != nil { + accessToken := os.Getenv(options.EnvInputRepoToken) + if err := signing.ProcessSignature(jsonPayload, repoName, repoRef, accessToken); err != nil { log.Fatalf("error processing signature: %v", err) } } diff --git a/signing/signing.go b/signing/signing.go index feca6b10..f76c56c3 100644 --- a/signing/signing.go +++ b/signing/signing.go @@ -24,6 +24,7 @@ import ( "io" "io/ioutil" "net/http" + "net/url" "os" "time" @@ -86,12 +87,17 @@ func GetJSONScorecardResults() ([]byte, error) { } // ProcessSignature calls scorecard-api to process & upload signed scorecard results. -func ProcessSignature(jsonPayload []byte, repoName, repoRef string) error { +func ProcessSignature(jsonPayload []byte, repoName, repoRef, accessToken string) error { // Prepare HTTP request body for scorecard-webapp-api call. + // TODO: Use the `ScorecardResult` struct from `scorecard-webapp`. resultsPayload := struct { - JSONOutput string + Result string `json:"result"` + Branch string `json:"branch"` + AccessToken string `json:"accessToken"` }{ - JSONOutput: string(jsonPayload), + Result: string(jsonPayload), + Branch: repoRef, + AccessToken: accessToken, } payloadBytes, err := json.Marshal(resultsPayload) 
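Review bot: `accessToken` read from `INPUT_REPO_TOKEN` is handed to `ProcessSignature`, which in the signing.go hunk of this change serializes it into the request body sent to api.securityscorecards.dev, yet nothing at the call site signals that a repository credential leaves the runner. A comment on the new line would make that explicit: `// Forwarded to the Scorecard API, presumably so it can verify our access to the repo; use the workflow's GITHUB_TOKEN, not a long-lived PAT.` Whether an empty token is acceptable or should fail fast before the network call depends on the API contract, which is not visible here; if it is required, a `log.Fatalf` naming `options.EnvInputRepoToken` would be clearer than the generic "error processing signature". `main` starts before this hunk.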
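Review bot: `AccessToken` places the repo token inside `payloadBytes`, so the token now sits in a buffer that is easy to log or dump on an error path; the function continues past the marshal call outside this hunk, so I cannot see whether the payload is ever printed, but a guard comment on the struct is warranted: `// Carries the repo token: never log or embed payloadBytes in errors.` If the API permits it, an `Authorization: Bearer` header would keep the credential out of request bodies that proxies or the server may persist. `Branch` is filled from `repoRef`, which main.go reads from `GITHUB_REF` (e.g. `refs/heads/main`), so it holds a full ref rather than a branch name; either the field name or a `refs/heads/` strip should match what the API expects. `ProcessSignature` continues outside this hunk.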
@@ -101,13 +107,15 @@ func ProcessSignature(jsonPayload []byte, repoName, repoRef string) error { // Call scorecard-webapp-api to process and upload signature. // Setup HTTP request and context. - url := "https://api.securityscorecards.dev/verify" - req, err := http.NewRequest("POST", url, bytes.NewBuffer(payloadBytes)) //nolint + rawURL := fmt.Sprintf("https://api.securityscorecards.dev/projects/github.com/%s", repoName) + parsedURL, err := url.Parse(rawURL) + if err != nil { + return fmt.Errorf("parsing Scorecard API endpoint: %w", err) + } + req, err := http.NewRequest("POST", parsedURL.String(), bytes.NewBuffer(payloadBytes)) //nolint if err != nil { return fmt.Errorf("creating HTTP request: %w", err) } - req.Header.Set("X-Repository", repoName) - req.Header.Set("X-Branch", repoRef) ctx, cancel := context.WithTimeout(req.Context(), 10*time.Second) defer cancel() @@ -121,7 +129,7 @@ func ProcessSignature(jsonPayload []byte, repoName, repoRef string) error { } defer resp.Body.Close() - if resp.StatusCode != 200 { + if resp.StatusCode != http.StatusCreated { bodyBytes, err := io.ReadAll(resp.Body) if err != nil { return fmt.Errorf("reading response body: %w", err) diff --git a/signing/signing_test.go b/signing/signing_test.go index b885f6c3..1f4b3d41 100644 --- a/signing/signing_test.go +++ b/signing/signing_test.go @@ -77,14 +77,15 @@ func Test_ProcessSignature(t *testing.T) { t.Parallel() jsonPayload, err := ioutil.ReadFile("testdata/results.json") - repoName := "rohankh532/scorecard-OIDC-test" + repoName := "ossf-tests/scorecard-action" repoRef := "refs/heads/main" + accessToken := "" if err != nil { t.Errorf("Error reading testdata:, %v", err) } - if err := ProcessSignature(jsonPayload, repoName, repoRef); err != nil { + if err := ProcessSignature(jsonPayload, repoName, repoRef, accessToken); err != nil { t.Errorf("ProcessSignature() error:, %v", err) return } 
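Review bot: `repoName` comes straight from the `GITHUB_REPOSITORY` environment variable and is interpolated into the URL path via `fmt.Sprintf`; `url.Parse` neither rejects nor escapes it, so a value containing `?`, `#` or spaces (the Dockerfile's testing recipe shows it being set by hand) redirects the request to a different endpoint or fails with an obscure parse error. Building the URL from a `url.URL` struct makes `String()` percent-escape the path, and a cheap shape check on `owner/repo` rejects malformed input before anything is sent; the check below needs `strings` added to the import block. `ProcessSignature` starts and ends outside this hunk.

```go
	// GITHUB_REPOSITORY is expected as "owner/repo"; refuse anything else before building the URL.
	if parts := strings.Split(repoName, "/"); len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return fmt.Errorf("invalid repository name %q", repoName)
	}
	apiURL := url.URL{
		Scheme: "https",
		Host:   "api.securityscorecards.dev",
		Path:   fmt.Sprintf("/projects/github.com/%s", repoName),
	}
	req, err := http.NewRequest("POST", apiURL.String(), bytes.NewBuffer(payloadBytes)) //nolint
	// … unchanged: error check, context timeout …
```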
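Review bot: On a non-201 response the body is read with an unbounded `io.ReadAll` and, presumably, folded into the returned error, so a misbehaving or hostile server can make the action allocate an arbitrarily large body and echo it into workflow logs. Bounding the read keeps the error useful without that exposure: `bodyBytes, err := io.ReadAll(io.LimitReader(resp.Body, 64<<10))`. `!= http.StatusCreated` also treats any other 2xx as failure; if that is deliberate for this endpoint, a one-line comment stating that success is always 201 would save the next reader a trip to the API source. `ProcessSignature` ends outside this hunk.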
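Review bot: `Test_ProcessSignature` still exercises the real `https://api.securityscorecards.dev` endpoint, now for `ossf-tests/scorecard-action` with an empty `accessToken`, so every `go test` run needs network access, depends on production being up, and POSTs a results payload to the public API, while a test that passes with an empty token says nothing about how a real token is carried. I would give `ProcessSignature` an injectable base URL or `http.Client`, serve the response from `httptest.NewServer`, and assert on the received path `/projects/github.com/ossf-tests/scorecard-action`, the JSON `accessToken` field and that a non-201 status yields an error; until then, gate the live call behind `testing.Short()` or an environment variable. The surrounding `if err != nil { t.Errorf(...) }` after `ReadFile` does not return, so a missing testdata file still proceeds to the network call with a nil payload.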
diff --git a/signing/testdata/results.json b/signing/testdata/results.json index a986a1a6..3bd866ee 100644 --- a/signing/testdata/results.json +++ b/signing/testdata/results.json 
@@ -1 +1 @@ -{"date":"2022-03-21","repo":{"name":"github.com/rohankh532/scorecard-OIDC-test","commit":"80ec5079f66133cb6cefb09aad9b4565456b7f70"},"scorecard":{"version":"unknown","commit":"unknown"},"score":5.0,"checks":[{"details":null,"score":10,"reason":"no binaries found in the repo","name":"Binary-Artifacts","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts","short":"Determines if the project has generated executable (binary) artifacts in the source repository."}},{"details":null,"score":0,"reason":"branch protection not enabled on development/release branches","name":"Branch-Protection","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection","short":"Determines if the default and release branches are protected with GitHub's branch protection settings."}},{"details":null,"score":-1,"reason":"no pull request found","name":"CI-Tests","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests","short":"Determines if the project runs tests before pull requests are merged."}},{"details":null,"score":0,"reason":"no badge detected","name":"CII-Best-Practices","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices","short":"Determines if the project has a CII Best Practices Badge."}},{"details":null,"score":0,"reason":"no reviews found","name":"Code-Review","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review","short":"Determines if the project requires code review before pull requests (aka merge requests) are merged."}},{"details":null,"score":3,"reason":"1 different companies found -- score normalized to 3","name":"Contributors","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#contributors","short":"Determines if the project has a set of contributors from multiple organizations (e.g., 
companies)."}},{"details":null,"score":10,"reason":"no dangerous workflow patterns detected","name":"Dangerous-Workflow","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow","short":"Determines if the project's GitHub Action workflows avoid dangerous patterns."}},{"details":null,"score":0,"reason":"no update tool detected","name":"Dependency-Update-Tool","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool","short":"Determines if the project uses a dependency update tool."}},{"details":null,"score":0,"reason":"project is not fuzzed","name":"Fuzzing","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing","short":"Determines if the project uses fuzzing."}},{"details":null,"score":0,"reason":"license file not detected","name":"License","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#license","short":"Determines if the project has defined a license."}},{"details":null,"score":10,"reason":"30 commit(s) out of 30 and 0 issue activity out of 0 found in the last 90 days -- score normalized to 10","name":"Maintained","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained","short":"Determines if the project is \"actively maintained\"."}},{"details":null,"score":-1,"reason":"no published package detected","name":"Packaging","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#packaging","short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall."}},{"details":null,"score":8,"reason":"dependency not pinned by hash detected -- score normalized to 8","name":"Pinned-Dependencies","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies","short":"Determines if the project has declared and pinned its 
dependencies."}},{"details":null,"score":0,"reason":"no SAST tool detected","name":"SAST","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast","short":"Determines if the project uses static code analysis."}},{"details":null,"score":0,"reason":"security policy file not detected","name":"Security-Policy","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy","short":"Determines if the project has published a security policy."}},{"details":null,"score":-1,"reason":"no releases found","name":"Signed-Releases","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases","short":"Determines if the project cryptographically signs release artifacts."}},{"details":null,"score":10,"reason":"tokens are read-only in GitHub workflows","name":"Token-Permissions","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions","short":"Determines if the project's workflows follow the principle of least privilege."}},{"details":null,"score":10,"reason":"no vulnerabilities detected","name":"Vulnerabilities","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities","short":"Determines if the project has open, known unfixed vulnerabilities."}}],"metadata":null} +{"date":"2022-06-01","repo":{"name":"github.com/ossf-tests/scorecard-action","commit":"ce7443af32a20ce3e55d18da9ae434364f04b450"},"scorecard":{"version":"unknown","commit":"unknown"},"score":5.8,"checks":[{"details":null,"score":10,"reason":"no binaries found in the repo","name":"Binary-Artifacts","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts","short":"Determines if the project has generated executable (binary) artifacts in the source repository."}},{"details":null,"score":0,"reason":"branch protection not enabled on development/release 
branches","name":"Branch-Protection","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection","short":"Determines if the default and release branches are protected with GitHub's branch protection settings."}},{"details":null,"score":10,"reason":"1 out of 1 merged PRs checked by a CI test -- score normalized to 10","name":"CI-Tests","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests","short":"Determines if the project runs tests before pull requests are merged."}},{"details":null,"score":0,"reason":"no badge detected","name":"CII-Best-Practices","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices","short":"Determines if the project has a CII Best Practices Badge."}},{"details":null,"score":0,"reason":"GitHub code reviews found for 1 commits out of the last 30 -- score normalized to 0","name":"Code-Review","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review","short":"Determines if the project requires code review before pull requests (aka merge requests) are merged."}},{"details":null,"score":10,"reason":"5 different companies found -- score normalized to 10","name":"Contributors","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#contributors","short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies)."}},{"details":null,"score":10,"reason":"no dangerous workflow patterns detected","name":"Dangerous-Workflow","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow","short":"Determines if the project's GitHub Action workflows avoid dangerous patterns."}},{"details":null,"score":10,"reason":"update tool detected","name":"Dependency-Update-Tool","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool","short":"Determines 
if the project uses a dependency update tool."}},{"details":null,"score":0,"reason":"project is not fuzzed","name":"Fuzzing","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing","short":"Determines if the project uses fuzzing."}},{"details":null,"score":0,"reason":"license file not detected","name":"License","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#license","short":"Determines if the project has defined a license."}},{"details":null,"score":10,"reason":"30 commit(s) out of 30 and 0 issue activity out of 0 found in the last 90 days -- score normalized to 10","name":"Maintained","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained","short":"Determines if the project is \"actively maintained\"."}},{"details":null,"score":-1,"reason":"no published package detected","name":"Packaging","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#packaging","short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall."}},{"details":null,"score":8,"reason":"dependency not pinned by hash detected -- score normalized to 8","name":"Pinned-Dependencies","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies","short":"Determines if the project has declared and pinned its dependencies."}},{"details":null,"score":10,"reason":"SAST tool is run on all commits","name":"SAST","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast","short":"Determines if the project uses static code analysis."}},{"details":null,"score":0,"reason":"security policy file not detected","name":"Security-Policy","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy","short":"Determines if the project has published a security 
policy."}},{"details":null,"score":-1,"reason":"no releases found","name":"Signed-Releases","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases","short":"Determines if the project cryptographically signs release artifacts."}},{"details":null,"score":0,"reason":"non read-only tokens detected in GitHub workflows","name":"Token-Permissions","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions","short":"Determines if the project's workflows follow the principle of least privilege."}},{"details":null,"score":10,"reason":"no vulnerabilities detected","name":"Vulnerabilities","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities","short":"Determines if the project has open, known unfixed vulnerabilities."}},{"details":null,"score":-1,"reason":"check is not supported for this request: SCORECARD_V6 is not set, not running the Webhook check","name":"Webhooks","documentation":{"url":"https://github.com/ossf/scorecard/blob/main/docs/checks.md#webhooks","short":"This check validate if the webhook defined in the repository have a token configured."}}],"metadata":null}