feat: Add schema for project BPB files #2260
Open
Background
While working on the upcoming release for Security Insights v2, I began considering the suggestions from @david-a-wheeler in ossf/security-insights-spec#94.
Problem
While I was able to quickly add some of the suggested values to SIv2, there are a great deal more that didn't get included either due to incompatibility or simply oversight. The gap is massive between SI and BPB, where both provide unique but related value to users.
Solution
There is potential to create more value by allowing project contributors to specify their best practices status in security insights, but maintain their BPB answers in a static version controlled location that can be linked from the SI file.
In a future PR, we can add a feature to BPB that will inspect the project's answers file to issue a badge.
In this Pull Request
This PR includes a Cue schema which will allow for validation of YAML, JSON flavors, and TOML files containing answers to the best practices badge criteria. A corresponding YAML file is included.
The schema matches the pattern and layout of the web form, always requires Passing to be complete, and additionally requires Silver to be completed before moving on to Gold.
Note
Cue was selected for simplicity of maintenance and use.
To validate a YAML or JSON file, install Cue and then run this command format:
cue vet schema.cue example-full.yml
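The level-gating rule described above (Passing always complete, Silver complete before Gold is attempted) re-implemented as a small validator, so the rule can be exercised without installing Cue. This is an added example, not the Cue schema from this PR: the level names, the criterion identifiers and the status vocabulary (`Met`, `Unmet`, `N/A`, `?`) are assumptions for illustration, and the sample answer files are constructed inline as JSON to stay offline.

```python
"""Level-gating check for a Best Practices Badge answers file.

Added example, not the PR's Cue schema. Level names, criterion ids and
the status vocabulary below are assumptions; samples are constructed.
"""
import json

# Assumed status vocabulary. A criterion counts as complete when it is
# Met or does not apply to the project.
COMPLETE_STATUSES = {"Met", "N/A"}
ALL_STATUSES = COMPLETE_STATUSES | {"Unmet", "?"}

# Badge levels in the order a project must satisfy them.
LEVEL_ORDER = ("passing", "silver", "gold")


def level_is_complete(level):
    """True when every criterion in the level is Met or N/A."""
    return all(status in COMPLETE_STATUSES for status in level.values())


def validate_answers(answers):
    """Return a list of problems; an empty list means the file is valid.

    `answers` is the parsed document: a mapping of level name to a mapping
    of criterion id -> status string.
    """
    problems = []

    # Passing is mandatory and must always be complete.
    passing = answers.get("passing")
    if passing is None:
        problems.append("missing required level: passing")
    elif not level_is_complete(passing):
        problems.append("passing is not complete")

    # Reject unknown levels and unknown status values.
    for name, level in answers.items():
        if name not in LEVEL_ORDER:
            problems.append(f"unknown level: {name}")
            continue
        for criterion, status in level.items():
            if status not in ALL_STATUSES:
                problems.append(f"{name}.{criterion}: unknown status {status!r}")

    # A level may only be present once the level before it is complete.
    # The highest level present may itself still be a work in progress.
    for earlier, later in zip(LEVEL_ORDER, LEVEL_ORDER[1:]):
        if later not in answers:
            continue
        if earlier not in answers:
            problems.append(f"{later} present but {earlier} is missing")
        elif not level_is_complete(answers[earlier]):
            problems.append(f"{later} requires {earlier} to be complete")

    return problems


# Constructed sample answer files (JSON used instead of YAML to avoid a
# third-party parser). Criterion ids are illustrative only.
SAMPLES = {
    "valid_passing_only": '{"passing": {"description_good": "Met", "crypto_used_network": "N/A"}}',
    "valid_silver_in_progress": '{"passing": {"description_good": "Met"}, "silver": {"contribution_requirements": "Unmet"}}',
    "invalid_passing_incomplete": '{"passing": {"description_good": "Unmet"}}',
    "invalid_gold_missing_silver": '{"passing": {"description_good": "Met"}, "gold": {"bus_factor": "Met"}}',
    "invalid_gold_before_silver": '{"passing": {"description_good": "Met"}, "silver": {"contribution_requirements": "?"}, "gold": {"bus_factor": "Met"}}',
    "invalid_unknown_level": '{"passing": {"description_good": "Met"}, "platinum": {"x": "Met"}}',
}


def check_samples():
    """Validate every constructed sample; returns name -> list of problems."""
    return {name: validate_answers(json.loads(doc)) for name, doc in SAMPLES.items()}


if __name__ == "__main__":
    for name, problems in check_samples().items():
        verdict = "ok" if not problems else "; ".join(problems)
        print(f"{name}: {verdict}")
```

The check deliberately lets the highest level present be incomplete, since a project fills in Silver answers over time, while Passing is rejected the moment any criterion is Unmet or unanswered, matching the "always requires Passing" wording of the PR.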