Here is a list of the details that must be in sync between your SOOS account, open source package(s) and source repository(ies) to meet the required criteria for the Community Edition.
Manifests & Packages
To scan a GitHub repository, it must contain a manifest file in a format supported by SOOS; the full list is in the Supported Languages and Manifests article. The manifest must declare a package that is public and published to a supported Package Manager. The list of supported Package Managers is in the same article.
Package-to-GitHub Repository Link
Within the metadata of an open source package, a reference must be made back to the source GitHub repository. The method to do this differs by package manager, but usually can be accomplished through a repository URL, homepage URL, or project URL metadata property. This is defined when the package is published or within the manifest file.
Example: The soos-sca Python package is linked to the corresponding GitHub repository through the Source property. The repository URL https://github.com/soos-io/soos-ci-analysis-python is defined in the setup.cfg file here: https://github.com/soos-io/soos-ci-analysis-python/blob/main/setup.cfg
Without this linkage, SOOS Community cannot verify that the package originates from the repository being scanned. If the link is missing, either the scan will error or you will be prevented from creating the Project/Package link in the SOOS UI. To correct this, add the appropriate link to the package metadata and re-publish the package.
GitHub Repository Matching
The GitHub organization that has been integrated with the SOOS account must be the same organization that the package originates from. Additionally, the repository being scanned must match the repository defined in the package metadata.
Example: The soos-sca package ID originates in the soos-ci-analysis-python repository. If that same package ID is referenced in the soos-integration-java-core repository, and that repository is then scanned by SOOS Community Edition, the scan will fail because the package is not appropriately linked to the repository being scanned.
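The following is an added example, not SOOS's own code, that performs the two checks described in the Package-to-GitHub Repository Link and GitHub Repository Matching sections for a Python package: it reads the standard setuptools `url` and `project_urls` keys from a setup.cfg, normalizes any GitHub URLs it finds, and reports whether the package metadata points at the repository being scanned. The setup.cfg text is a constructed sample modelled on the soos-sca example above; the label names accepted under `project_urls` (Source, Repository, Homepage, Project) are an assumption that generalizes the repository/homepage/project URL properties the page mentions.

```python
"""Added example (not SOOS's own code): verify that a Python package's
setup.cfg links back to the GitHub repository being scanned."""
import configparser
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample setup.cfg, modelled on the soos-sca package's manifest.
# `url` and `project_urls` are the standard setuptools [metadata] keys.
SAMPLE_SETUP_CFG = """
[metadata]
name = soos-sca
version = 0.0.0
url = https://github.com/soos-io/soos-ci-analysis-python
project_urls =
    Source = https://github.com/soos-io/soos-ci-analysis-python
    Documentation = https://example.invalid/docs
"""

# Assumption: these project_urls labels are the ones that name a source repository.
REPO_LABELS = {"source", "repository", "homepage", "project"}


def normalize_github_repo(url: str) -> Optional[str]:
    """Return 'org/repo' (lower-cased, without a .git suffix) for a GitHub URL,
    or None when the URL is not a GitHub repository URL."""
    parsed = urlparse(url.strip())
    if parsed.netloc.lower() not in {"github.com", "www.github.com"}:
        return None
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2:
        return None
    org, repo = parts[0], parts[1]
    if repo.endswith(".git"):
        repo = repo[:-4]
    return f"{org}/{repo}".lower()


def repository_links(setup_cfg_text: str) -> List[str]:
    """Collect every repository-style URL declared in the [metadata] section."""
    cfg = configparser.ConfigParser()
    cfg.read_string(setup_cfg_text)
    if not cfg.has_section("metadata"):
        return []
    meta = cfg["metadata"]
    links = []
    if meta.get("url"):
        links.append(meta["url"].strip())
    # project_urls is a multi-line "Label = URL" value; configparser returns the
    # continuation lines joined with newlines.
    for line in meta.get("project_urls", "").splitlines():
        if "=" in line:
            label, _, value = line.partition("=")
            if label.strip().lower() in REPO_LABELS:
                links.append(value.strip())
    return links


def check_package_link(setup_cfg_text: str, scanned_repo_url: str) -> dict:
    """Report whether the manifest links the package back to the scanned repository.
    A missing link or a link to a different repository both fail, which mirrors
    the scan errors described in the sections above."""
    target = normalize_github_repo(scanned_repo_url)
    declared = [normalize_github_repo(u) for u in repository_links(setup_cfg_text)]
    declared = [d for d in declared if d]
    if not declared:
        return {"ok": False, "reason": "no GitHub repository link in package metadata"}
    if target in declared:
        return {"ok": True, "reason": "package metadata references the scanned repository"}
    return {"ok": False,
            "reason": f"package links to {sorted(set(declared))}, not {target}"}


if __name__ == "__main__":
    # Matching repository: passes. Different repository in the same org: fails.
    print(check_package_link(SAMPLE_SETUP_CFG,
                             "https://github.com/soos-io/soos-ci-analysis-python"))
    print(check_package_link(SAMPLE_SETUP_CFG,
                             "https://github.com/soos-io/soos-integration-java-core"))
```

Running the block with the constructed manifest passes for soos-ci-analysis-python and fails for soos-integration-java-core, which is the second example scenario above. The same approach applies to other package managers once the metadata field that carries the repository URL is known for that ecosystem.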
Unique Package Linking
If a GitHub repository has multiple contributors, any of them may create a SOOS Community account to integrate with that repository, and establish a link to a project & package within the repository to begin scanning. If a second contributor creates a separate SOOS Community account and integrates with the same repository, the following error message will display when attempting to create a link to the same project and package within the repository.
Packages may only be linked to one unique SOOS Community account. To get past this error, either the initial contributor must unlink the package so the second contributor can link to it, or the initial contributor must invite the second contributor to join their SOOS account to be able to access that package and scan data.
Scanning GitHub Repository Forks
Repository forks can be scanned, as long as the forked repository publishes a package ID that is different from the original's and the new package's metadata references the forked repository URL. Refer to the Package-to-GitHub Repository Link section above.
Out of Date Badge
If SOOS fails to detect a badge in the README for your repository, we will prompt you to re-add the badge markdown and will disable scanning until you add the badge. As soon as we detect the presence of the badge we will automatically re-enable scanning.
Scanning GitHub Repositories without a Public Package
Open Source repositories which do not contain a package published to a public registry will satisfy the badge requirement using a scan-based badge. Read here about the different types of SOOS Badges.