Extension candidate: git-pkgs-scorecard. Self-contained, calls one external API, doesn't need the git-pkgs database. Can read the dependency list from git pkgs list --format json and query the scorecard API independently. Most users won't need scorecard data, so keeping it out of the core binary avoids bloat.
The enrichment/scorecard/scorecard.go client already exists as a Go library and can be imported directly by the extension, so there's no need to reimplement the API client.
A git pkgs scorecard command would iterate over dependencies that have known repository URLs (from enrichment or forges), fetch their scorecard results, and display them. Useful flags: --below N to filter to packages scoring below a threshold, and maybe --checks Maintained,Dangerous-Workflow to show specific checks only.
Structured JSON output would let tools apply thresholds programmatically instead of curling the API themselves. For reference, OpenSSF scores below 5 warrant a closer look, and Maintained or Dangerous-Workflow below 3 are higher risk.
Extension candidate:
git-pkgs-scorecard. Self-contained, calls one external API, doesn't need the git-pkgs database. Can read the dependency list fromgit pkgs list --format jsonand query the scorecard API independently. Most users won't need scorecard data, so keeping it out of the core binary avoids bloat.The
enrichment/scorecard/scorecard.goclient already exists as a Go library and can be imported directly by the extension, so there's no need to reimplement the API client.A
git pkgs scorecardcommand would iterate over dependencies that have known repository URLs (from enrichment or forges), fetch their scorecard results, and display them. Useful flags:--below Nto filter to packages scoring below a threshold, and maybe--checks Maintained,Dangerous-Workflowto show specific checks only.Structured JSON output would let tools apply thresholds programmatically instead of curling the API themselves. For reference, OpenSSF scores below 5 warrant a closer look, and
MaintainedorDangerous-Workflowbelow 3 are higher risk.