{"id":18833995,"url":"https://github.com/jetstack/tally","last_synced_at":"2025-11-06T21:03:32.249Z","repository":{"id":65198756,"uuid":"533686537","full_name":"jetstack/tally","owner":"jetstack","description":null,"archived":false,"fork":false,"pushed_at":"2023-11-13T16:42:23.000Z","size":1931,"stargazers_count":14,"open_issues_count":16,"forks_count":0,"subscribers_count":18,"default_branch":"main","last_synced_at":"2025-03-27T18:55:17.626Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jetstack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-09-07T09:00:43.000Z","updated_at":"2024-04-24T15:31:22.000Z","dependencies_parsed_at":"2024-06-19T17:36:27.811Z","dependency_job_id":"de26a7fe-5df4-459c-bbe7-2c6b3ff575c5","html_url":"https://github.com/jetstack/tally","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Ftally","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Ftally/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Ftally/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Ftally/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jetstack","download_url":"https://codeload.github.com/jetstack/tally/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://git
hub.com","kind":"github","repositories_count":248821892,"owners_count":21166978,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T02:06:04.514Z","updated_at":"2025-11-06T21:03:32.208Z","avatar_url":"https://github.com/jetstack.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# tally\n\nFinds [OpenSSF Scorecard](https://github.com/ossf/scorecard) scores for packages\nin a Software Bill of Materials.\n\n⚠️ This tool is currently under active development. There will be breaking changes\nand how it works may change significantly as it matures.\n\n## Usage\n\n### Basic\n\nGenerate an SBOM in CycloneDX JSON format and then scan it with `tally`.\n\nThis uses the [public scorecard API](https://api.securityscorecards.dev/#/) to\nfetch the latest score for each repository.\n\n```\n$ syft prom/prometheus -o cyclonedx-json \u003e bom.json\n$ tally bom.json\nREPOSITORY                            SCORE\ngithub.com/googleapis/google-cloud-go 9.3\ngithub.com/imdario/mergo              9.1\ngithub.com/googleapis/gax-go          8.9\ngithub.com/kubernetes/api             8.2\ngithub.com/azure/go-autorest          8.0\ngithub.com/googleapis/go-genproto     7.9\n...\n```\n\nYou could also pipe the BOM directly to `tally`:\n\n```\n$ syft prom/prometheus -o cyclonedx-json | tally -\n```\n\n### Generate scores\n\nThe public API may not have a score for every discovered repository but `tally`\ncan generate these scores itself when the `-g/--generate` flag is\nset.\n\nScores are generated from the `HEAD` of the repository.\n\nThis 
requires that the `GITHUB_TOKEN` environment variable is set to a valid\ntoken.\n\n```\n$ export GITHUB_TOKEN=\u003ctoken\u003e\n$ tally -g bom.json\nGenerating score for 'github.com/foo/bar' [---------\u003e..] 68/72\n```\n\nThis may take a while, depending on the number of missing scores.\n\nIf you'd like to generate all the scores yourself, you can disable fetching\nscores from the API with `--api=false`.\n\n### Cache\n\nTo speed up subsequent runs, `tally` will cache scorecard results to a local\ndatabase. You can disable the cache with `--cache=false`.\n\nBy default, `tally` will ignore results that were cached more than 7 days ago.\nThis window can be changed with the `--cache-duration` flag:\n\n```\ntally --cache-duration=20m bom.json\n```\n\nThe cache is stored in the user's home cache directory, which is commonly\nlocated in `~/.cache/tally/cache/`. This can be changed with the `--cache-dir`\nflag.\n\n### Fail on low scores\n\nThe return code will be set to 1 when a score is identified that is less than\nor equal to the value of `--fail-on`:\n\n```\n$ tally --fail-on 3.5 bom.json\n...\nError: found scores \u003c= to 3.50\nexit status 1\n```\n\nThis will not consider packages `tally` has not been able to retrieve a score\nfor.\n\n### Output formats\n\nThe `-o/--output` flag can be used to modify the output format.\n\nBy default, `tally` will output each unique repository and its score:\n\n```\nREPOSITORY                            SCORE\ngithub.com/googleapis/google-cloud-go 9.3\n```\n\nThe `wide` output format will print additional package information:\n\n```\nTYPE   PACKAGE                     REPOSITORY                            SCORE\ngolang cloud.google.com/go/compute github.com/googleapis/google-cloud-go 9.3\n```\n\nThe `json` output will print the full report in JSON format:\n\n```\n$ tally -o json bom.json | jq -r .\n{\n  \"results\": [\n    {\n      \"repository\": \"github.com/googleapis/google-http-java-client\",\n      \"packages\" : [\n        
{\n          \"type\": \"maven\",\n          \"name\": \"com.google.http-client/google-http-client-jackson2\"\n        }\n      ],\n      \"result\": {\n        \"date\": \"2023-03-04\",\n        \"repo\": {\n          \"name\": \"github.com/googleapis/google-http-java-client\",\n          \"commit\": \"4e889b702b8bbfb082b7a3234569dc173c1c286d\"\n        },\n        \"scorecard\": {\n          \"version\": \"v4.8.0\",\n          \"commit\": \"c40859202d739b31fd060ac5b30d17326cd74275\"\n        },\n        \"score\": 7,\n        \"checks\": [\n          ...\n        ]\n      }\n    },\n    ...\n  ]\n}\n```\n\n### Print all\n\nNot all packages will have a Scorecard score.\n\nBy default, `tally` will remove results without a score from the output when\nusing `-o short` or `-o wide`.\n\nYou can include all results, regardless of whether they have a score or not, by\nspecifying the `-a/--all` flag.\n\n### BOM formats\n\nSpecify the format of the target SBOM with the `-f/--format` flag.\n\nThe supported SBOM formats are:\n\n- `cyclonedx-json`\n- `cyclonedx-xml`\n- `syft-json`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjetstack%2Ftally","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjetstack%2Ftally","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjetstack%2Ftally/lists"}
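The README's `--fail-on` rule (exit 1 when any score is less than or equal to the threshold, with unscored packages ignored) is easy to re-implement on top of the `-o json` report when you want to post-process the report in CI rather than rely on the exit code alone. The following Go program is an added example written for this page, not code from the tally project: it decodes the report shape shown above (only the `repository`, `packages` and `result.score` fields; `repo`, `scorecard` and `checks` are ignored), applies the threshold, and lists unscored repositories separately so they are visible instead of silently skipped. It assumes that a repository without a score appears in the report with the `result` key absent; that is an assumption about tally's output, not something the README states. The sample report is constructed inline so the program runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// Report mirrors the subset of `tally -o json` output used here. Fields the
// README shows but this example does not need (repo, scorecard, checks) are
// left out; encoding/json ignores them.
type Report struct {
	Results []Result `json:"results"`
}

// Package is one package from the SBOM that maps to a repository.
type Package struct {
	Type string `json:"type"`
	Name string `json:"name"`
}

// ScorecardResult carries the aggregate score for a repository.
type ScorecardResult struct {
	Date  string  `json:"date"`
	Score float64 `json:"score"`
}

// Result is one repository entry. Result is a pointer so that a missing
// "result" key (assumed here to mean tally found no score) decodes to nil.
type Result struct {
	Repository string           `json:"repository"`
	Packages   []Package        `json:"packages"`
	Result     *ScorecardResult `json:"result,omitempty"`
}

// Finding is a repository whose score is at or below the threshold.
type Finding struct {
	Repository string
	Score      float64
	Packages   []string // "type:name", as in the README's wide output
}

// ParseReport decodes a tally JSON report.
func ParseReport(data []byte) (Report, error) {
	var r Report
	if err := json.Unmarshal(data, &r); err != nil {
		return Report{}, fmt.Errorf("decoding tally report: %w", err)
	}
	return r, nil
}

// Evaluate applies the README's --fail-on semantics: a repository fails when
// score <= failOn. Repositories with no score are returned separately rather
// than counted as failures, matching "This will not consider packages tally
// has not been able to retrieve a score for."
func Evaluate(r Report, failOn float64) (failing []Finding, unscored []string) {
	for _, res := range r.Results {
		if res.Result == nil {
			unscored = append(unscored, res.Repository)
			continue
		}
		if res.Result.Score <= failOn {
			names := make([]string, 0, len(res.Packages))
			for _, p := range res.Packages {
				names = append(names, p.Type+":"+p.Name)
			}
			failing = append(failing, Finding{res.Repository, res.Result.Score, names})
		}
	}
	// Lowest scores first so the worst dependencies lead the output.
	sort.Slice(failing, func(i, j int) bool { return failing[i].Score < failing[j].Score })
	sort.Strings(unscored)
	return failing, unscored
}

// sampleReport is a constructed input in the README's report shape; it is not
// real tally output. The first entry copies the README's example, the second
// sits exactly on a 3.5 threshold, the third has no "result" at all.
const sampleReport = `{
  "results": [
    {"repository": "github.com/googleapis/google-http-java-client",
     "packages": [{"type": "maven", "name": "com.google.http-client/google-http-client-jackson2"}],
     "result": {"date": "2023-03-04", "score": 7}},
    {"repository": "github.com/example/low-score",
     "packages": [{"type": "golang", "name": "example.com/low"}],
     "result": {"date": "2023-03-04", "score": 3.5}},
    {"repository": "github.com/example/unscored",
     "packages": [{"type": "golang", "name": "example.com/unscored"}]}
  ]
}`

func main() {
	r, err := ParseReport([]byte(sampleReport))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	failing, unscored := Evaluate(r, 3.5)
	for _, f := range failing {
		fmt.Printf("FAIL    %-45s %.1f %v\n", f.Repository, f.Score, f.Packages)
	}
	for _, u := range unscored {
		fmt.Printf("NOSCORE %s\n", u)
	}
	if len(failing) > 0 {
		os.Exit(1) // same exit status tally uses for --fail-on
	}
}
```

In a pipeline you would feed `tally -o json bom.json` into `ParseReport` instead of the constructed sample; the unscored list is the part worth surfacing, since a dependency with no score is not the same as a dependency with a good one.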