{"id":26719352,"url":"https://github.com/erzz/codeclimate-standalone","last_synced_at":"2025-09-03T18:42:33.938Z","repository":{"id":40557130,"uuid":"368211370","full_name":"erzz/codeclimate-standalone","owner":"erzz","description":"Runs a detached version of CodeClimate which reports only in the workflow and does not require the CodeClimate Service","archived":false,"fork":false,"pushed_at":"2025-08-11T14:49:31.000Z","size":42,"stargazers_count":9,"open_issues_count":4,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-08-12T14:23:06.532Z","etag":null,"topics":["code-quality","code-quality-analyzer","codeclimate","quality","testing"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/erzz.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-05-17T14:16:11.000Z","updated_at":"2024-03-17T16:01:27.000Z","dependencies_parsed_at":"2025-04-14T04:07:21.163Z","dependency_job_id":"3c510622-132b-4bc6-8d68-99e47348777a","html_url":"https://github.com/erzz/codeclimate-standalone","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/erzz/codeclimate-standalone","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/erzz%2Fcodeclimate-standalone","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/erzz%2Fcodeclimate-standalone/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositorie
s/erzz%2Fcodeclimate-standalone/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/erzz%2Fcodeclimate-standalone/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/erzz","download_url":"https://codeload.github.com/erzz/codeclimate-standalone/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/erzz%2Fcodeclimate-standalone/sbom","scorecard":{"id":382089,"data":{"date":"2025-08-11","repo":{"name":"github.com/erzz/codeclimate-standalone","commit":"49bbc67be9d538347efafbc582846819331f618b"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.8,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/7 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily 
download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/release.yml:1","Warn: no topLevel permission defined: .github/workflows/sonar.yml:1","Warn: no topLevel permission defined: .github/workflows/tests.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/erzz/codeclimate-standalone/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/erzz/codeclimate-standalone/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sonar.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/erzz/codeclimate-standalone/sonar.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/sonar.yml:17: update your workflow using 
https://app.stepsecurity.io/secureworkflow/erzz/codeclimate-standalone/sonar.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/erzz/codeclimate-standalone/tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/erzz/codeclimate-standalone/tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/erzz/codeclimate-standalone/tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/erzz/codeclimate-standalone/tests.yml/main?enable=pin","Info:   0 out of   6 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   2 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security 
policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 24 are checked with a 
SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-18T15:41:57.633Z","repository_id":40557130,"created_at":"2025-08-18T15:41:57.633Z","updated_at":"2025-08-18T15:41:57.633Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273492394,"owners_count":25115596,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-03T02:00:09.631Z","response_time":76,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["code-quality","code-quality-analyzer","codeclimate","quality","testing"],"created_at":"2025-03-27T17:59:02.084Z","updated_at":"2025-09-03T18:42:33.890Z","avatar_url":"https://github.com/erzz.png","language":null,"readme":"# codeclimate-standalone\n\n[![Tests](https://github.com/erzz/codeclimate-standalone/actions/workflows/tests.yml/badge.svg)](https://github.com/erzz/codeclimate-standalone/actions/workflows/tests.yml)\n\n## Purpose\n\nCode Climate is a great service with pricing and plans for all kinds of users. 
However there are cases where you may not want to send results to an external service or just want a quick PASS / FAIL based on simple thresholds directly within the workflow with no frills\n\nThis action produces a json report with pass / fail thresholds for the different severities of finding and optionally a readable HTML report that you can upload as a job artifact.\n\nThe action uses the container version of the codeclimate CLI and is configured to your tastes using the same configuration file and settings you would use for the full service.\n\n## Code Climate Configuration\n\nCode Climate has a comprehensive ability to configure via .codeclimate.yml at the root of your project (or using a custom path with this action - see inputs below).\n\nAlthough a configuration is not required (Code Climate will attempt to discover languages used and apply some standard rules), it is highly recommended you provide a configuration that suits your needs as it will provide more satisfactory results and speed up execution as the job will not need to try and discover languages etc.\n\nFor details of Code Climate configuration see:\n\n- https://docs.codeclimate.com/docs/default-analysis-configuration\n- https://docs.codeclimate.com/docs/advanced-configuration\n\n## Available Inputs\n\nNone of the inputs are currently mandatory!\n\n| Input                | Default          | Details                                                                                     |\n| -------------------- | ---------------- | ------------------------------------------------------------------------------------------- |\n| `config_file`        | .codeclimate.yml | Optional relative path to custom location of Code Climate config file (must be yaml format) |\n| `html_report`        | false            | Set to true if you wish to also have an HTML format report produced                         |\n| `info_threshold`     | 0                | The number of findings of severity INFO allowed before the 
job returns a failure            |\n| `minor_threshold`    | 0                | The number of findings of severity MINOR allowed before the job returns a failure           |\n| `major_threshold`    | 0                | The number of findings of severity MAJOR allowed before the job returns a failure           |\n| `critical_threshold` | 0                | The number of findings of severity CRITICAL allowed before the job returns a failure        |\n| `blocker_threshold`  | 0                | The number of findings of severity BLOCKER allowed before the job returns a failure         |\n\n## Outputs\n\nSome simple outputs are provided for use in later steps / jobs\n\n| Output              | Details                                     |\n| ------------------- | ------------------------------------------- |\n| `info_findings`     | The number of findings of severity INFO     |\n| `minor_findings`    | The number of findings of severity MINOR    |\n| `major_findings`    | The number of findings of severity MAJOR    |\n| `critical_findings` | The number of findings of severity CRITICAL |\n| `blocker_findings`  | The number of findings of severity BLOCKER  |\n\n## Potential Artifacts\n\n### codeclimate-report.json\n\nThe default output of this job is the JSON format of the report and it is often useful for further parsing and manipulation.\n\n### codeclimate-report.html\n\nThis report is only available if the input `html_report` is set to true. 
Useful for a human to read when investigating the findings, with helpful links and references.\n\n### Collecting artifacts\n\nAs with any other artifact, a simple step such as the following uploads both the JSON and HTML (if enabled) reports at the end of the job. The `if: always()` condition matters: the action fails the job when a threshold is exceeded, which is exactly when the reports are wanted.\n\n```yaml\n- name: Upload Reports\n  uses: actions/upload-artifact@v4\n  if: always()\n  with:\n    name: Code Climate Reports\n    path: |\n      codeclimate-report.json\n      codeclimate-report.html\n```\n\n## Examples\n\n### Run a default codeclimate scan\n\nThe main thing to ensure is that you **MUST** check out your code in a preceding step, otherwise there is nothing to scan.\n\nIf you place your `.codeclimate.yml` at the root of your project then no further configuration is required by default.\n\n```yaml\njobs:\n  code-quality:\n    name: Code Climate Standalone\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Run Code Climate\n        uses: erzz/codeclimate-standalone@v0\n```\n\n### Provide your own pass / fail thresholds\n\n```yaml\njobs:\n  code-quality:\n    name: Code Climate Standalone\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Run Code Climate\n        uses: erzz/codeclimate-standalone@v0\n        with:\n          info_threshold: 10\n          minor_threshold: 5\n          major_threshold: 1\n          critical_threshold: 0\n          blocker_threshold: 0\n```\n\n### Run a codeclimate scan with additional HTML report\n\nThe CLI cannot, as far as is known, produce two report formats from a single scan, so the first execution produces the JSON report, which is easier to parse for a pass / fail result.\n\nThis action provides the option `html_report` (default false) to run a second scan that produces an additional, much more readable HTML report, which you can upload as an artifact for developers to use when there are findings.\n\nThe second execution does mean the job takes a little longer, but not by much. Most of the time in the first execution is spent by the Code Climate CLI pulling the various docker images it needs and setting up. As the images are already pulled by the time the second execution starts, rerunning the scan for the HTML report typically adds only 10-20s.\n\nIn basic testing on a tiny project (this repository) execution time is typically:\n\n- ~1m 50s without HTML report\n- ~2m 10s with HTML report\n\n```yaml\njobs:\n  code-quality:\n    name: Code Climate Standalone\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Run Code Climate\n        uses: erzz/codeclimate-standalone@v0\n        with:\n          html_report: true\n\n      - name: Upload Report\n        uses: actions/upload-artifact@v4\n        if: always()\n        with:\n          name: Code Climate Report\n          path: codeclimate-report.html\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ferzz%2Fcodeclimate-standalone","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ferzz%2Fcodeclimate-standalone","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ferzz%2Fcodeclimate-standalone/lists"}
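The README's inputs and outputs describe the action's pass / fail rule (a severity fails the job when its count exceeds the allowed number, default 0) and the per-severity counts it exposes as outputs, but not how `codeclimate-report.json` is actually evaluated. The script below is an added example of that evaluation and is not the action's own code. It assumes the report is the JSON array emitted by `codeclimate analyze -f json` (one object per finding with `type: issue` and a lowercase `severity`); the sample report, the function names and the `*_THRESHOLD` environment variables are constructed for this example. It also handles two edge cases the README does not mention: severity values in a different case, and findings whose severity is not one of the five documented levels, which would otherwise slip past every threshold.

```python
"""Threshold evaluation for a Code Climate CLI JSON report.

Added example, not the codeclimate-standalone action's own code. Assumes the
report is the JSON array written by `codeclimate analyze -f json`: one object
per finding with "type": "issue" and a "severity" of info/minor/major/
critical/blocker. The sample report, function names and environment variable
names below are constructed for the example.
"""
import json
from typing import Dict, List, Tuple

SEVERITIES = ("info", "minor", "major", "critical", "blocker")

# Constructed sample in the report's shape; not real output from any project.
SAMPLE_REPORT = json.dumps([
    {"type": "issue", "check_name": "method-lines", "severity": "minor",
     "description": "Method `load` has 40 lines", "location": {"path": "app.rb"}},
    {"type": "issue", "check_name": "similar-code", "severity": "major",
     "description": "Similar blocks of code", "location": {"path": "lib/a.rb"}},
    {"type": "issue", "check_name": "argument-count", "severity": "MINOR",
     "description": "Too many arguments", "location": {"path": "lib/b.rb"}},
    {"type": "issue", "check_name": "custom-engine", "severity": "weird",
     "description": "Severity not in the spec", "location": {"path": "x.rb"}},
    {"type": "measurement", "name": "loc", "value": 120},
])


def count_by_severity(report_json: str) -> Dict[str, int]:
    """Count issues per severity; anything outside SEVERITIES lands in 'unknown'."""
    counts = {s: 0 for s in SEVERITIES}
    counts["unknown"] = 0
    for entry in json.loads(report_json):
        if entry.get("type") != "issue":
            continue  # measurements and other record types are not findings
        sev = str(entry.get("severity", "")).lower()  # engines are not consistent on case
        counts[sev if sev in SEVERITIES else "unknown"] += 1
    return counts


def evaluate(counts: Dict[str, int], thresholds: Dict[str, int],
             fail_on_unknown: bool = True) -> Tuple[bool, List[str]]:
    """Apply the README's rule: a severity fails when its count exceeds the
    number of findings allowed. Missing thresholds default to 0, as the
    action's inputs do. Unknown severities fail by default so that a
    misbehaving engine cannot bypass every threshold."""
    failures = []
    for sev in SEVERITIES:
        allowed = int(thresholds.get(sev, 0))
        if counts[sev] > allowed:
            failures.append(f"{sev}: {counts[sev]} findings, {allowed} allowed")
    if fail_on_unknown and counts["unknown"]:
        failures.append(f"unknown severity: {counts['unknown']} findings")
    return (not failures), failures


def github_outputs(counts: Dict[str, int]) -> List[str]:
    """key=value lines in the format GitHub reads from $GITHUB_OUTPUT,
    named like the action's documented outputs (info_findings, ...)."""
    return [f"{sev}_findings={counts[sev]}" for sev in SEVERITIES]


if __name__ == "__main__":
    import os
    import sys

    # Usage: python evaluate.py codeclimate-report.json  (falls back to the sample)
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    counts = count_by_severity(report)
    # Hypothetical env names for the example, e.g. MAJOR_THRESHOLD=1
    thresholds = {s: int(os.environ.get(f"{s.upper()}_THRESHOLD", 0)) for s in SEVERITIES}
    ok, failures = evaluate(counts, thresholds)
    out_path = os.environ.get("GITHUB_OUTPUT")
    if out_path:
        with open(out_path, "a") as fh:
            fh.write("\n".join(github_outputs(counts)) + "\n")
    print("\n".join(failures) or "all thresholds satisfied")
    sys.exit(0 if ok else 1)
```

With the constructed sample and default thresholds the run fails on three counts (2 minor, 1 major, 1 unknown); with `MINOR_THRESHOLD=5 MAJOR_THRESHOLD=1` only the unknown severity still fails, which is the conservative choice for a gate.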
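The OpenSSF Scorecard data in this record scores the project 0/10 on Token-Permissions (no top-level `permissions` in release.yml, sonar.yml or tests.yml) and 0/10 on Pinned-Dependencies (0 of 6 GitHub-owned and 0 of 2 third-party action references pinned by hash). The README's own snippets have the same two weaknesses: actions referenced by mutable tag and no `permissions` block, so the default GITHUB_TOKEN keeps whatever write scopes the repository grants it. The workflow below is an added example, not the project's code, showing the README's threshold job with both fixed. The `<sha>` placeholders are deliberate: replace each with the 40-character commit hash of the release you have reviewed (for example by resolving the tag with `git ls-remote --tags https://github.com/actions/checkout`); the version tag stays in a trailing comment so update tooling can keep the pin current.

```yaml
name: Code Quality

on:
  pull_request:

# Read-only token for the whole workflow. Scorecard's Token-Permissions check
# flags workflows without this block because nothing then limits what the
# job's GITHUB_TOKEN may write. Scanning and uploading an artifact need no
# write scope.
permissions:
  contents: read

jobs:
  code-quality:
    name: Code Climate Standalone
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # Pinned by full commit SHA rather than the movable v4 tag, so a
        # compromised or force-moved tag cannot change what runs here.
        # <sha> is a placeholder, not a real hash.
        uses: actions/checkout@<sha> # v4

      - name: Run Code Climate
        # Same treatment for the third-party action; the tag the README uses
        # (@v0) is a moving target.
        uses: erzz/codeclimate-standalone@<sha> # v0
        with:
          html_report: true
          info_threshold: 10
          minor_threshold: 5
          major_threshold: 1
          critical_threshold: 0
          blocker_threshold: 0

      - name: Upload Reports
        # always(): the reports matter most on the runs where a threshold
        # failed the job, which would otherwise skip this step.
        uses: actions/upload-artifact@<sha> # v4
        if: always()
        with:
          name: Code Climate Reports
          path: |
            codeclimate-report.json
            codeclimate-report.html
```

Pinning by hash only helps if the hash is checked against the tag you intended; review the action's source at that commit once, and let the tooling that bumps the comment bump the hash with it.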