
support querying platform specific API capabilities in RepoClient #4049

spencerschrock opened this issue Apr 22, 2024 · 2 comments
Labels: area/api, kind/enhancement (New feature or request)

spencerschrock (Contributor) wrote:
Is your feature request related to a problem? Please describe.
The RepoClient interface contains shared functionality between forges. However, when a feature is forge-specific, it becomes difficult to query it without polluting the RepoClient interface. This makes it difficult to support issues (such as #2465), which is a GitHub-specific implementation of a portion of the Security-Policy check.

```go
// RepoClient interface is used by Scorecard checks to access a repo.
type RepoClient interface {
	InitRepo(repo Repo, commitSHA string, commitDepth int) error
	URI() string
	IsArchived() (bool, error)
	// ... (remaining methods not quoted in the issue)
}
```

Describe the solution you'd like
There should be a way of querying platform specific values.

Other examples of features we might want to be able to query (although can't yet):

  • hasVulnerabilityAlertsEnabled (GitHub link)
  • default token permissions (GitHub, not an API)
  • requiring approval for external contributor workflow runs (GitHub, not an API yet, link)

Describe alternatives you've considered
We could add something like ListSecurityPolicies, but that seems short-sighted for this problem. There are other features we'd like to one day query, and we can't add a method for all of them.

We could also "inject" this private reporting as a file, so that we create a fake file which would be detected normally by the current Security-Policy check. This might work for this specific example, but would fail on other features.

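One way to query a forge-specific capability without widening RepoClient, as an added example that is not scorecard's own code: an optional interface that a forge client may implement, which a check probes with a type assertion and otherwise treats as unsupported. Repo, ErrUnsupported, VulnerabilityAlertsQuerier, GitHubClient and LocalClient are hypothetical, simplified stand-ins.

```go
package main

import "fmt"

// ErrUnsupported is a hypothetical "not supported here" sentinel, not scorecard's own.
var ErrUnsupported = fmt.Errorf("feature unsupported by this client")

// Repo is a simplified stand-in for scorecard's Repo type.
type Repo interface{ URI() string }

// RepoClient mirrors the shared methods quoted in the issue.
type RepoClient interface {
	InitRepo(repo Repo, commitSHA string, commitDepth int) error
	URI() string
	IsArchived() (bool, error)
}

// VulnerabilityAlertsQuerier is an optional capability: only forges that
// expose the API implement it, and RepoClient itself stays unchanged.
type VulnerabilityAlertsQuerier interface {
	HasVulnerabilityAlertsEnabled() (bool, error)
}

// HasVulnerabilityAlerts asks only clients advertising the capability;
// any other client yields ErrUnsupported so a check can degrade cleanly.
func HasVulnerabilityAlerts(rc RepoClient) (bool, error) {
	q, ok := rc.(VulnerabilityAlertsQuerier)
	if !ok {
		return false, fmt.Errorf("%w: vulnerability alerts on %s", ErrUnsupported, rc.URI())
	}
	return q.HasVulnerabilityAlertsEnabled()
}

// GitHubClient is a stand-in forge that supports the capability.
type GitHubClient struct{ Alerts bool }
func (GitHubClient) InitRepo(Repo, string, int) error { return nil }
func (GitHubClient) URI() string { return "github.com/example/repo" }
func (GitHubClient) IsArchived() (bool, error) { return false, nil }
func (g GitHubClient) HasVulnerabilityAlertsEnabled() (bool, error) { return g.Alerts, nil }

// LocalClient is a stand-in forge with no such API.
type LocalClient struct{}
func (LocalClient) InitRepo(Repo, string, int) error { return nil }
func (LocalClient) URI() string { return "file:///tmp/repo" }
func (LocalClient) IsArchived() (bool, error) { return false, nil }

func main() {
	on, err := HasVulnerabilityAlerts(LocalClient{})
	fmt.Println(on, err) // false, "feature unsupported by this client: ..."
}
```

A check can then call `errors.Is(err, ErrUnsupported)` to skip or score neutrally on forges that lack the API instead of failing the whole run.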
@spencerschrock spencerschrock added kind/enhancement New feature or request area/api labels Apr 22, 2024
spencerschrock (Contributor, Author) commented:

@raghavkaul This may be related to the Metadata() function we've discussed in the past, although it may be its own thing.

pnacht (Contributor) commented Apr 22, 2024:

Note: default token permissions can be queried via the REST API (maybe GraphQL, too?):

However, they require elevated permissions: organization_administration:read and administration:read, respectively...
