dmd import scorecard
Import OpenSSF Security Scorecards data
Usage
scorecard
Examples
```shell
# First, retrieve the data via the `scorecard` CLI
scorecard --repo github.com/oapi-codegen/runtime --output runtime.json --format json
scorecard --repo gitlab.com/fdroid/fdroidclient --output fdroidclient.json --format json
# etc ...

# then, import it (this page documents the `dmd import scorecard` command)
# NOTE the quotes around the glob, so the shell does not expand it
dmd import scorecard --db dmd.db '*.json'
```
Synopsis
Import the result of an OpenSSF Security Scorecards (https://securityscorecards.dev/) analysis of a repository into dependency-management-data's internal database.

Similar to the insight that the dmd db generate dependency-health command provides in the dependency_health table, you can ingest pre-computed Security Scorecards reports into dependency-management-data.

This consumes the JSON report written by the https://github.com/ossf/scorecard CLI, performs a lookup against https://ecosyste.ms to determine which package(s), if any, the repository corresponds to, and then imports the result into the dependency_health table.

NOTE that this lookup sends repository names (and therefore reveals which packages you depend on) to an external system, which may be seen as a privacy or security issue, and there is currently no way to disable or override the lookup. This will become possible as part of https://gitlab.com/tanna.dev/dependency-management-data/-/issues/480, but it is not yet implemented.
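Because the import performs an external lookup for every report it reads, it is worth checking what is in the `*.json` files before handing them to `dmd import scorecard`: that each file really is a scorecard report (the importer needs the repository name to do its lookup), which repository names will be sent to ecosyste.ms, and which checks scored badly. The script below is an added example written for this page, not code from dependency-management-data or from the scorecard project. It assumes the field layout of the scorecard CLI's JSON output (`repo.name`, `score`, `checks[].name` and `checks[].score`, where a score of -1 means the check did not apply); the sample reports embedded in it are constructed for the example.

```python
"""Pre-import triage of OpenSSF Scorecard JSON reports (added example)."""
import glob
import json
import sys
from dataclasses import dataclass

# Constructed sample reports, shaped like `scorecard --format json` output.
SAMPLE_REPORTS = {
    "runtime.json": json.dumps({
        "date": "2024-05-01",
        "repo": {"name": "github.com/oapi-codegen/runtime", "commit": "abc123"},
        "scorecard": {"version": "v4.13.1", "commit": "def456"},
        "score": 6.4,
        "checks": [
            {"name": "Maintained", "score": 10, "reason": "commit activity in the last 90 days"},
            {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous workflow patterns detected"},
            {"name": "Pinned-Dependencies", "score": 2, "reason": "dependency not pinned by hash detected"},
            {"name": "Signed-Releases", "score": -1, "reason": "no releases found"},
        ],
    }),
    "fdroidclient.json": json.dumps({
        "date": "2024-05-01",
        "repo": {"name": "gitlab.com/fdroid/fdroidclient", "commit": "0123ab"},
        "scorecard": {"version": "v4.13.1", "commit": "def456"},
        "score": 7.8,
        "checks": [
            {"name": "Maintained", "score": 10, "reason": "commit activity in the last 90 days"},
            {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found in the repo"},
            {"name": "Token-Permissions", "score": 0, "reason": "workflow tokens with excessive permissions"},
            {"name": "Vulnerabilities", "score": 10, "reason": "no vulnerabilities detected"},
        ],
    }),
    # Matches '*.json' but is not a scorecard report (e.g. a stray package.json).
    "not-a-report.json": json.dumps({"name": "unrelated", "version": "1.0.0"}),
}


@dataclass
class ReportSummary:
    path: str
    repo: str
    score: float
    weak_checks: list  # names of checks that scored below the threshold


def parse_report(path, text, threshold=5.0):
    """Parse one scorecard JSON report; raise ValueError if it is not one."""
    data = json.loads(text)
    repo = data.get("repo", {}).get("name")
    if not isinstance(repo, str) or not repo:
        raise ValueError(f"{path}: not a scorecard report (missing repo.name)")
    # A score of -1 means the check did not apply or could not run, so it is
    # not a failure; only real scores below the threshold are flagged.
    weak = sorted(
        c["name"] for c in data.get("checks", [])
        if isinstance(c.get("score"), (int, float)) and 0 <= c["score"] < threshold
    )
    return ReportSummary(path=path, repo=repo, score=float(data.get("score", 0.0)), weak_checks=weak)


def triage(reports, threshold=5.0):
    """Summarise every report; return (summaries sorted by path, error messages)."""
    summaries, errors = [], []
    for path in sorted(reports):
        try:
            summaries.append(parse_report(path, reports[path], threshold))
        except ValueError as exc:  # json.JSONDecodeError is a ValueError too
            msg = str(exc)
            errors.append(msg if msg.startswith(path) else f"{path}: {msg}")
    return summaries, errors


def repos_sent_to_lookup(summaries):
    """Repository names that the import will look up on ecosyste.ms."""
    return sorted({s.repo for s in summaries})


def load_reports(pattern):
    """Read report files matching a glob (quote the pattern in your shell)."""
    return {p: open(p, encoding="utf-8").read() for p in glob.glob(pattern)}


if __name__ == "__main__":
    reports = load_reports(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORTS
    summaries, errors = triage(reports)
    for s in summaries:
        print(f"{s.repo}: score {s.score}, weak checks: {', '.join(s.weak_checks) or 'none'}")
    for e in errors:
        print(f"skip: {e}")
    print("repos that will be sent to ecosyste.ms:", ", ".join(repos_sent_to_lookup(summaries)))
```

Run it as `python3 triage.py '*.json'` from the directory holding the reports; with no argument it runs over the embedded samples. Files that fail the `repo.name` check are the ones to remove before importing, and the final line is the list of repository names the import will disclose to ecosyste.ms.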
Options
| Flag (type) | Usage | Notes |
|---|---|---|
| -h, --help | help for scorecard | |
| --no-progress | prevent displaying progress of long-running tasks | |
Options inherited from parent commands
| Flag (type) | Usage | Notes |
|---|---|---|
| --db (string) | the path to the input/output database | |
| --debug | whether to enable debug logging | |
Related
dmd import
- Import raw data exports into a given database