scorecard: consolidate to single scRun() call #807

Open

justaugustus wants to merge 3 commits into main from
Archive the completed evidence-upload proposal to openspec/changes/archive/2026-03-28-evidence-upload/ per OpenSpec convention. Add a new proposal to consolidate the N+1 Scorecard check execution into a single sc.Run() call.

Currently when upload.sarif is enabled, checks run N times individually (per-check loop) plus once as a batch (SARIF generation), doubling the compute and API cost. Investigation confirms Scorecard's Run() handles per-check errors gracefully (captured in CheckResult.Error, not as top-level error), making consolidation safe.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Stephen Augustus <foo@auggie.dev>

Replace the per-check loop (N sequential scRun() calls) plus the separate SARIF batch scRun() call with a single batch scRun() call. This eliminates N redundant check executions when upload.sarif is enabled, reducing CPU, I/O, and API cost.

Key changes:
- Check() now calls scRun() once with all valid checks, then iterates Result.Checks for issue text generation
- uploadSARIF() renamed to uploadSARIFResult() and accepts an existing *sc.Result instead of re-running checks
- Unknown check names are filtered before Run() and skipped with a warning (previously broke the loop, losing subsequent checks)
- Per-check errors are skipped with a warning (previously broke the loop, losing subsequent checks)

This is safe because Scorecard's Run() executes all checks concurrently in separate goroutines and captures per-check errors in CheckResult.Error rather than aborting the entire run.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Stephen Augustus <foo@auggie.dev>

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Stephen Augustus <foo@auggie.dev>
55b04fe to f17e651
## Summary

Consolidate the Scorecard policy's check execution from N+1 `scRun()` calls to a single batch call, eliminating redundant check execution when SARIF upload is enabled.

## Motivation

When `upload.sarif: true` is configured, every Scorecard check runs N+1 times — N times individually in the per-check loop (for issue text), then once more as a batch in `uploadSARIF()` (for SARIF + results collection). This doubles the CPU, I/O, and API cost of every scan.

Investigation of Scorecard's `Run()` function confirms batch execution is safe: all checks run concurrently in separate goroutines, per-check errors are captured in `CheckResult.Error` (not as a top-level error), and `Result.Checks` always contains all results.

## Changes

- `Check()` now calls `scRun()` once with all valid checks, then iterates `Result.Checks` for issue text generation
- `uploadSARIF()` renamed to `uploadSARIFResult()` — accepts an existing `*sc.Result` instead of re-running checks
- Unknown check names are filtered before `Run()` and skipped (previously broke the loop, losing subsequent checks)
- Archive the `evidence-upload` OpenSpec proposal to `openspec/changes/archive/`

Net result: -41 lines of code, simpler control flow, better error resilience.

## Behavioral changes

## Test plan

- `go vet` clean
- `go build` clean

🤖 Generated with Claude Code
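The before/after control flow the description lays out, as an added Go example that is not part of this PR or its project: `LegacyCheck` models the N+1 flow (one `scRun()` per check for issue text, then a batch run for SARIF, where an unknown name or a check error stops the loop), and `ConsolidatedCheck` models the single-call flow (unknown names filtered up front, one batch run, per-check errors in `CheckResult.Error` skipped with a warning, and the same `Result` reused for the SARIF upload). The `Runner`, `registry`, `finding` and the simulated `scRun` are assumptions constructed for this example; only the names `scRun()`, `Result.Checks`, `CheckResult.Error` and `uploadSARIFResult()` come from the PR.

```go
package main

import (
	"fmt"
	"log"
)

// CheckResult models what the PR relies on: a failing check records its error here.
type CheckResult struct {
	Name  string
	Score int // 0..10, Scorecard-style
	Error error
}

type Result struct{ Checks []CheckResult }

// registry is a constructed stand-in for Scorecard's check list (assumption).
var registry = map[string]func() (int, error){
	"Binary-Artifacts":    func() (int, error) { return 10, nil },
	"Pinned-Dependencies": func() (int, error) { return 4, nil },
	"Token-Permissions":   func() (int, error) { return 0, fmt.Errorf("constructed: API request failed") },
}

// Runner counts scRun invocations so the N+1 and single-call flows can be compared.
type Runner struct{ Calls int }

// scRun simulates the batch run: an unknown name is a hard error, a check's own failure lands in CheckResult.Error.
func (r *Runner) scRun(checks []string) (*Result, error) {
	r.Calls++
	res := &Result{}
	for _, name := range checks {
		fn, ok := registry[name]
		if !ok {
			return nil, fmt.Errorf("unknown check %q", name)
		}
		score, err := fn()
		res.Checks = append(res.Checks, CheckResult{Name: name, Score: score, Error: err})
	}
	return res, nil
}

// finding renders the issue text for a check that scored below the threshold.
func finding(c CheckResult, threshold int) string {
	return fmt.Sprintf("%s scored %d (threshold %d)", c.Name, c.Score, threshold)
}

// LegacyCheck is the pre-PR flow: one scRun per check for issue text, then a second
// batch scRun for SARIF. An unknown name or a check error stops the loop early.
func LegacyCheck(r *Runner, requested []string, threshold int, sarif bool) ([]string, error) {
	var issues []string
	for _, name := range requested {
		res, err := r.scRun([]string{name})
		if err != nil {
			return issues, err
		}
		if c := res.Checks[0]; c.Error != nil {
			return issues, c.Error
		} else if c.Score < threshold {
			issues = append(issues, finding(c, threshold))
		}
	}
	if sarif { // the redundant second run of every check
		_, err := r.scRun(requested)
		return issues, err
	}
	return issues, nil
}

// ConsolidatedCheck is the post-PR flow: drop unknown names, run the batch once, walk Result.Checks
// skipping per-check errors with a warning, reuse the Result for SARIF. Returns issues and skip count.
func ConsolidatedCheck(r *Runner, requested []string, threshold int, sarif bool) ([]string, int, error) {
	valid, skipped := []string{}, 0
	for _, name := range requested {
		if _, ok := registry[name]; !ok {
			log.Printf("warning: unknown check %q, skipping", name)
			skipped++
		} else {
			valid = append(valid, name)
		}
	}
	res, err := r.scRun(valid)
	if err != nil {
		return nil, skipped, err
	}
	var issues []string
	for _, c := range res.Checks {
		if c.Error != nil {
			log.Printf("warning: check %s failed (%v), skipping", c.Name, c.Error)
			skipped++
		} else if c.Score < threshold {
			issues = append(issues, finding(c, threshold))
		}
	}
	if sarif { // stands in for uploadSARIFResult(res): the existing Result is reused, no second run
		log.Printf("sarif: %d check results ready for upload (placeholder)", len(res.Checks))
	}
	return issues, skipped, nil
}
```

With two valid checks and SARIF enabled, `LegacyCheck` drives three `scRun` calls (N+1) while `ConsolidatedCheck` drives one; with a failing check in the list, the legacy loop returns its error and never reaches the checks after it, whereas the consolidated flow still produces issue text for every check that succeeded.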