Thanks for pointing me to that. But for me it looks like a different problem. Scorecard does not say that SAST is not detected, it says: "SAST tool detected but not run on all commmits".

My mistake, we recently changed how we look for the workflow file, so I had assumed that was it.

In terms of detecting it on all commits, I see this when running Scorecard

go run main.go --repo google/brotli --checks SAST --show-details --verbosity debug --show-details --format json | jq

    {
      "details": [
        "Debug: tool detected: github-code-scanning",
        "Debug: tool detected: github-code-scanning",
        "Warn: 2 commits out of 5 are checked with a SAST tool",
        "Warn: CodeQL tool not detected"
      ],
      "score": 4,
      "reason": "SAST tool is not run on all commits -- score normalized to 4",
      "name": "SAST",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast",
        "short": "Determines if the project uses static code analysis."
      }
    }

The offending PRs seem to be empty PRs from Copybara:

List of pull requests without CI test: 1039, 1035, 1021

For each of the last 30 commits, Scorecard looks at the associated PR and then the last commit in that PR to look for the SAST tool. So the current logic doesn't count direct pushes to main, but rather that a SAST tool is run on a PR before merging. There has been some discussion on that here ossf/scorecard#1580

Bug: SAST is calculated incorrectly #1231

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions