
@eddie-knight
Last active October 7, 2022 20:29
CNCF Security Slam

CLOMonitor Development Workflow

CLOMonitor.io is a great dashboard for checking your project's progress. It reruns once an hour if repository changes are detected.

How is your CNCF project configured for CLOMonitor.io?

If you would like to review or modify the checks that are being made for your project, check out the CNCF configuration file for CLOMonitor.io: https://github.com/cncf/clomonitor/blob/main/data/cncf.yaml

This YAML file will specify which projects are checked, which repos are considered as part of each project, and which subset of checks are executed for each repo.

If you would like real-time checks while working, it is recommended that you take one of the following options.

Local Installation of the CLOMonitor Web Service

This option is detailed exhaustively in the CLOMonitor documentation, available on the website and in the project repo. This process may require a bit of effort, but will give you a complete CLOMonitor web service locally that is identical to the web platform that runs scheduled checks.

Dockerized Local Execution of CLOMonitor

This is probably the best option, though it took me a bit of prodding before I wasn't missing any details. I included instructions to get it running quickly in clomonitor-dockerized-local.md on this gist.

Dockerized CI Execution of CLOMonitor

This can be helpful once you've gotten far enough to add automated checks.

I've included github-clomonitor-ci.yml below as reference for this.

Execute CLOMonitor using Lift

There are some definite shortcomings to this option, but it was by far the easiest option for me to turn on.

Lift is an incubating project that is free on public GitHub repos. By enabling CLOMonitor on Lift, you can quickly see a simplified view of your results either on demand or on pull request creation. It may be also enabled on a fork if you are not ready to integrate it to your primary repo.

Detailed notes are in another file on this gist.

Notes on CLOMonitor.io

  1. CLOMonitor.io scans all of its target projects every hour
  2. Target projects are comprised of one or more repositories
  3. A list of projects and the associated repositories for CNCF can be seen here
  4. At least one repository on the project should have code scans
  5. At least one repository on the project should have community scans
  6. code-lite can be used on secondary repositories that need to follow best practices, but are not held to the same security standards
  7. Most projects already have their repo types set in the CLOMonitor.io configuration; you just need to check which standards each repo is being held to
  8. Exemptions are tolerated so long as a justification is included. See example here: https://github.com/cncf/clomonitor/blob/main/docs/metadata/.clomonitor.yml

FOR THE CNCF SECURITY SLAM

  • Only the "security" checks need to get to 100%


Let me know if you have more helpful notes to drop on here!

Local Dockerized Execution of CLOMonitor

This is the way.

Walkthrough

1. Create your GitHub API personal access token

The token should have public_repo scope.

  1. Developer Settings
  2. Personal Access Tokens
  3. Generate a new token
  4. Give it a name and a finite expiration date
  5. Check the box for "public_repo" scope (and nothing else)
  6. Generate Token
  7. Add the token to an environment variable file to pass to your docker container (I keep mine in ~/dev)
# ~/dev/env.list
GITHUB_TOKEN=<mytoken>

2. Run the CLOMonitor image

Run it, and mount the directory you wish to scan. Add winpty to the beginning of the command if your terminal is not a TTY (specifically, if you get an error message saying so).

$ docker run -it --env-file ~/dev/env.list --mount type=bind,source="$(pwd)",target=/myapp public.ecr.aws/clomonitor/linter:latest
~ $ clomonitor-linter --help
Output:
clomonitor-linter 0.7.0
Checks repository to verify it meets certain project health best practices

The CLOMonitor linter runs some checks on the repository provided and produces
a report with the result. Some of the checks are done locally using the path
provided and some remotely as they rely on external APIs. Only GitHub repos
are supported at the moment. For more information about the checks, please see
https://clomonitor.io/docs/topics/checks/. The exit code will be 0 if the
linter runs successfully and the score is equal or higher than the pass score
provided, or non-zero otherwise.

This tool uses the Github GraphQL API for some checks, which requires
authentication. Please make sure you provide a Github token (with public_repo
scope) by setting the GITHUB_TOKEN environment variable.

USAGE:
    clomonitor-linter [OPTIONS] --path <PATH> --url <URL>

OPTIONS:
        --check-set <CHECK_SET>      Sets of checks to run [default: code community] [possible
                                     values: code, code-lite, community, docs]
        --format <FORMAT>            Output format [default: table] [possible values: json, table]
    -h, --help                       Print help information
        --pass-score <PASS_SCORE>    Linter pass score [default: 75]
        --path <PATH>                Repository local path (used for checks that can be done
                                     locally)
        --url <URL>                  Repository url [https://github.com/org/repo] (used for some
                                     GitHub remote checks)
    -V, --version                    Print version information

3. Profit

~ $ clomonitor-linter --path /myapp --url https://github.com/FINOS/compliant-financial-infrastructure
Output:
CLOMonitor linter results

Repository information

╭────────────┬─────────────────────────────────────────────────────────────╮
│ Local path ┆ /myapp                                                      │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Remote url ┆ https://github.com/FINOS/compliant-financial-infrastructure │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Check sets ┆ [Code, Community]                                           │
╰────────────┴─────────────────────────────────────────────────────────────╯

Score summary

╭────────────────┬───────╮
│     Section    ┆ Score │
╞════════════════╪═══════╡
│ Global         ┆   48  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌┤
│ Documentation  ┆   53  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌┤
│ License        ┆   75  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌┤
│ Best practices ┆   25  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌┤
│ Security       ┆   50  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌┤
│ Legal          ┆   0   │
╰────────────────┴───────╯

Checks summary

╭──────────────────────────────────────┬────────────╮
│                 Check                ┆   Passed   │
╞══════════════════════════════════════╪════════════╡
│ Documentation / Adopters             ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Changelog            ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Code of conduct      ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Contributing         ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Governance           ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Maintainers          ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Readme               ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Roadmap              ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Website              ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ License                              ┆ Apache-2.0 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ License / Approved                   ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ License / Scanning                   ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / Analytics           ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / Artifact Hub badge  ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / CLA                 ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / Community meeting   ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / DCO                 ┆   Exempt   │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / GitHub discussions  ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / OpenSSF (CII) badge ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / Recent release      ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / Slack presence      ┆   Exempt   │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Binary artifacts          ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Code review               ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Dangerous workflow        ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Dependency update tool    ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Maintained                ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / SBOM                      ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Security policy           ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Signed release            ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Token permissions         ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Legal / Trademark disclaimer         ┆      ✗     │
╰──────────────────────────────────────┴────────────╯

✗ Failed with a global score of 48 (pass score is 75)
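For the Security Slam target (only the Security section needs to reach 100%), it helps to pull just the Security rows out of the "Checks summary" table above and track what is still failing between runs. The script below is an added example, not code from this gist or from the CLOMonitor project: it parses the linter's table output (the sample is constructed from the format shown above), reports the global score line, and treats n/a and Exempt rows as out of scope.

```python
import re
from typing import Optional

# Constructed sample in the linter's table format (an excerpt, not a real run).
SAMPLE_OUTPUT = """\
Checks summary

╭──────────────────────────────────────┬────────────╮
│                 Check                ┆   Passed   │
╞══════════════════════════════════════╪════════════╡
│ Documentation / Readme               ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ License                              ┆ Apache-2.0 │
│ Best practices / DCO                 ┆   Exempt   │
│ Security / Binary artifacts          ┆      ✓     │
│ Security / Code review               ┆      ✓     │
│ Security / SBOM                      ┆      ✗     │
│ Security / Security policy           ┆      ✗     │
│ Security / Signed release            ┆     n/a    │
│ Security / Token permissions         ┆      ✗     │
│ Legal / Trademark disclaimer         ┆      ✗     │
╰──────────────────────────────────────┴────────────╯

✗ Failed with a global score of 48 (pass score is 75)
"""

# One table row looks like: "│ <Section / Check> ┆ <result> │"
ROW = re.compile(r"^│\s*(?P<check>.+?)\s*┆\s*(?P<result>.+?)\s*│$")
SCORE = re.compile(r"global score of (\d+) \(pass score is (\d+)\)")


def parse_checks(output: str) -> dict:
    """Map section -> {check -> result} from the 'Checks summary' table.
    Rows without ' / ' (the bare 'License' row) are keyed by their own name."""
    checks = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m or m["check"] == "Check":  # border lines and the header row
            continue
        section, _, name = m["check"].partition(" / ")
        checks.setdefault(section, {})[name or section] = m["result"]
    return checks


def global_score(output: str) -> Optional[tuple]:
    """Return (score, pass_score) from the linter's final line, if present."""
    m = SCORE.search(output)
    return (int(m[1]), int(m[2])) if m else None


def security_status(output: str) -> dict:
    """Slam view: every scored Security check must pass; n/a and Exempt are out of scope."""
    sec = parse_checks(output).get("Security", {})
    failing = sorted(n for n, r in sec.items() if r == "✗")
    passing = sorted(n for n, r in sec.items() if r == "✓")
    skipped = sorted(n for n, r in sec.items() if r in ("n/a", "Exempt"))
    return {"failing": failing, "passing": passing, "skipped": skipped,
            "complete": bool(passing) and not failing}


if __name__ == "__main__":
    status = security_status(SAMPLE_OUTPUT)
    print("global score (score, pass score):", global_score(SAMPLE_OUTPUT))
    print("security checks still failing:", status["failing"], "complete:", status["complete"])
```

The linter also accepts --format json (see the --help output above), which is the more robust input for automation; the table parser is shown here because the table is what this walkthrough documents.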

Optional: Specify your check set

Since your project is likely comprised of multiple repos, you probably won't want to run every check on every repo.

Use --check-set to limit which tests are run. You can specify multiple options by passing the flag multiple times.

~ $ clomonitor-linter --path /myapp --check-set community --check-set code-lite --url https://github.com/FINOS/compliant-financial-infrastructure
Output:
CLOMonitor linter results

Repository information

╭────────────┬─────────────────────────────────────────────────────────────╮
│ Local path ┆ /myapp                                                      │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Remote url ┆ https://github.com/FINOS/compliant-financial-infrastructure │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Check sets ┆ [Community, CodeLite]                                       │
╰────────────┴─────────────────────────────────────────────────────────────╯

Score summary

╭────────────────┬───────╮
│     Section    ┆ Score │
╞════════════════╪═══════╡
│ Global         ┆   59  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌┤
│ Documentation  ┆   55  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌┤
│ License        ┆  100  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌┤
│ Best practices ┆   56  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌┤
│ Security       ┆   0   │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌┤
│ Legal          ┆   0   │
╰────────────────┴───────╯

Checks summary

╭──────────────────────────────────────┬────────────╮
│                 Check                ┆   Passed   │
╞══════════════════════════════════════╪════════════╡
│ Documentation / Adopters             ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Changelog            ┆     n/a    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Code of conduct      ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Contributing         ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Governance           ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Maintainers          ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Readme               ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Roadmap              ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Website              ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ License                              ┆ Apache-2.0 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ License / Approved                   ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ License / Scanning                   ┆     n/a    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / Analytics           ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / Artifact Hub badge  ┆     n/a    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / CLA                 ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / Community meeting   ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / DCO                 ┆   Exempt   │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / GitHub discussions  ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / OpenSSF (CII) badge ┆     n/a    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / Recent release      ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / Slack presence      ┆   Exempt   │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Binary artifacts          ┆     n/a    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Code review               ┆     n/a    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Dangerous workflow        ┆     n/a    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Dependency update tool    ┆     n/a    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Maintained                ┆     n/a    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / SBOM                      ┆     n/a    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Security policy           ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Signed release            ┆     n/a    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Token permissions         ┆     n/a    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Legal / Trademark disclaimer         ┆      ✗     │
╰──────────────────────────────────────┴────────────╯

✗ Failed with a global score of 59 (pass score is 75)

# .github/workflows/clomonitor.yml
name: CI
on: [push, pull_request]
permissions: read-all
jobs:
  linter-clomonitor:
    runs-on: ubuntu-20.04
    env:
      GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
    container:
      image: public.ecr.aws/clomonitor/linter:latest
      options: --user root
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Run CloMonitor linter
        run: clomonitor-linter --path . --url https://github.com/artifacthub/hub

Using CLOMonitor via Lift

  1. Enable Lift to run on your project’s repository following the docs here.
  2. Create a .lift.toml file in your project’s root directory with the following to enable on-demand CLOMonitor scans:
customTools=["/extra-tools/clomonitor.sh"]
  3. If you would like to disable all of Lift’s default build, linting, and CVE scans in order to expedite this CLOMonitor scan, add the following line as well:
tools=[]
  4. Select your repository on the Lift dashboard
  5. Choose the appropriate branch from the drop-down
  6. Press the “Analyze” button to run the scans configured for your project.

A final note on using Lift

Running all the checks is easy, but I lost some time trying to do select check sets. I was able to get specific checks working with the help of @theresa-m -- I've added her configuration file to this gist with some bonus inline commentary. The final obstacle we faced was with tabs... double-check that you don't allow any tabs in the config file or it may crash silently.

Running a specific check set on Lift

I didn't load the raw file because it made this gist cumbersome, but you can copy the following contents into your config file and adjust them as needed.

Unfortunately this will need to be run as two separate tests if your repo uses two different check sets.

.lift.toml
customTools=["/extra-tools/clomonitor.sh"] # enable CLOMonitor scanning
tools=[] # do not include any other scanning tools

########################################################################################
### Uncomment the appropriate set of ignoreRules to enable specific CLOMonitor check sets
### See https://github.com/cncf/clomonitor/blob/main/docs/checks.md for more details.
### Templates included here:
### - code
### - code-lite
### - community
### - docs
### - code+community (a common combination)
### - all tests (for name references)
########################################################################################

### code (recommended for projects’ primary code repository)
# ignoreRules = [
# "Documentation: Adopters",
# "Documentation: Code Of Conduct",
# "Documentation: Governance",
# "Documentation: Roadmap",
# "Documentation: Website",
# "Best Practices: Analytics",
# "Best Practices: Community Meeting",
# "Best Practices: Github Discussions",
# "Best Practices: Slack Presence",
# "Security: Branch Protection",
# "Legal: Trademark Disclaimer"
# ]

### code-lite (subset of code, recommended for secondary code repositories)
# ignoreRules = [
# "Documentation: Adopters",
# "Documentation: Changelog",
# "Documentation: Code Of Conduct",
# "Documentation: Governance",
# "Documentation: Roadmap",
# "Documentation: Website",
# "License: License Scanning",
# "Best Practices: Analytics",
# "Best Practices: Artifacthub Badge",
# "Best Practices: Community Meeting",
# "Best Practices: Github Discussions",
# "Best Practices: Openssf Badge",
# "Best Practices: Slack Presence",
# "Security: binary artifacts",
# "Security: Code Review",
# "Security: dangerous workflow",
# "Security: Dependency Update Tool",
# "Security: Maintained",
# "Security: Sbom",
# "Security: Security Policy",
# "Security: Signed Releases",
# "Security: token permissions",
# "Security: Branch Protection",
# "Legal: Trademark Disclaimer"
# ]

### community (recommended for repositories with community content)
# ignoreRules = [
# "Documentation: Changelog",
# "Documentation: Maintainers",
# "Documentation: Roadmap",
# "License: License Spdx Id",
# "License: License Approved",
# "License: License Scanning",
# "Best Practices: Artifacthub Badge",
# "Best Practices: Cla",
# "Best Practices: Dco",
# "Best Practices: Openssf Badge",
# "Best Practices: Recent Release",
# "Security: binary artifacts",
# "Security: Code Review",
# "Security: dangerous workflow",
# "Security: Dependency Update Tool",
# "Security: Maintained",
# "Security: Sbom",
# "Security: Signed Releases",
# "Security: token permissions",
# "Security: Branch Protection"
# ]

### docs (recommended for other documentation repositories)
# ignoreRules = [
# "Documentation: Adopters",
# "Documentation: Changelog",
# "Documentation: Code Of Conduct",
# "Documentation: Contributing",
# "Documentation: Governance",
# "Documentation: Maintainers",
# "Documentation: Roadmap",
# "Documentation: Website",
# "License: License Scanning",
# "Best Practices: Analytics",
# "Best Practices: Artifacthub Badge",
# "Best Practices: Cla",
# "Best Practices: Community Meeting",
# "Best Practices: Dco",
# "Best Practices: Github Discussions",
# "Best Practices: Openssf Badge",
# "Best Practices: Recent Release",
# "Best Practices: Slack Presence",
# "Security: binary artifacts",
# "Security: Code Review",
# "Security: dangerous workflow",
# "Security: Dependency Update Tool",
# "Security: Maintained",
# "Security: Sbom",
# "Security: Security Policy",
# "Security: Signed Releases",
# "Security: token permissions",
# "Security: Branch Protection",
# "Legal: Trademark Disclaimer"
# ]

### code+community
# ignoreRules = [
# "Security: Branch Protection",
# ]

### All tests
### Ignore all tests
# ignoreRules = [
# "Documentation: Adopters",
# "Documentation: Changelog",
# "Documentation: Code Of Conduct",
# "Documentation: Contributing",
# "Documentation: Governance",
# "Documentation: Maintainers",
# "Documentation: readme",
# "Documentation: Roadmap",
# "Documentation: Website",
# "License: License Spdx Id",
# "License: License Approved",
# "License: License Scanning",
# "Best Practices: Analytics",
# "Best Practices: Artifacthub Badge",
# "Best Practices: Cla",
# "Best Practices: Community Meeting",
# "Best Practices: Dco",
# "Best Practices: Github Discussions",
# "Best Practices: Openssf Badge",
# "Best Practices: Recent Release",
# "Best Practices: Slack Presence",
# "Security: binary artifacts",
# "Security: Code Review",
# "Security: dangerous workflow",
# "Security: Dependency Update Tool",
# "Security: Maintained",
# "Security: Sbom",
# "Security: Security Policy",
# "Security: Signed Releases",
# "Security: token permissions",
# "Security: Branch Protection",
# "Legal: Trademark Disclaimer"
# ]