✨ Add multi-repo scanning: --repos, --org, and optional --combined output

[gabrielsoltz]

What kind of change does this PR introduce?

This PR introduces support for scanning multiple repositories in a single invocation, while preserving existing behavior by default. The only user-visible change for single-repo usage is a small improvement to the “Starting/Finished” banners (they now include the repo label).

New flags

• --repos: comma-separated list of repositories to scan (e.g., --repos=owner1/repo1,github.com/owner2/repo2).
• --org: GitHub organization handle (e.g., --org=github.com/ossf or ossf).
• --combined: after scanning N repos, print a single combined table with all checks together with two new extra columns, REPO and AGGREGATED SCORE.

Precedence when multiple inputs are provided: --repos ➜ --org ➜ --local ➜ --repo (or repo resolved from package managers).

UX / output changes

Before (single repo):

Starting [License]
Starting [Code-Review]
...
Finished [License]
Finished [Code-Review]
...

Now (single or multi-repo):

Starting (owner/repo) [License]
Starting (owner/repo) [Code-Review]
...
Finished (owner/repo) [License]
Finished (owner/repo) [Code-Review]
...

This makes it obvious which repo each check belongs to—especially important when scanning many repos.
No other output changes occur unless --combined is used.

When --combined is set, a final COMBINED RESULTS section is emitted after all per-repo results, e.g.:

COMBINED RESULTS
----------------
| REPO                                             | AGGREGATED SCORE | SCORE   | NAME                 | REASON                      | DOCUMENTATION/REMEDIATION                                |
|--------------------------------------------------|------------------|---------|----------------------|-----------------------------|----------------------------------------------------------|
| github.com/ossf-tests/scorecard-check-...        | 3.3 / 10         | 10 / 10 | Binary-Artifacts     | no binaries found in repo   | https://github.com/ossf/scorecard/blob/main/docs/...     |
...

Implementation details

• Introduce buildRepoURLs(ctx, *options.Options) ([]string, error):
• Normalizes the input universe and always returns a slice of repo URIs.
• Honors precedence --repos ➜ --org ➜ --local ➜ single --repo/pkg-manager.
• Refactor rootCmd to iterate over the returned list and run the same scan pipeline for each repo.
• ListOrgRepos for listing repositories from the organization, reusing the githubrepo code and logic.

Examples

Scan a list

scorecard --repos=ossf/scorecard,ossf-tests/scorecard-check-branch-protection-e2e

Scan all non-archived repos in an org

scorecard --org=github.com/ossf

Aggregate across many repos

scorecard --repos=ossf/scorecard,ossf-tests/scorecard-check-branch-protection-e2e --combined

• PR title follows the guidelines defined in our pull request documentation

• Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #4792

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

[codecov]

Codecov Report

❌ Patch coverage is 31.53153% with 228 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.48%. Comparing base (353ed60) to head (feb0b0e).
⚠️ Report is 259 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4793      +/-   ##
==========================================
+ Coverage   66.80%   67.48%   +0.67%     
==========================================
  Files         230      250      +20     
  Lines       16602    19395    +2793     
==========================================
+ Hits        11091    13088    +1997     
- Misses       4808     5428     +620     
- Partials      703      879     +176     

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[spencerschrock]

Did a partial review of a few things before I ran out of time, I need to dive more into how you build the repo list, scan repos, and present the results. Feel free to address that feedback now or wait until I have more time for full review

[spencerschrock]

Also, this repo requires DCO.

scorecard/CONTRIBUTING.md

Lines 10 to 14 in 2864c76

	> Additionally the Linux Foundation (LF) requires all contributions include per-commit sign-offs.
	> Ensure you use the `-s` or `--signoff` flag for every commit.
	>
	> For more details, see the [LF DCO wiki](https://wiki.linuxfoundation.org/dco)
	> or [this Pi-hole signoff guide](https://docs.pi-hole.net/guides/github/how-to-signoff/).

For instructions on how to fix it:
https://github.com/ossf/scorecard/pull/4793/checks?check_run_id=50569515731

[spencerschrock]

Just wanted to update you that this is still on my radar! We are trying to cut a 5.3.0 release this week, so my attention has been on that. But once that's cut this week, I will make time to finish. my review, and happy to cut a 5.4.0 or 5.3.1 shortly after

[spencerschrock]

I like this approach overall, I think building a slice of repos and looping over them is the correct approach. Most of my issue is with the --combined output format, is there anyway we can split that into its own PR? I think that would help get --repos and --org merged first.

[spencerschrock]

is this intended to be only change the behavior if --format=default? Currently when I run something like this, I get the "combined" output instead of "json"

go run main.go --org=ossf-tests --format json --combined

Or should this be it's own format value? e.g.

go run main.go --org=ossf-tests --format combined

[gabrielsoltz]

This was not intended, but after reviewing, I definitely prefer your approach to treat combined as a new format option.

[gabrielsoltz]

This is now changed, now we use --format combined... I intentionally left the start/finish banner for the format default and combined. Maybe these banners should be optional, using another flag (--show-progress or something like that).

[spencerschrock]

this changes the behavior of the scorecard binary. Previously if any check had a runtime error, rootCmd would return an error, which would lead to a non-zero exit code. But now these runtime errors don't lead to an exit code.

I think continuing to scan all repositories is good, but we should "remember" if we saw an error along the way so we can return it at the end

[gabrielsoltz]

Makes sense. I added a small implementation for this using sawRuntimeErr. We can improve it, but I think it already aligns with your point.

[spencerschrock]

Thanks, I may change the implementation in a follow-up as it would just be more effective for me to handle my suggested changes.

[spencerschrock]

let's get rid of repoLabelFromURI and just use uri instead of label

Otherwise it would be confusing when you analyze repos across forges:

--repos=github.com/some/repo,gitlab.com/other/repo

Which one is github? Which one is gitlab? What if they both have the exact same repo name?

Starting (some/repo) [Maintained]
...
Starting (other/repo) [Maintained]

[gabrielsoltz]

Good point. And much easier. Changed.

[gabrielsoltz]

The only cosmetic thing is that running with --org, we will get as uri the full URL, like https://github.com/ossf-tests/scorecard-check-pinned-dependencies-e2e...

[github-actions]

This pull request has been marked stale because it has been open for 10 days with no activity

[gabrielsoltz]

Hey @spencerschrock, thank you so much for reviewing my PR — and sorry it took me a while to address your comments; I couldn’t get to it earlier. I left two small cosmetic notes (one about the banners and one about the URI) for us to discuss. Whenever you have a moment, this is ready for another review. ✌️

[spencerschrock]

Whenever you have a moment, this is ready for another review

I will get to this tomorrow, thanks for your patience.

[spencerschrock]

as written, this only prints the results for the default format, but the comment makes me think it should also apply to the combined format:

if o.Format == options.FormatDefault || o.Format == options.FormatCombined {

[spencerschrock]

Thanks, I may change the implementation in a follow-up as it would just be more effective for me to handle my suggested changes.

[spencerschrock]

with the switch to using the existing format flag, this CombinedOutput field is unused

[spencerschrock]

Can we imply this is just for the table output since the other formats naturally combine their output?

FormatCombinedTable = "combined-table"

[spencerschrock]

one of the reasons I suggested splitting this into a separate PR was to get the other code merged, since I knew I would have trickier feedback on this format that would take another cycle or two.

1. All the other format options are methods on results. Is there a reason you didn't go with that approach instead of FormatCombinedResults:

func (r *Result) AsCombinedTable(writer io.Writer, checkDocs docChecks.Doc, opt *AsStringResultOption) error

2. There's a lot of code overlap with AsString, the main difference is the two additional columns. Instead of duplicating the logic, can you make them use a shared helper function with a flag or something?

e.g.

func (r *Result) AsString(writer io.Writer, checkDocs docChecks.Doc, opt *AsStringResultOption) error {
    combined := false
    return common(writer, checkDocs, opt, combined)
}
func (r *Result) AsCombined(writer io.Writer, checkDocs docChecks.Doc, opt *AsStringResultOption) error {
    combined := true
    return common(writer, checkDocs, opt, combined)
}

and then in `common` you can look at that bool to see if you should add the column or not