Implement OpenSSF scorecard
The idea is to implement the scorecard by the Open Source Security Foundation (OpenSSF).
We can take inspiration from the tool deps.dev, which already has an implementation:
That data is available online and fetchable via a REST API. I think we should implement this like the Bundlephobia API (by exposing an API on the HTTP server to avoid cross-domain issues).
The question that remains is where in the interface should we place this information?
Well received.
We now have a back-end SDK to consume the OpenSSF API: https://github.com/NodeSecure/ossf-scorecard-sdk. So the overall idea is to:
- Add an API on the CLI http server and use the SDK to fetch the Scorecard result.
- Add UI in the left menu (and load data on the http server when we select a package).
For the UI my idea is to add a little menu/info where I draw a red line:
We can move step by step with a first version that only shows the score. Then later we can code the complete UI to show all check details (like deps.dev).
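As an added illustration of the server-side route discussed above (example code, not part of the NodeSecure CLI or the ossf-scorecard-sdk), here is a small proxy handler that validates the `owner/repo` pair before building the upstream request and reduces the response to the score plus per-check scores for a first UI version. It assumes a `/scorecard/:owner/:repo` route, the public Scorecard REST endpoint URL and the `score`/`checks` JSON shape shown in the constructed sample payload.

```javascript
// Assumed upstream endpoint of the public OpenSSF Scorecard API.
const SCORECARD_API = "https://api.securityscorecards.dev/projects/github.com";
// GitHub owner and repository names: letters, digits, '-', '_' and '.' only.
const SEGMENT = /^[A-Za-z0-9_.-]{1,100}$/;

// Validate both path segments before they are interpolated into the upstream
// URL, so a crafted request path cannot steer the server-side fetch elsewhere.
function buildScorecardUrl(owner, repo) {
  for (const part of [owner, repo]) {
    if (!SEGMENT.test(part) || /^\.+$/.test(part)) return null;
  }
  return `${SCORECARD_API}/${owner}/${repo}`;
}

// Reduce the (assumed) upstream JSON to what the left-menu UI needs:
// the aggregate score and one {name, score} entry per check.
function summarizeScorecard(payload) {
  if (typeof payload?.score !== "number") return null;
  const checks = Array.isArray(payload.checks) ? payload.checks : [];
  return {
    score: payload.score,
    checks: checks.map((c) => ({ name: String(c.name), score: Number(c.score) })),
  };
}

// Route handler for the CLI's HTTP server (hypothetical route name).
// The browser calls this same-origin endpoint instead of the upstream API,
// which avoids the cross-domain issue mentioned in the thread.
async function handleScorecard(req, res) {
  const match = /^\/scorecard\/([^/]+)\/([^/]+)$/.exec(req.url ?? "");
  const url = match && buildScorecardUrl(match[1], match[2]);
  if (!url) { res.writeHead(400); return res.end("invalid repository"); }
  const upstream = await fetch(url);
  if (!upstream.ok) { res.writeHead(502); return res.end("scorecard unavailable"); }
  const summary = summarizeScorecard(await upstream.json());
  res.writeHead(summary ? 200 : 502, { "content-type": "application/json" });
  res.end(JSON.stringify(summary ?? { error: "unexpected upstream payload" }));
}

// Constructed sample payload (not real Scorecard output) for local testing.
const SAMPLE_PAYLOAD = {
  repo: { name: "github.com/example-org/example-repo" },
  score: 7.5,
  checks: [
    { name: "Binary-Artifacts", score: 10 },
    { name: "Pinned-Dependencies", score: 3 },
  ],
};
```

Wire it with `http.createServer((req, res) => handleScorecard(req, res))` on the existing server, or mount it under the router the CLI already uses.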