@gabrielsoltz gabrielsoltz (Contributor) commented Sep 16, 2025

What kind of change does this PR introduce?

This PR introduces support for scanning multiple repositories in a single invocation, while preserving existing behavior by default. The only user-visible change for single-repo usage is a small improvement to the “Starting/Finished” banners (they now include the repo label).

New flags

  • --repos: comma-separated list of repositories to scan (e.g., --repos=owner1/repo1,github.com/owner2/repo2).
  • --org: GitHub organization handle (e.g., --org=github.com/ossf or ossf).

Precedence when multiple inputs are provided: --repos ➜ --org ➜ --local ➜ --repo (or repo resolved from package managers).

UX / output changes

Before (single repo):

```
Starting [License]
Starting [Code-Review]
...
Finished [License]
Finished [Code-Review]
...
```

Now (single or multi-repo):

```
Starting (owner/repo) [License]
Starting (owner/repo) [Code-Review]
...
Finished (owner/repo) [License]
Finished (owner/repo) [Code-Review]
...
```

This makes it obvious which repo each check belongs to—especially important when scanning many repos.

Implementation details

  • Introduce buildRepoURLs(ctx, *options.Options) ([]string, error):
  • Normalizes the input universe and always returns a slice of repo URIs.
  • Honors precedence --repos ➜ --org ➜ --local ➜ single --repo/pkg-manager.
  • Refactor rootCmd to iterate over the returned list and run the same scan pipeline for each repo.
  • ListOrgRepos for listing repositories from the organization, reusing the githubrepo code and logic.

Examples

Scan a list:

```sh
scorecard --repos=ossf/scorecard,ossf-tests/scorecard-check-branch-protection-e2e
```

Scan all non-archived repos in an org:

```sh
scorecard --org=github.com/ossf
```
  • PR title follows the guidelines defined in our pull request documentation

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #4792

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

Added CLI flags to scan multiple repositories `--repos`, or an entire GitHub organization `--org`
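The repo-list resolution the PR describes (buildRepoURLs honoring --repos, then --org, then --local, then --repo), written out as an added Go example. This is not the PR's or scorecard's own code: Options, OrgLister, stripHost, normalizeRepo and normalizeList are hypothetical names for this example, the GitHub API call behind ListOrgRepos is replaced by a function value so it runs offline, and the canonical github.com/owner/repo form is an assumption. Beyond the PR text it also shows the defensive steps a practitioner would want before looping over many targets: each list entry is validated as exactly owner/repo and rejected otherwise, blank entries from a trailing comma are tolerated, and duplicates are dropped so no repository is scanned twice.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Options holds the CLI inputs the PR lists (hypothetical; not scorecard's options.Options).
type Options struct {
	Repos string // --repos: comma-separated list of repositories
	Org   string // --org: GitHub organization handle
	Local string // --local: path to a local checkout
	Repo  string // --repo: a single repository
}

// OrgLister stands in for ListOrgRepos (a GitHub API call in the PR) so the example runs offline.
type OrgLister func(org string) ([]string, error)

// stripHost drops whitespace, an http(s) scheme, a github.com host and surrounding slashes.
func stripHost(raw string) string {
	s := strings.TrimSpace(raw)
	s = strings.TrimPrefix(strings.TrimPrefix(s, "https://"), "http://")
	return strings.Trim(strings.TrimPrefix(s, "github.com/"), "/")
}

// normalizeRepo returns "github.com/owner/repo" (canonical form assumed here) or rejects the input.
func normalizeRepo(raw string) (string, error) {
	s := stripHost(raw)
	parts := strings.Split(s, "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" || strings.ContainsAny(s, " \t") {
		return "", fmt.Errorf("invalid repository %q: expected owner/repo", raw)
	}
	return "github.com/" + s, nil
}

// normalizeList normalizes entries and drops duplicates in first-seen order (no repo scanned twice).
func normalizeList(entries []string) ([]string, error) {
	seen, out := map[string]bool{}, []string{}
	for _, e := range entries {
		if strings.TrimSpace(e) == "" {
			continue // tolerate a trailing comma or blank entry
		}
		r, err := normalizeRepo(e)
		if err != nil {
			return nil, err
		}
		if !seen[r] {
			seen[r], out = true, append(out, r)
		}
	}
	if len(out) == 0 {
		return nil, errors.New("no repositories after normalization")
	}
	return out, nil
}

// buildRepoURLs resolves inputs in the PR's precedence: --repos, then --org, then --local, then --repo.
func buildRepoURLs(opts Options, listOrg OrgLister) ([]string, error) {
	switch {
	case strings.TrimSpace(opts.Repos) != "":
		return normalizeList(strings.Split(opts.Repos, ","))
	case strings.TrimSpace(opts.Org) != "":
		org := stripHost(opts.Org) // "github.com/ossf", "ossf/" and "ossf" all mean "ossf"
		if org == "" || strings.ContainsAny(org, "/ \t") {
			return nil, fmt.Errorf("invalid organization %q", opts.Org)
		}
		repos, err := listOrg(org)
		if err != nil {
			return nil, fmt.Errorf("listing repos for %s: %w", org, err)
		}
		return normalizeList(repos)
	case strings.TrimSpace(opts.Local) != "":
		return []string{opts.Local}, nil // a local path passes through untouched
	case strings.TrimSpace(opts.Repo) != "":
		r, err := normalizeRepo(opts.Repo)
		if err != nil {
			return nil, err
		}
		return []string{r}, nil
	}
	return nil, errors.New("no input: use --repos, --org, --local or --repo")
}

func main() {
	fake := func(org string) ([]string, error) { // constructed stand-in for the GitHub API
		return []string{org + "/scorecard", org + "/allstar"}, nil
	}
	// --org wins over --repo here because of the precedence order.
	urls, err := buildRepoURLs(Options{Org: "github.com/ossf", Repo: "ignored/by-precedence"}, fake)
	if err != nil {
		panic(err)
	}
	for _, u := range urls {
		fmt.Printf("Starting (%s) [License]\n", u) // the PR's new banner form
	}
}
```

Run with `go run` and the two banners for the constructed org listing are printed; the single --repo input is ignored because --org takes precedence. Rejecting malformed entries up front matters more in multi-repo mode than for a single --repo, since one bad element in a long --repos list should fail loudly rather than silently skip a target in the middle of a scan.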

@gabrielsoltz gabrielsoltz changed the title from "✨ Implement --org and --repos for scanning organizations or multiple repositories" to "✨ Add multi-repo scanning: --repos, --org, and optional --combined output" Sep 16, 2025
@gabrielsoltz gabrielsoltz marked this pull request as ready for review September 16, 2025 21:20
@gabrielsoltz gabrielsoltz requested a review from a team as a code owner September 16, 2025 21:20
@gabrielsoltz gabrielsoltz requested review from raghavkaul and spencerschrock and removed request for a team September 16, 2025 21:20
@codecov codecov bot commented Sep 17, 2025

Codecov Report

❌ Patch coverage is 33.81295% with 92 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.47%. Comparing base (353ed60) to head (a22d201).
⚠️ Report is 266 commits behind head on main.

Additional details and impacted files
```
@@            Coverage Diff             @@
##             main    #4793      +/-   ##
==========================================
+ Coverage   66.80%   69.47%   +2.67%
==========================================
  Files         230      250      +20
  Lines       16602    15589    -1013
==========================================
- Hits        11091    10831     -260
+ Misses       4808     3891     -917
- Partials      703      867     +164
```

@spencerschrock spencerschrock (Member) left a comment

Did a partial review of a few things before I ran out of time, I need to dive more into how you build the repo list, scan repos, and present the results. Feel free to address that feedback now or wait until I have more time for full review

@spencerschrock spencerschrock (Member)

Also, this repo requires DCO.

> Additionally the Linux Foundation (LF) requires all contributions include per-commit sign-offs.
> Ensure you use the `-s` or `--signoff` flag for every commit.
>
> For more details, see the [LF DCO wiki](https://wiki.linuxfoundation.org/dco)
> or [this Pi-hole signoff guide](https://docs.pi-hole.net/guides/github/how-to-signoff/).

For instructions on how to fix it:
https://github.com/ossf/scorecard/pull/4793/checks?check_run_id=50569515731

@gabrielsoltz gabrielsoltz force-pushed the feat-support-org-and-repos branch from 3ab90d2 to 75c4984 on September 19, 2025 08:57
@justaugustus justaugustus mentioned this pull request Sep 20, 2025
@justaugustus justaugustus moved this to In Progress in OpenSSF Scorecard Sep 20, 2025
@justaugustus justaugustus moved this from In Progress to Review in progress in OpenSSF Scorecard Sep 20, 2025
@spencerschrock spencerschrock (Member)

Just wanted to update you that this is still on my radar! We are trying to cut a 5.3.0 release this week, so my attention has been on that. But once that's cut this week, I will make time to finish my review, and happy to cut a 5.4.0 or 5.3.1 shortly after

@spencerschrock spencerschrock (Member) left a comment

I like this approach overall, I think building a slice of repos and looping over them is the correct approach. Most of my issue is with the --combined output format, is there any way we can split that into its own PR? I think that would help get --repos and --org merged first.

@github-actions github-actions bot

This pull request has been marked stale because it has been open for 10 days with no activity

@github-actions github-actions bot added the Stale label Oct 14, 2025
@dosubot dosubot bot added the size:XL This PR changes 500-999 lines, ignoring generated files. label Oct 16, 2025
@gabrielsoltz gabrielsoltz (Contributor, Author)

Hey @spencerschrock, thank you so much for reviewing my PR — and sorry it took me a while to address your comments; I couldn’t get to it earlier. I left two small cosmetic notes (one about the banners and one about the URI) for us to discuss. Whenever you have a moment, this is ready for another review. ✌️

Signed-off-by: Gabriel Alejandro Soltz <[email protected]>
@gabrielsoltz gabrielsoltz force-pushed the feat-support-org-and-repos branch from 91600a2 to 07e8adc on October 16, 2025 20:06
Signed-off-by: Gabriel Alejandro Soltz <[email protected]>
@spencerschrock spencerschrock (Member)

> Whenever you have a moment, this is ready for another review

I will get to this tomorrow, thanks for your patience.

@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. and removed size:XL This PR changes 500-999 lines, ignoring generated files. labels Oct 31, 2025
@spencerschrock spencerschrock changed the title from "✨ Add multi-repo scanning: --repos, --org, and optional --combined output" to "✨ Add multi-repo scanning: --repos, --org" Oct 31, 2025
@spencerschrock spencerschrock (Member) left a comment

In the interest of getting this merged, I cut out the --format=combined logic, which can be added in a follow-up when the author has time by reverting my removal commit and addressing followups.

My approval is good for all of the code written by the author, but I'll request @AdamKorcz to review my removal of the combined format code: a22d201

@justaugustus justaugustus enabled auto-merge (squash) October 31, 2025 19:45
@justaugustus justaugustus (Member) left a comment

Approving for a22d201.
ref: #4793 (review)

@justaugustus justaugustus merged commit 976314d into ossf:main Oct 31, 2025
40 of 41 checks passed
@github-project-automation github-project-automation bot moved this from Review in progress to Done in OpenSSF Scorecard Oct 31, 2025
@spencerschrock spencerschrock (Member)

Thanks Stephen, and of course thanks Gabriel for the multi repo logic!

Labels

size:L This PR changes 100-499 lines, ignoring generated files.

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

Feature: Support Scanning Github Organizations and Multiple Repositories

9 participants