This plugin is designed to test a GitHub repository using automated assessments compatible with the Simplified Compliance Infrastructure Layer 4 data types.
Many of the assessments require a Security Insights file to be present at the root of the repository or at `./github/security-insights.yml`.
Assessment development is currently addressing the Open Source Project Security Baseline v2025.02.25.
Where possible, the goal is to work through the OSPS Baseline maturity levels from lowest to highest.
We've pushed an image to Docker Hub for use in GitHub Actions. Many tests are currently pending implementation, and only Maturity Level 1 is currently recommended for use.
You will also need to set up a GitHub personal access token with repository read permissions. This token should be added to your config file or, if using the example pipeline below, as a secret in your repository.
While working on tests, the best way to run the plugin is via `go run . debug --service=<your-service>`. Ensure your local config file is set up correctly beforehand.
You may also pull the code locally and run the local Dockerfile:
- Pull the repo
- Modify `example-config.yml` to use your values, and rename it to `config.yml`
- Build the Docker image: `make docker-build`
- Run the Docker image: `make docker-run`
- Review the output in the directory you've specified in your config file
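As an added illustration of the Security Insights file requirement described above (example code, not part of this plugin), the following Go check resolves the file from the two accepted locations and reports a pass/fail result. It assumes the second location is the `.github` directory, and the `InsightsResult` shape is a hypothetical stand-in for the plugin's own assessment types.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// InsightsResult is a minimal pass/fail record for one assessment
// (hypothetical shape, not the plugin's Layer 4 data types).
type InsightsResult struct {
	Passed  bool
	Path    string // resolved file path when a candidate was found
	Message string
}

// candidateInsightsPaths lists the accepted locations, checked in order.
// Assumption: the second location is the .github metadata directory.
var candidateInsightsPaths = []string{
	"security-insights.yml",
	filepath.Join(".github", "security-insights.yml"),
}

// AssessSecurityInsights looks for a Security Insights file under repoRoot.
// The first candidate that exists decides the outcome: it must be a regular,
// non-empty file (symlinks are not followed, so a link pointing outside the
// checkout does not count as present).
func AssessSecurityInsights(repoRoot string) InsightsResult {
	for _, rel := range candidateInsightsPaths {
		full := filepath.Join(repoRoot, rel)
		info, err := os.Lstat(full)
		if err != nil {
			continue // not present at this location, try the next one
		}
		if !info.Mode().IsRegular() {
			return InsightsResult{Path: full, Message: rel + " is not a regular file"}
		}
		if info.Size() == 0 {
			return InsightsResult{Path: full, Message: rel + " is empty"}
		}
		return InsightsResult{Passed: true, Path: full, Message: "found " + rel}
	}
	return InsightsResult{Message: "no Security Insights file at the repository root or .github/"}
}

func main() {
	root := "." // default to the current checkout; pass a path to override
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	r := AssessSecurityInsights(root)
	fmt.Printf("passed=%t path=%q: %s\n", r.Passed, r.Path, r.Message)
}
```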