Question: Is scorecard supposed to work with private github repositories?
Describe the bug
I added the scorecards workflow to a private repository but it is failing with a "repo unreachable" error.
Reproduction steps
Steps to reproduce the behavior:
- Run scorecards in a private repository
Expected behavior
I was expecting scorecards to call the APIs using the read-only token and the APIs to succeed, but an unauthenticated request was sent instead, failing to find the private repo.
Additional context
Hi @godofredoc! When using the Scorecard workflow in a private repo you need to make some changes in the workflow. These changes are commented in the workflow itself, but in summary they are:
- Uncomment the `analysis` job permissions to grant `contents: read` and `actions: read` access to the repository.
- Create a PAT token and provide it in the `Run analysis` step in the field `repo_token`. To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
Are you already doing this?
Thank you @gabibguti for the details. No, we reused the configurations from some of our public repositories. I'll update the config and report back the results.
I think I know what the issue is:
RequestError [HttpError]: Advanced Security must be enabled for this repository to use code scanning.
Seems like scorecards need "Advanced Security" enabled for private repos.
This is the API returning 403:
url: 'https://api.github.com/repos/flutter/<repo>/code-scanning/analysis/status',
status: 403,
> Seems like scorecards need "Advanced Security" enabled for private repos.
It's due to the SARIF upload step.
Code scanning is available for all public repositories on GitHub.com. Code scanning is also available for private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security
Enterprises without Advanced Security will need to remove the upload step from the workflow. Of course the question becomes, how do you visualize results now? Perhaps upload the results.json file as an artifact if you have some other action consume it?
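Putting the changes from this thread together, the job-level permissions and PAT from @gabibguti's comment above plus the replacement of the SARIF upload step with an artifact upload as suggested here, as an added example workflow that is not from the original thread or the scorecard-action project. The secret name SCORECARD_TOKEN, the action version tags and the artifact name are assumptions; only `repo_token`, `contents: read` and `actions: read` come from the thread.

```yaml
name: Scorecard analysis (private repository)
on:
  push:
    branches: [ main ]
  workflow_dispatch:

# Default for every job: read-only token.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    # The two permissions the thread says to uncomment for a private repo.
    # security-events: write is deliberately not requested: the SARIF upload
    # step that needs it (and GitHub Advanced Security) has been removed.
    permissions:
      contents: read
      actions: read

    steps:
      - name: Checkout code
        uses: actions/checkout@v3          # version tag is an assumption
        with:
          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@v2     # version tag is an assumption
        with:
          results_file: results.json
          results_format: json
          # PAT stored as a repository secret; SCORECARD_TOKEN is an assumed
          # name. Create it per
          # https://github.com/ossf/scorecard-action#authentication-with-pat
          repo_token: ${{ secrets.SCORECARD_TOKEN }}
          # The public OpenSSF dashboard is for public repos; keep this off.
          publish_results: false

      # Replaces the github/codeql-action/upload-sarif step that returned 403
      # ("Advanced Security must be enabled") in the thread: keep the JSON
      # report as a build artifact so another action or tool can consume it.
      - name: Upload Scorecard results as artifact
        uses: actions/upload-artifact@v3  # version tag is an assumption
        with:
          name: scorecard-results
          path: results.json
          retention-days: 5
```

Because the PAT is what gives Scorecard read access to the private repo, scope it to the minimum the action's documentation asks for and keep it in a repository secret rather than in the workflow file; with the SARIF step gone, the job-level permissions can stay at `contents: read` and `actions: read` only.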
> When using Scorecard workflow in a private repo you need to do some changes in the workflow. These changes are commented in the workflow itself
It might be good for us to confirm all the needed permissions in a test repo using GitHub's new permission advisor tool.
Worth looking into how it's documented broadly in the project (could lift from Scorecard Action repo)
This issue has been marked stale because it has been open for 60 days with no activity.