Here is a list of the details that must be in sync between your SOOS account, open source package(s) and source repository(ies) to meet the required criteria for the Community Edition.

Manifests & Packages

To scan a GitHub repository, it must contain a manifest file in a format supported by SOOS.  See the Supported Languages and Manifests article for the full list.  The manifest must declare a package that is public and published to a supported Package Manager.  The list of supported Package Managers is in the same article.

Package-to-GitHub Repository Link

Within the metadata of an open source package, a reference must be made back to the source GitHub repository.  The method to do this differs by package manager, but usually can be accomplished through a repository URL, homepage URL, or project URL metadata property.  This is defined when the package is published or within the manifest file.

Example: The soos-sca Python package is linked to the corresponding GitHub repository through the Source property.  The repository URL https://github.com/soos-io/soos-ci-analysis-python is defined in the setup.cfg file here: https://github.com/soos-io/soos-ci-analysis-python/blob/main/setup.cfg

Without this linkage SOOS Community cannot verify that the package originates from the repository being scanned.  If the link is missing, either the scan will error or you will be prevented from creating the Project/Package link in the SOOS UI.  To correct this, add the appropriate repository link to the package metadata and re-publish the package.

GitHub Repository Matching

The GitHub organization that has been integrated with the SOOS account must be the same organization that the package originates from.  Additionally, the repository being scanned must match the repository defined in the package metadata.

Example: The soos-sca package ID originates in the soos-ci-analysis-python repository.  If that same package ID is referenced in the soos-integration-java-core repository, and then that repository is scanned by SOOS Community Edition, the scan will fail because the package is not appropriately linked to the repository being scanned.
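The following script is an added example, not SOOS code, that reproduces the two checks described in the Package-to-GitHub Repository Link and GitHub Repository Matching sections: it reads the repository link out of a package's setup.cfg metadata, normalizes GitHub URLs (https, ssh, trailing ".git") so that they compare reliably, and reports whether the scanned repository and the integrated organization match the link.  The setup.cfg text and the example-org/example-sca names are constructed for illustration; the soos-io repository names reused in the usage section are the ones the examples above mention.  Whether the link comes from the "Source" project URL or the top-level "url" field is treated as an assumption, since the article only says the property differs by package manager.

```python
"""Check that a package's metadata links back to the GitHub repository being
scanned, mirroring the SOOS Community Edition criteria described above.

Added example; not SOOS code. Names and the setup.cfg text are constructed.
"""
from __future__ import annotations

import configparser
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample setup.cfg. Assumption: the link lives in the top-level
# "url" field and/or a "Source" entry under project_urls.
SAMPLE_SETUP_CFG = """\
[metadata]
name = example-sca
version = 1.0.0
url = https://github.com/example-org/example-sca
project_urls =
    Source = https://github.com/example-org/example-sca
    Documentation = https://example-org.github.io/example-sca
"""

# project_urls labels that plausibly carry the repository link
LINK_LABELS = ("source", "repository", "homepage", "project", "url")


def repository_urls_from_setup_cfg(text: str) -> list[str]:
    """Collect candidate repository URLs from [metadata] url and project_urls."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    urls: list[str] = []
    if cfg.has_option("metadata", "url"):
        urls.append(cfg.get("metadata", "url").strip())
    # project_urls is a multi-line value; setuptools accepts "Label = URL" or "Label, URL"
    for line in cfg.get("metadata", "project_urls", fallback="").splitlines():
        m = re.match(r"\s*([^=,]+?)\s*[=,]\s*(\S+)", line)
        if m and m.group(1).lower() in LINK_LABELS:
            urls.append(m.group(2))
    return list(dict.fromkeys(urls))  # de-duplicate, keep order


def github_org_repo(url: str) -> Optional[tuple[str, str]]:
    """Return (org, repo), lower-cased, for an https/http/git+https/ssh GitHub URL."""
    u = url.strip()
    m = re.match(r"^(?:git\+)?ssh://git@github\.com/|^git@github\.com:", u)
    if m:
        path = u[m.end():]
    else:
        parts = urlsplit(u[4:] if u.startswith("git+") else u)
        if parts.netloc.lower() not in ("github.com", "www.github.com"):
            return None  # not a GitHub URL (e.g. a registry page)
        path = parts.path
    segs = [s for s in path.strip("/").split("/") if s]
    if len(segs) < 2:
        return None
    org, repo = segs[0], segs[1]
    if repo.endswith(".git"):
        repo = repo[:-4]
    return org.lower(), repo.lower()


def check_link(repository_urls: list[str], integrated_org: str, scanned_repo_url: str) -> str:
    """Return "ok" or the reason the package/repository link fails the criteria.

    integrated_org: the GitHub organization integrated with the SOOS account.
    scanned_repo_url: the repository the scan is being run against.
    """
    scanned = github_org_repo(scanned_repo_url)
    if scanned is None:
        return "scanned repository is not a GitHub URL"
    linked = [r for r in (github_org_repo(u) for u in repository_urls) if r]
    if not linked:
        return "package metadata has no GitHub repository link"
    if scanned[0] != integrated_org.lower():
        return "scanned repository is not in the integrated organization"
    if scanned in linked:
        return "ok"
    if any(org == scanned[0] for org, _ in linked):
        return "package links to a different repository in the same organization"
    return "package links to a repository in a different organization"


if __name__ == "__main__":
    urls = repository_urls_from_setup_cfg(SAMPLE_SETUP_CFG)
    print("linked:", urls)
    for scanned in ("https://github.com/example-org/example-sca",
                    "git@github.com:example-org/other-repo.git",
                    "https://github.com/someone-else/example-sca"):
        print(scanned, "->", check_link(urls, "example-org", scanned))
```

Running it prints "ok" for the linked repository, the "different repository in the same organization" reason for the scenario in the example above (the soos-sca package ID referenced from soos-integration-java-core), and the "different organization" reason for a fork that still carries the upstream link.  The de-duplication matters because the same URL often appears in both the url and Source fields.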

Unique Package Linking

If a GitHub repository has multiple contributors, any of them may create a SOOS Community account to integrate with that repository, and establish a link to a project & package within the repository to begin scanning.  If a second contributor creates a separate SOOS Community account and integrates with the same repository, the following error message will display when attempting to create a link to the same project and package within the repository.  

Error message indicating an open source package has already been linked to a SOOS Community account

A package may be linked to only one SOOS Community account.  To resolve this error, either the initial contributor must unlink the package so the second contributor can link to it, or the initial contributor must invite the second contributor to join their SOOS account, giving them access to that package and its scan data.

Scanning GitHub Repository Forks

Repository forks can be scanned, as long as the fork publishes a package ID that is distinct from the original's and the new package's metadata references the forked repository URL rather than the upstream one.  Refer to the Package-to-GitHub Repository Link section above.

Out of Date Badge

If SOOS fails to detect a badge in the README for your repository, we will prompt you to re-add the badge markdown and will disable scanning until you add the badge. As soon as we detect the presence of the badge we will automatically re-enable scanning.

SOOS UI warning message indicating that a badge has not been correctly added to a linked public GitHub repository

Scanning GitHub Repositories without a Public Package

Open source repositories that do not contain a package published to a public registry satisfy the badge requirement with a scan-based badge instead.  See the SOOS Badges article for the different badge types.