Finds OpenSSF Scorecard scores for packages in a Software Bill of Materials.
Generate an SBOM in CycloneDX JSON format and then scan it with tally.
This uses the public scorecard API to fetch the latest score for each repository.
    $ syft prom/prometheus -o cyclonedx-json > bom.json
    $ tally bom.json
    REPOSITORY                             SCORE
    github.com/googleapis/google-cloud-go  9.3
    github.com/imdario/mergo               9.1
    github.com/googleapis/gax-go           8.9
    github.com/kubernetes/api              8.2
    github.com/azure/go-autorest           8.0
    github.com/googleapis/go-genproto      7.9
    ...
You could also pipe the BOM directly to tally:
    $ syft prom/prometheus -o cyclonedx-json | tally -
The public API may not have a score for every discovered repository, but tally
can generate these scores itself when the -g/--generate flag is set. Scores are
generated from the HEAD of the repository. This requires that the GITHUB_TOKEN
environment variable is set to a valid token.
    $ export GITHUB_TOKEN=<token>
    $ tally -g bom.json
    Generating score for 'github.com/foo/bar' [--------->..] 68/72
This may take a while, depending on the number of missing scores.
If you'd like to generate all the scores yourself, you can disable fetching
scores from the API with --api=false.
To speed up subsequent runs, tally will cache scorecard results to a local
database. You can disable the cache with --cache=false.
By default, tally will ignore results that were cached more than 7 days ago.
This window can be changed with the --cache-duration flag:
    $ tally --cache-duration=20m bom.json
The cache is stored in the user's home cache directory, which is commonly
located in ~/.cache/tally/cache/. This can be changed with the --cache-dir
flag.
The return code will be set to 1 when a score is identified that is less than
or equal to the value of --fail-on:
    $ tally --fail-on 3.5 bom.json
    ...
    Error: found scores <= to 3.50
    exit status 1
Packages for which tally has not been able to retrieve a score are not
considered by --fail-on.
The -o/--output flag can be used to modify the output format.
By default, tally will output each unique repository and its score:
    REPOSITORY                             SCORE
    github.com/googleapis/google-cloud-go  9.3
The wide output format will print additional package information:
    TYPE    PACKAGE                        REPOSITORY                             SCORE
    golang  cloud.google.com/go/compute    github.com/googleapis/google-cloud-go  9.3
The json output will print the full report in JSON format:
    $ tally -o json bom.json | jq -r .
    {
      "results": [
        {
          "repository": "github.com/googleapis/google-http-java-client",
          "packages": [
            {
              "type": "maven",
              "name": "com.google.http-client/google-http-client-jackson2"
            }
          ],
          "result": {
            "date": "2023-03-04",
            "repo": {
              "name": "github.com/googleapis/google-http-java-client",
              "commit": "4e889b702b8bbfb082b7a3234569dc173c1c286d"
            },
            "scorecard": {
              "version": "v4.8.0",
              "commit": "c40859202d739b31fd060ac5b30d17326cd74275"
            },
            "score": 7,
            "checks": [
              ...
            ]
          }
        },
        ...
      ]
    }
Not all packages will have a Scorecard score.
By default, tally will remove results without a score from the output when
using -o short or -o wide.
You can include all results, regardless of whether they have a score or not, by
specifying the -a/--all flag.
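As an added example (not part of tally or its README), the script below consumes a report in the JSON shape shown above and gates on it the way --fail-on does, while also surfacing repositories that have no score at all, which --fail-on ignores. It assumes that an unscored repository appears in the JSON report with no "score" key under "result" (or with no "result" block); the sample report embedded in it is constructed, and every name, score and commit in it is made up.

```python
"""Gate a tally JSON report on Scorecard scores, including unscored repositories.

Added example; not part of tally. Reads the `tally -o json` report shape and
assumes (not confirmed by the README) that a repository tally could not score
has no "score" key under "result", or no "result" block at all.
"""
import json
from typing import List, Optional, Tuple

# Constructed sample report, shaped like `tally -o json` output.
# Repository names, scores, dates and commits are made up for this example.
SAMPLE_REPORT = json.dumps({
    "results": [
        {
            "repository": "github.com/example/well-maintained",
            "packages": [{"type": "golang", "name": "example.com/well-maintained"}],
            "result": {
                "date": "2023-03-04",
                "repo": {"name": "github.com/example/well-maintained",
                         "commit": "0000000000000000000000000000000000000000"},
                "scorecard": {"version": "v4.8.0",
                              "commit": "1111111111111111111111111111111111111111"},
                "score": 8.4,
                "checks": [],
            },
        },
        {
            "repository": "github.com/example/neglected",
            "packages": [
                {"type": "maven", "name": "com.example/neglected-core"},
                {"type": "maven", "name": "com.example/neglected-util"},
            ],
            "result": {"date": "2023-03-04", "score": 2.1, "checks": []},
        },
        {
            # No "result": the public API had no score and -g was not used.
            "repository": "github.com/example/unscored",
            "packages": [{"type": "npm", "name": "unscored-lib"}],
        },
    ]
})


def load_report(text: str) -> dict:
    """Parse a tally JSON report from its text form."""
    return json.loads(text)


def score_of(entry: dict) -> Optional[float]:
    """Return the Scorecard score for one result entry, or None if it has none."""
    result = entry.get("result") or {}
    score = result.get("score")
    return float(score) if score is not None else None


def evaluate(report: dict, fail_on: float) -> Tuple[List[Tuple[str, float]], List[str]]:
    """Split entries into failing (score <= fail_on) and unscored repositories.

    Mirrors tally's --fail-on rule (less than or equal fails) but also returns
    the repositories that have no score, which --fail-on does not consider.
    """
    failing, unscored = [], []
    for entry in report.get("results", []):
        score = score_of(entry)
        if score is None:
            unscored.append(entry["repository"])
        elif score <= fail_on:
            failing.append((entry["repository"], score))
    return failing, unscored


def wide_rows(report: dict) -> List[Tuple[str, str, str, Optional[float]]]:
    """Flatten the report into (type, package, repository, score) rows, like
    tally's wide output; packages of unscored repositories get score None."""
    rows = []
    for entry in report.get("results", []):
        score = score_of(entry)
        for pkg in entry.get("packages", []):
            rows.append((pkg["type"], pkg["name"], entry["repository"], score))
    return rows


def gate(report_text: str, fail_on: float, fail_on_unscored: bool = True) -> int:
    """Return a process exit code: 1 when any score is <= fail_on, or (when
    fail_on_unscored is set) when any repository could not be scored; else 0."""
    failing, unscored = evaluate(load_report(report_text), fail_on)
    for repo, score in failing:
        print(f"FAIL     {repo} {score:.1f} <= {fail_on:.2f}")
    for repo in unscored:
        print(f"NOSCORE  {repo}")
    return 1 if failing or (fail_on_unscored and unscored) else 0


if __name__ == "__main__":
    import sys
    # Usage: tally -o json bom.json | python gate.py 3.5
    # With no piped input the constructed sample report is used instead.
    threshold = float(sys.argv[1]) if len(sys.argv) > 1 else 3.5
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(gate(text, threshold))
```

Run it as `tally -o json bom.json | python gate.py 3.5` in a pipeline step; passing `fail_on_unscored=False` reproduces tally's own --fail-on behaviour, where unscored repositories never cause a failure.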
Specify the format of the target SBOM with the -f/--format flag.
The supported SBOM formats are:
    cyclonedx-json
    cyclonedx-xml
    syft-json