dmd import scorecard

Import OpenSSF Security Scorecards data

# First, retrieve the data via the `scorecard` CLI
scorecard --repo --output runtime.json      --format json
scorecard --repo  --output fdroidclient.json --format json
# etc ...
# then, import it
# NOTE quotes to prevent globbing
dmd db import scorecard --db dmd.db '*.json'

Import the result of an OpenSSF Security Scorecards analysis of a repository into dependency-management-data's internal database.

Similar to the insight that the dmd db generate dependency-health command provides in the dependency_health table, you can ingest pre-computed Security Scorecards reports into dependency-management-data.

This consumes the JSON report output by the scorecard CLI, performs a lookup to determine whether there are any package(s) that the repo corresponds to, and then imports the result into the dependency_health table.

NOTE that this lookup may leak package names to external systems, which may be seen as a privacy or security issue, and the command DOES NOT currently have any ability to override the lookup. This will be possible as part of but is not yet implemented.
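As an added pre-import check (example code, not part of dmd or the scorecard CLI), the script below loads each JSON report, rejects files that lack the fields a Scorecard report carries, and lists per repository the name that the import's package lookup will send out, together with the checks scoring below a threshold. The report shape (repo.name, score, checks[]) is assumed from the scorecard CLI's JSON output; the sample report is constructed.

```python
import json
import os
import tempfile

# Constructed sample in the shape `scorecard --format json` emits
# (assumed fields: repo.name, score, checks[].name/score/reason).
SAMPLE_REPORT = {
    "repo": {"name": "github.com/example/runtime", "commit": "abc123"},
    "score": 6.2,
    "checks": [
        {"name": "Maintained", "score": 10, "reason": "30 commits in 90 days"},
        {"name": "Pinned-Dependencies", "score": 2, "reason": "unpinned"},
        {"name": "Branch-Protection", "score": -1, "reason": "internal error"},
    ],
}


def load_report(path):
    """Return (repo_name, score, checks); raise ValueError for a file that
    is not a Scorecard report so it is caught before the import runs."""
    with open(path) as fh:
        data = json.load(fh)
    try:
        return data["repo"]["name"], float(data["score"]), data["checks"]
    except (KeyError, TypeError) as exc:
        raise ValueError(f"{path}: missing Scorecard field {exc}") from exc


def summarize(paths, threshold=5):
    """Per report, record the repo name (the value the import's package
    lookup sends to an external system) and checks scoring under
    `threshold`. A score of -1 means the check did not run (not_run)."""
    summary = {}
    for path in paths:
        repo, score, checks = load_report(path)
        summary[repo] = {
            "score": score,
            "low": [c["name"] for c in checks if 0 <= c["score"] < threshold],
            "not_run": [c["name"] for c in checks if c["score"] < 0],
        }
    return summary


def write_sample(directory=None):
    """Write the constructed report to disk so the example runs offline."""
    path = os.path.join(directory or tempfile.mkdtemp(), "runtime.json")
    with open(path, "w") as fh:
        json.dump(SAMPLE_REPORT, fh)
    return path
```

Run summarize over the same '*.json' glob you would pass to dmd db import scorecard; a ValueError names the file that would otherwise feed a malformed report into the database.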


Flag (type)      Usage Notes
-h, --help       help for scorecard
--no-progress    prevent displaying progress of long-running tasks

Options inherited from parent commands

Flag (type)      Usage Notes
--db (string)    the path to the input/output database
--debug          whether to enable debug logging