
Stand up rsrr with check framework, CLI, and initial check set#13

Open
lukpueh wants to merge 1 commit into eclipse-csi:main from lukpueh:rsrr-2nd-wave

Conversation


@lukpueh lukpueh commented May 27, 2026

closes #11, #10, #9, #6 and most of #3

Framework

  • base: introduce Context dataclass (carrying ef_project_id, gh_repo, gh/gl tokens, gl_vuln_kw, shared data dict) and a github_get helper; and BaseCheck (base class).
  • runner: auto-discover Check classes in src/rsrr/checks/, run them in dependency waves via asyncio.gather, skip transitive dependents on failure, treat pre-populated ctx.data entries as already completed, and emit per-check start/ok/err progress lines on stderr
  • cli: Click CLI with rsrr list and rsrr run; flags for --ef-project-id, --gh-repo, --gh-token/GH_TOKEN, --gl-token/GL_TOKEN, --gl-vuln-kw, --ctx-data for incremental result merging

Checks

  • ef_project: Get EF project API results
  • ef_committers: Fetches detailed profile info for each project committer from the EF API
  • ef_inactive_committers: Lists EF committers whose GitHub handle has no commits in the past year
  • ef_cves: Returns advisories from the EF vulnerabilities repo matching the project ID
  • gh_repos: List all GitHub repos for the project
  • gh_repo_clone: Clones the GitHub repo into a temporary directory
  • gh_repo_commit_activity: Returns commit count and committers in the past year for each repo
  • gh_releases: Fetches all releases and counts releases per year
  • gh_alerts: Fetches all Dependabot alerts for a GitHub repo
  • gh_security_advisories: Fetches all security advisories for a GitHub repo
  • gh_private_vulnerability_reporting: Checks if private vulnerability reporting is enabled for a GitHub repo
  • gh_has_dot_github_repo: Checks if each GitHub organization has a .github repo
  • gh_default_security_policy: Checks if each GitHub organization has a default SECURITY.md in its .github repo
  • gh_scorecard: Runs OpenSSF Scorecard against a GitHub repo
  • gh_zizmor: Runs zizmor GitHub Actions security audit on a GitHub repo
  • gl_vulnerability_reports: Searches GitLab vulnerability-reports project for issues matching keywords

Other

  • Add click, httpx runtime deps and pytest/pytest-asyncio dev deps
  • Add tests for base.github_get, the CLI surface, and the runner (discovery, dependency waves, failure propagation, pre-populated data)
  • Add README (install, usage, access-token URLs with minimum scopes) and CLAUDE.md project guide
  • Ignore .venv and result files via .gitignore

Framework
- base: introduce Context dataclass (carrying ef_project_id, gh_repo, gh/gl
  tokens, gl_vuln_kw, shared data dict) and a github_get helper; and
  BaseCheck (base class).
- runner: auto-discover Check classes in src/rsrr/checks/, run them in
  dependency waves via asyncio.gather, skip transitive dependents on failure,
  treat pre-populated ctx.data entries as already completed, and emit per-check
  start/ok/err progress lines on stderr
- cli: Click CLI with `rsrr list` and `rsrr run`; flags for --ef-project-id,
  --gh-repo, --gh-token/GH_TOKEN, --gl-token/GL_TOKEN, --gl-vuln-kw, --ctx-data
  for incremental result merging

Checks
- ef_project: Get EF project API results
- ef_committers: Fetches detailed profile info for each project committer from
  the EF API
- ef_inactive_committers: Lists EF committers whose GitHub handle has no
  commits in the past year
- ef_cves: Returns advisories from the EF vulnerabilities repo matching the
  project ID
- gh_repos: List all GitHub repos for the project
- gh_repo_clone: Clones the GitHub repo into a temporary directory
- gh_repo_commit_activity: Returns commit count and committers in the past
  year for each repo
- gh_releases: Fetches all releases and counts releases per year
- gh_alerts: Fetches all Dependabot alerts for a GitHub repo
- gh_security_advisories: Fetches all security advisories for a GitHub repo
- gh_private_vulnerability_reporting: Checks if private vulnerability
  reporting is enabled for a GitHub repo
- gh_has_dot_github_repo: Checks if each GitHub organization has a .github
  repo
- gh_default_security_policy: Checks if each GitHub organization has a default
  SECURITY.md in its .github repo
- gh_scorecard: Runs OpenSSF Scorecard against a GitHub repo
- gh_zizmor: Runs zizmor GitHub Actions security audit on a GitHub repo
- gl_vulnerability_reports: Searches GitLab vulnerability-reports project for
  issues matching keywords

Other
- Add click, httpx runtime deps and pytest/pytest-asyncio dev deps
- Add tests for base.github_get, the CLI surface, and the runner
  (discovery, dependency waves, failure propagation, pre-populated data)
- Add README (install, usage, access-token URLs with minimum scopes) and
  CLAUDE.md project guide
- Ignore .venv and result files via .gitignore

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Lukas Puehringer <lukas.puehringer@eclipse-foundation.org>
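As an added example, not code from the rsrr project or from this PR: a minimal Python sketch of the runner behaviour the description names (a Context carrying a shared data dict, a BaseCheck base class, checks run in dependency waves via asyncio.gather, transitive dependents skipped when a check fails, pre-populated ctx.data entries treated as already completed, and start/ok/err progress lines on stderr). The depends_on attribute, the run_checks and demo functions, and the stand-in checks with their fixed sample results are assumptions; the real checks call the EF, GitHub and GitLab APIs.

```python
import asyncio
import sys
from dataclasses import dataclass, field
from typing import Any, Optional


@dataclass
class Context:
    """Shared state handed to every check (field names taken from the PR text)."""
    ef_project_id: str
    gh_repo: Optional[str] = None
    gh_token: Optional[str] = None
    gl_token: Optional[str] = None
    gl_vuln_kw: list[str] = field(default_factory=list)
    data: dict[str, Any] = field(default_factory=dict)  # check name -> result

class BaseCheck:
    name: str = ""
    depends_on: tuple[str, ...] = ()  # assumed way of declaring dependencies

    async def run(self, ctx: Context) -> Any:
        raise NotImplementedError

# Constructed stand-in checks: no network access, fixed sample results.
class EfProject(BaseCheck):
    name = "ef_project"

    async def run(self, ctx):
        return {"id": ctx.ef_project_id, "repos": ["example-org/lib", "example-org/tools"]}

class GhRepos(BaseCheck):
    name, depends_on = "gh_repos", ("ef_project",)

    async def run(self, ctx):
        return list(ctx.data["ef_project"]["repos"])

class GhAlerts(BaseCheck):
    name, depends_on = "gh_alerts", ("gh_repos",)

    async def run(self, ctx):
        raise RuntimeError("simulated HTTP 403 from the GitHub API")

class GhScorecard(BaseCheck):
    name, depends_on = "gh_scorecard", ("gh_repos",)

    async def run(self, ctx):
        return {repo: 7.5 for repo in ctx.data["gh_repos"]}

class AlertSummary(BaseCheck):  # can only run if gh_alerts succeeded
    name, depends_on = "alert_summary", ("gh_alerts",)

    async def run(self, ctx):
        return len(ctx.data["gh_alerts"])

def _log(kind: str, name: str, detail: str = "") -> None:
    print(f"[{kind:5}] {name} {detail}".rstrip(), file=sys.stderr)

async def run_checks(checks: list[BaseCheck], ctx: Context) -> dict[str, Any]:
    """Run checks in waves; a wave holds every pending check whose deps are all done."""
    pending = {c.name: c for c in checks if c.name not in ctx.data}  # pre-populated = done
    done = set(ctx.data)
    failed, skipped, waves = {}, set(), []
    while pending:
        wave = [c for c in pending.values() if all(d in done for d in c.depends_on)]
        if not wave:  # deps neither runnable nor failed: a cycle or an unknown check name
            raise RuntimeError(f"unsatisfiable dependencies: {sorted(pending)}")
        for c in wave:
            _log("start", c.name)
        results = await asyncio.gather(*(c.run(ctx) for c in wave), return_exceptions=True)
        for c, res in zip(wave, results):
            del pending[c.name]
            if isinstance(res, BaseException):
                failed[c.name] = f"{type(res).__name__}: {res}"
                _log("err", c.name, failed[c.name])
            else:
                ctx.data[c.name] = res
                done.add(c.name)
                _log("ok", c.name)
        waves.append([c.name for c in wave])
        blocked = True  # drop transitive dependents of failed or skipped checks
        while blocked:
            blocked = [c for c in pending.values() if any(d in failed or d in skipped for d in c.depends_on)]
            for c in blocked:
                del pending[c.name]
                skipped.add(c.name)
                _log("skip", c.name, "dependency failed")
    return {"waves": waves, "failed": failed, "skipped": sorted(skipped)}

def demo(prepopulated: bool = False) -> dict[str, Any]:
    """Run the stand-in checks; with prepopulated=True, ef_project is taken from ctx.data."""
    data = {"ef_project": {"id": "technology.example", "repos": ["example-org/lib"]}} if prepopulated else {}
    ctx = Context(ef_project_id="technology.example", data=data)  # constructed project id
    report = asyncio.run(run_checks([EfProject(), GhRepos(), GhAlerts(), GhScorecard(), AlertSummary()], ctx))
    report["data"] = ctx.data
    return report

if __name__ == "__main__":
    print(demo())
```

With the failing gh_alerts stand-in, the runner still completes gh_scorecard in the same wave, records the error instead of aborting, and skips alert_summary because its only dependency never produced data; passing a pre-populated ef_project result through the Context removes that check from the first wave, which is the mechanism a --ctx-data style incremental rerun relies on.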


Development

Successfully merging this pull request may close these issues.

support caching check results
