fosstars-rating-core-action

Fosstars ratings

This action calculates a security rating or an OSS rules of play rating for an open source project. The rating consists of a score and a label. The score is a number from 0 to 10.

It shows how well the project takes care of security or of open source community and maintenance aspects. The ratings take several aspects into account. All details about these aspects are in the section "What the security rating takes into account" of the security rating documentation and the section "What the OSS rules of play rating takes into account" of the OSS rules of play documentation. Additional information about Fosstars, how the ratings are calculated and related content is available in the documentation as well.

Fosstars uses only publicly available data about open source projects.

The action creates a detailed report that explains how the rating was calculated. In addition, the report contains recommendations for improving the respective rating.

Badges

The action generates one of the following badges that reflect the labels of the respective ratings (see security or OSS rules of play):

Security

  • Good security rating
  • Moderate security rating
  • Bad security rating
  • Unclear rating
  • Unknown rating

OSS Rules of Play

  • Rating passed
  • Rating passed with warnings
  • Rating failed
  • Unclear rating
  • Unknown security rating

The report and the badge are stored in a specified branch.

Inputs

rating

Required. The rating this action should determine: security or oss-rules-of-play. Default: security.

report-branch

Required. The branch where the report and the badge are stored. Default: fosstars.

fosstars-version

Required. The version of Fosstars used to calculate the rating. Default: v1.7.0.

token

Required. A token for fetching data about the project via the GitHub API and for committing the report and the badge to the specified branch.

report-file

Optional. The file name of the report. Default: fosstars_report.md.

badge-file

Optional. The file name of the badge. Default: fosstars_badge.svg.

data-provider-config-urls

Optional. A comma-separated list of data provider configuration URLs. The individual file names must have the format ProviderClassName.yaml or ProviderClassName.config.yaml. Some data providers of the OSS Rules of Play rating need configuration files to work correctly, so if the oss-rules-of-play rating is selected and no configuration URLs are passed to the action, SAP's default configuration files are used.

How to use it

Here is an example workflow that updates the report every day and whenever a commit is pushed. The report is stored in the fosstars-report branch.

name: "Fosstars"
on:
  push:
    branches:
      - main
  schedule:
    - cron: "0 0 * * *"

jobs:
  create_fosstars_report:
    runs-on: ubuntu-latest
    name: "Security rating"
    steps:
      - uses: actions/[email protected]
      - uses: SAP/[email protected]
        with:
          rating: security
          report-branch: fosstars-report
          report-file: fosstars_security_rating.md
          badge-file: fosstars_security_rating.svg
          token: ${{ secrets.GITHUB_TOKEN }}
          data-provider-config-urls: https://raw.githubusercontent.com/your-org/your-repo/main/conf/ReadmeInfo.config.yml,https://raw.githubusercontent.com/your-org/your-repo/main/conf/ContributingGuidelineInfo.config.yml,https://raw.githubusercontent.com/your-org/your-repo/main/conf/LicenseInfo.config.yml

The badge is stored in the same branch. It can be used in a README file:

[![Fosstars security rating](https://raw.githubusercontent.com/your-organisation/your-project/fosstars-report/fosstars-security-rating.svg)](https://github.com/your-organisation/your-project/blob/fosstars-report/fosstars_security_rating.md)
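A small pre-flight check for the inputs described above, added here as an example (not part of the action or the Fosstars project): it validates the value of rating, checks that token is taken from the secrets context rather than pasted as a literal, verifies that every data-provider-config-urls entry is an https URL whose file name follows the ProviderClassName.yaml / ProviderClassName.config.yaml format, and points out when SAP's default configuration files would be used. The inputs are constructed sample data; the org and repo names are placeholders, and no YAML parser is used so the script runs offline.

```python
import re
from urllib.parse import urlparse

VALID_RATINGS = {"security", "oss-rules-of-play"}
# Provider config file names must be ProviderClassName.yaml or ProviderClassName.config.yaml
CONFIG_NAME_RE = re.compile(r"^[A-Z][A-Za-z0-9]*(\.config)?\.yaml$")
# The token should come from the workflow's secrets context, never be pasted as a literal
SECRET_EXPR_RE = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")


def check_inputs(inputs: dict) -> list:
    """Return a list of findings for the action's `with:` inputs; empty means OK."""
    findings = []
    rating = inputs.get("rating", "security")  # README default
    if rating not in VALID_RATINGS:
        findings.append(f"rating must be security or oss-rules-of-play, got {rating!r}")
    token = inputs.get("token", "")
    if not token:
        findings.append("token is required")
    elif not SECRET_EXPR_RE.match(token):
        findings.append("token is a literal value; use ${{ secrets.<NAME> }} instead")
    raw = inputs.get("data-provider-config-urls", "")
    urls = [u.strip() for u in raw.split(",") if u.strip()]
    for url in urls:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(f"config URL is not https: {url}")
        name = parsed.path.rsplit("/", 1)[-1]
        if not CONFIG_NAME_RE.match(name):
            findings.append(f"config file name {name!r} is not ProviderClassName[.config].yaml")
    if rating == "oss-rules-of-play" and not urls:
        findings.append("no config URLs given: SAP default configuration files will be used")
    return findings


# Constructed sample inputs (a parsed `with:` block); org/repo names are placeholders
GOOD_INPUTS = {
    "rating": "security",
    "token": "${{ secrets.GITHUB_TOKEN }}",
    "data-provider-config-urls": "https://raw.githubusercontent.com/your-org/your-repo/main/conf/ReadmeInfo.config.yaml",
}
BAD_INPUTS = {
    "rating": "oss-rules-of-play",
    "token": "PLACEHOLDER_LITERAL_TOKEN",
    "data-provider-config-urls": "http://example.invalid/conf/readme-info.yml",
}

if __name__ == "__main__":
    for label, inputs in (("good", GOOD_INPUTS), ("bad", BAD_INPUTS)):
        print(label, check_inputs(inputs) or "OK")
```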

Example

Check out an example workflow that runs the action. The workflow stores the report in the fosstars-report branch.

Known issues

Please see GitHub issues.

Support

Please create a new GitHub issue if you find a bug or would like to suggest an enhancement. If you think you have found a security issue, please follow this guideline.

If you have a question, please open a discussion.

Contributing

We appreciate feedback, ideas for improvements and, of course, pull requests.

Please follow this guideline if you'd like to contribute to the project.

Links

  1. Fosstars home page
  2. Fosstars documentation
  3. Open source security rating
  4. Security ratings for well-known open source projects
  5. Open source rules of play rating
