✨ Skip checks that don't apply to the current repo type (#5000)

JamieMagee · web-flow · commit 81b380477e3b · 2026-04-08T19:10:12.000Z
* ✨ Skip checks that don't apply to the current repo type

Scorecard's Azure DevOps support runs every check regardless of
whether it makes sense for the platform. Checks like
Dangerous-Workflow and Token-Permissions look exclusively at
GitHub Actions files and produce misleading results on non-GitHub
repos.

The repos field in checks.yaml already listed supported platforms
per check, but nothing enforced it at runtime. Now GetEnabled
reads that field and drops checks that don't list the repo's
platform.

- Add RepoType to the Repo interface (GitHub, GitLab,
  Azure DevOps, local) with implementations on all four concrete
  types and the mock
- Pass RepoType through to policy.GetEnabled, which filters
  checks against checks.yaml's repos field
- Tag 11 checks as supporting Azure DevOps based on which
  client methods are actually implemented

Signed-off-by: Jamie Magee &lt;jamie.magee@gmail.com&gt;

* Fix repo-type filtering: cache docs, case-insensitive lookup, pass type in serve

- Parse checks.yaml once per GetEnabled call instead of per-check
- Use case-insensitive check name lookup so CLI args like
  'binary-artifacts' don't bypass the repo-type filter
- Pass repo.Type() in serve.go where the repo is already available

Signed-off-by: Jamie Magee &lt;jamie.magee@gmail.com&gt;

* Skip docs parsing when repoType is empty, use O(1) lookup map

- Only call docs.Read() when repoType is non-empty
- Build a lowercased name -&gt; supported types map once per
  GetEnabled call instead of O(N) GetChecks() scan per check

Signed-off-by: Jamie Magee &lt;jamie.magee@gmail.com&gt;

* Cache parsed checks.yaml with sync.Once in docs.Read()

The embedded YAML is immutable at runtime, so parsing it
once and reusing the result is safe. Avoids repeated
unmarshalling across GetEnabled calls in cron/multi-repo
paths.

Signed-off-by: Jamie Magee &lt;jamie.magee@gmail.com&gt;

* Fix lint: rename cachedErr to errCachedRead, fix var block ordering

Signed-off-by: Jamie Magee &lt;jamie.magee@gmail.com&gt;

---------

Signed-off-by: Jamie Magee &lt;jamie.magee@gmail.com&gt;
diff --git a/clients/azuredevopsrepo/repo.go b/clients/azuredevopsrepo/repo.go
@@ -100,6 +100,11 @@ func (r *Repo) Metadata() []string {
 	return r.metadata
 }
 
+// Type implements Repo.Type.
+func (r *Repo) Type() clients.RepoType {
+	return clients.RepoTypeAzureDevOps
+}
+
 // Path() implements RepoClient.Path.
 func (r *Repo) Path() string {
 	return fmt.Sprintf("%s/%s/%s/%s", r.organization, r.project, "_git", r.name)
diff --git a/clients/githubrepo/repo.go b/clients/githubrepo/repo.go
@@ -112,6 +112,11 @@ func (r *Repo) Metadata() []string {
 	return r.metadata
 }
 
+// Type implements Repo.Type.
+func (r *Repo) Type() clients.RepoType {
+	return clients.RepoTypeGitHub
+}
+
 func (r *Repo) commitExpression() string {
 	if strings.EqualFold(r.commitSHA, clients.HeadSHA) {
 		// TODO(#575): Confirm that this works as expected.
diff --git a/clients/gitlabrepo/repo.go b/clients/gitlabrepo/repo.go
@@ -166,6 +166,11 @@ func (r *Repo) Metadata() []string {
 	return r.metadata
 }
 
+// Type implements Repo.Type.
+func (r *Repo) Type() clients.RepoType {
+	return clients.RepoTypeGitLab
+}
+
 // Path() implements RepoClient.Path.
 func (r *Repo) Path() string {
 	return fmt.Sprintf("%s/%s", r.owner, r.project)
diff --git a/clients/localdir/repo.go b/clients/localdir/repo.go
@@ -69,6 +69,11 @@ func (r *Repo) AppendMetadata(m ...string) {
 	r.metadata = append(r.metadata, m...)
 }
 
+// Type implements Repo.Type.
+func (r *Repo) Type() clients.RepoType {
+	return clients.RepoTypeLocal
+}
+
 // Path() implements RepoClient.Path.
 func (r *Repo) Path() string {
 	return r.path
diff --git a/clients/mockclients/repo.go b/clients/mockclients/repo.go
diff --git a/clients/repo.go b/clients/repo.go
@@ -14,6 +14,20 @@
 
 package clients
 
+// RepoType identifies the hosting platform of a repository.
+type RepoType string
+
+const (
+	// RepoTypeGitHub represents a GitHub-hosted repository.
+	RepoTypeGitHub RepoType = "GitHub"
+	// RepoTypeGitLab represents a GitLab-hosted repository.
+	RepoTypeGitLab RepoType = "GitLab"
+	// RepoTypeAzureDevOps represents an Azure DevOps-hosted repository.
+	RepoTypeAzureDevOps RepoType = "Azure DevOps"
+	// RepoTypeLocal represents a local directory.
+	RepoTypeLocal RepoType = "local"
+)
+
 // Repo interface uniquely identifies a repo.
 type Repo interface {
 	// Path returns the specifier of the repository within its forge
@@ -29,4 +43,6 @@ type Repo interface {
 	IsValid() error
 	Metadata() []string
 	AppendMetadata(metadata ...string)
+	// Type returns the hosting platform type.
+	Type() RepoType
 }
diff --git a/cmd/root.go b/cmd/root.go
@@ -160,7 +160,7 @@ func rootCmd(o *options.Options) error {
 	// this call to policy is different from the one in scorecard.Run
 	// this one is concerned with a policy file, while the scorecard.Run call is
 	// more concerned with the supported request types
-	enabledChecks, err := policy.GetEnabled(pol, o.Checks(), requiredRequestTypes)
+	enabledChecks, err := policy.GetEnabled(pol, o.Checks(), requiredRequestTypes, "")
 	if err != nil {
 		return fmt.Errorf("GetEnabled: %w", err)
 	}
diff --git a/cmd/serve.go b/cmd/serve.go
@@ -154,7 +154,7 @@ func (s *server) handleScorecard(w http.ResponseWriter, r *http.Request) {
 	if !strings.EqualFold(opts.Commit, clients.HeadSHA) {
 		requiredRequestTypes = append(requiredRequestTypes, checker.CommitBased)
 	}
-	enabledChecks, err := policy.GetEnabled(nil, opts.Checks(), requiredRequestTypes)
+	enabledChecks, err := policy.GetEnabled(nil, opts.Checks(), requiredRequestTypes, repo.Type())
 	if err != nil {
 		http.Error(w, fmt.Sprintf("GetEnabled: %v", err), http.StatusInternalServerError)
 		return
diff --git a/cron/internal/worker/main.go b/cron/internal/worker/main.go
@@ -211,7 +211,7 @@ func processRequest(ctx context.Context,
 			commitSHA = repoReq.GetCommit()
 			requiredRequestType = append(requiredRequestType, checker.CommitBased)
 		}
-		checksToRun, err := policy.GetEnabled(nil /*policy*/, nil /*checks*/, requiredRequestType)
+		checksToRun, err := policy.GetEnabled(nil /*policy*/, nil /*checks*/, requiredRequestType, repo.Type())
 		if err != nil {
 			return fmt.Errorf("error during policy.GetEnabled: %w", err)
 		}
diff --git a/docs/checks/impl.go b/docs/checks/impl.go
@@ -19,6 +19,7 @@ import (
 	"errors"
 	"fmt"
 	"strings"
+	"sync"
 
 	"github.com/ossf/scorecard/v5/docs/checks/internal"
 	sce "github.com/ossf/scorecard/v5/errors"
@@ -28,6 +29,12 @@ var errCheckNotExist = errors.New("check does not exist")
 
 const docURL = "https://github.com/ossf/scorecard/blob/%s/docs/checks.md"
 
+var (
+	readOnce      sync.Once
+	errCachedRead error
+	cachedDoc     Doc
+)
+
 // DocImpl implements `Doc` interface and
 // contains checks' documentation.
 //
@@ -37,15 +44,18 @@ type DocImpl struct {
 }
 
 // Read loads the checks' documentation.
+// The embedded YAML is parsed once and cached for subsequent calls.
 func Read() (Doc, error) {
-	m, e := internal.ReadDoc()
-	if e != nil {
-		d := DocImpl{}
-		return &d, fmt.Errorf("internal.ReadDoc: %w", e)
-	}
-
-	d := DocImpl{internaldoc: m}
-	return &d, nil
+	readOnce.Do(func() {
+		m, e := internal.ReadDoc()
+		if e != nil {
+			cachedDoc = &DocImpl{}
+			errCachedRead = fmt.Errorf("internal.ReadDoc: %w", e)
+			return
+		}
+		cachedDoc = &DocImpl{internaldoc: m}
+	})
+	return cachedDoc, errCachedRead
 }
 
 // GetCheck returns the information for check `name`.
diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml
@@ -51,7 +51,7 @@ checks:
   Dependency-Update-Tool:
     risk: High
     tags: supply-chain, security, dependencies
-    repos: GitHub, local
+    repos: GitHub, Azure DevOps, local
     short: Determines if the project uses a dependency update tool.
     description: |
       Risk: `High` (possibly vulnerable to attacks on known flaws)
@@ -89,7 +89,7 @@ checks:
   Binary-Artifacts:
     risk: High
     tags: supply-chain, security, dependencies
-    repos: GitHub, GitLab, local
+    repos: GitHub, GitLab, Azure DevOps, local
     short: Determines if the project has generated executable (binary) artifacts in the source repository.
     description: |
       Risk: `High` (non-reviewable code)
@@ -140,7 +140,7 @@ checks:
   Branch-Protection:
     risk: High
     tags: supply-chain, security, source-code, code-reviews
-    repos: GitHub, GitLab
+    repos: GitHub, GitLab, Azure DevOps
     short: Determines if the default and release branches are protected with GitHub's branch protection settings.
     description: |
       Risk: `High` (vulnerable to intentional malicious code injection)
@@ -226,7 +226,7 @@ checks:
   CI-Tests:
     risk: Low
     tags: supply-chain, testing
-    repos: GitHub, GitLab
+    repos: GitHub, GitLab, Azure DevOps
     short: Determines if the project runs tests before pull requests are merged.
     description: |
       Risk: `Low` (possible unknown vulnerabilities)
@@ -286,7 +286,7 @@ checks:
   Code-Review:
     risk: High
     tags: supply-chain, security, source-code, code-reviews
-    repos: GitHub
+    repos: GitHub, Azure DevOps
     short: Determines if the project requires human code review before pull requests (aka merge requests) are merged.
     description: |
       Risk: `High` (unintentional vulnerabilities or possible injection of malicious
@@ -359,7 +359,7 @@ checks:
   Contributors:
     risk: Low
     tags: source-code
-    repos: GitHub
+    repos: GitHub, Azure DevOps
     short: Determines if the project has a set of contributors from multiple organizations (e.g., companies).
     description: |
       Risk: `Low` (lower number of trusted code reviewers)
@@ -466,7 +466,7 @@ checks:
   Pinned-Dependencies:
     risk: Medium
     tags: supply-chain, security, dependencies
-    repos: GitHub, local
+    repos: GitHub, Azure DevOps, local
     short: Determines if the project has declared and pinned the dependencies of its build process.
     description: |
       Risk: `Medium` (possible compromised dependencies)
@@ -532,7 +532,7 @@ checks:
   SAST:
     risk: Medium
     tags: supply-chain, security, testing
-    repos: GitHub
+    repos: GitHub, Azure DevOps
     short: Determines if the project uses static code analysis.
     description: |
       Risk: `Medium` (possible unknown bugs)
@@ -603,7 +603,7 @@ checks:
   Security-Policy:
     risk: Medium
     short: Determines if the project has published a security policy.
-    repos: GitHub
+    repos: GitHub, Azure DevOps
     tags: supply-chain, security, policy
     description: |
       Risk: `Medium` (possible insecure reporting of vulnerabilities)
@@ -746,7 +746,7 @@ checks:
   Vulnerabilities:
     risk: High
     tags: supply-chain, security, vulnerabilities
-    repos: GitHub
+    repos: GitHub, Azure DevOps
     short: Determines if the project has open, known unfixed vulnerabilities.
     description: |
       Risk: `High`  (known vulnerabilities)
@@ -810,7 +810,7 @@ checks:
   License:
     risk: Low
     tags: license
-    repos: GitHub, local
+    repos: GitHub, Azure DevOps, local
     short: Determines if the project has defined a license.
     description: |
       Risk: `Low` (possible impediment to security review)
diff --git a/pkg/scorecard/scorecard.go b/pkg/scorecard/scorecard.go
@@ -425,7 +425,7 @@ func Run(ctx context.Context, repo clients.Repo, opts ...Option) (Result, error)
 		requiredRequestTypes = append(requiredRequestTypes, checker.CommitBased)
 	}
 
-	checksToRun, err := policy.GetEnabled(nil, c.checks, requiredRequestTypes)
+	checksToRun, err := policy.GetEnabled(nil, c.checks, requiredRequestTypes, repo.Type())
 	if err != nil {
 		return Result{}, fmt.Errorf("getting enabled checks: %w", err)
 	}
diff --git a/pkg/scorecard/scorecard_test.go b/pkg/scorecard/scorecard_test.go
@@ -166,6 +166,7 @@ func TestRun(t *testing.T) {
 			repo := mockrepo.NewMockRepo(ctrl)
 
 			repo.EXPECT().URI().Return(tt.args.uri).AnyTimes()
+			repo.EXPECT().Type().Return(clients.RepoTypeGitHub).AnyTimes()
 
 			mockRepoClient.EXPECT().InitRepo(repo, tt.args.commitSHA, 0).Return(nil)
 
@@ -281,6 +282,7 @@ func TestRun_WithProbes(t *testing.T) {
 
 			repo.EXPECT().URI().Return(tt.args.uri).AnyTimes()
 			repo.EXPECT().Host().Return("github.com").AnyTimes()
+			repo.EXPECT().Type().Return(clients.RepoTypeGitHub).AnyTimes()
 
 			mockRepoClient.EXPECT().InitRepo(repo, tt.args.commitSHA, 0).Return(nil)
 			mockRepoClient.EXPECT().URI().Return(repo.URI()).AnyTimes()
diff --git a/policy/policy.go b/policy/policy.go
@@ -25,6 +25,8 @@ import (
 
 	"github.com/ossf/scorecard/v5/checker"
 	"github.com/ossf/scorecard/v5/checks"
+	"github.com/ossf/scorecard/v5/clients"
+	docs "github.com/ossf/scorecard/v5/docs/checks"
 	sce "github.com/ossf/scorecard/v5/errors"
 )
 
@@ -143,9 +145,21 @@ func GetEnabled(
 	sp *ScorecardPolicy,
 	argsChecks []string,
 	requiredRequestTypes []checker.RequestType,
+	repoType clients.RepoType,
 ) (checker.CheckNameToFnMap, error) {
 	enabledChecks := checker.CheckNameToFnMap{}
 
+	// Build a case-insensitive repo-type lookup map once, only when needed.
+	var repoTypeLookup map[string][]string
+	if repoType != "" {
+		if d, err := docs.Read(); err == nil {
+			repoTypeLookup = make(map[string][]string)
+			for _, c := range d.GetChecks() {
+				repoTypeLookup[strings.ToLower(c.GetName())] = c.GetSupportedRepoTypes()
+			}
+		}
+	}
+
 	switch {
 	case len(argsChecks) != 0:
 		// Populate checks to run with the `--repo` CLI argument.
@@ -156,6 +170,9 @@ func GetEnabled(
 						fmt.Sprintf("Unsupported RequestType %s by check: %s",
 							fmt.Sprint(requiredRequestTypes), checkName))
 			}
+			if !isSupportedRepoType(repoTypeLookup, checkName, repoType) {
+				continue
+			}
 			if !enableCheck(checkName, &enabledChecks) {
 				return enabledChecks,
 					sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("invalid check: %s", checkName))
@@ -165,9 +182,9 @@ func GetEnabled(
 		// Populate checks to run with policy file.
 		for checkName := range sp.GetPolicies() {
 			if !isSupportedCheck(checkName, requiredRequestTypes) {
-				// We silently ignore the check, like we do
-				// for the default case when no argsChecks
-				// or policy are present.
+				continue
+			}
+			if !isSupportedRepoType(repoTypeLookup, checkName, repoType) {
 				continue
 			}
 
@@ -182,6 +199,9 @@ func GetEnabled(
 			if !isSupportedCheck(checkName, requiredRequestTypes) {
 				continue
 			}
+			if !isSupportedRepoType(repoTypeLookup, checkName, repoType) {
+				continue
+			}
 			if !enableCheck(checkName, &enabledChecks) {
 				return enabledChecks,
 					sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("invalid check: %s", checkName))
@@ -216,6 +236,27 @@ func isSupportedCheck(checkName string, requiredRequestTypes []checker.RequestTy
 	return len(unsupported) == 0
 }
 
+// isSupportedRepoType checks if a check supports the given repo type
+// using a pre-built lookup map. If the map is nil (docs unavailable or
+// repoType empty) or the check is not found, it defaults to supported.
+func isSupportedRepoType(repoTypeLookup map[string][]string, checkName string, repoType clients.RepoType) bool {
+	if repoTypeLookup == nil {
+		return true
+	}
+
+	supportedTypes, exists := repoTypeLookup[strings.ToLower(checkName)]
+	if !exists {
+		return true
+	}
+
+	for _, t := range supportedTypes {
+		if strings.EqualFold(t, string(repoType)) {
+			return true
+		}
+	}
+	return false
+}
+
 // Enables checks by name.
 func enableCheck(checkName string, enabledChecks *checker.CheckNameToFnMap) bool {
 	if enabledChecks != nil {
diff --git a/policy/policy_test.go b/policy/policy_test.go

Original file line number	Diff line number	Diff line change
`@@ -160,7 +160,7 @@ func rootCmd(o *options.Options) error {`
`160`	`160`	`// this call to policy is different from the one in scorecard.Run`
`161`	`161`	`// this one is concerned with a policy file, while the scorecard.Run call is`
`162`	`162`	`// more concerned with the supported request types`
`163`		`- enabledChecks, err := policy.GetEnabled(pol, o.Checks(), requiredRequestTypes)`
	`163`	`+ enabledChecks, err := policy.GetEnabled(pol, o.Checks(), requiredRequestTypes, "")`
`164`	`164`	`if err != nil {`
`165`	`165`	`return fmt.Errorf("GetEnabled: %w", err)`
`166`	`166`	`}`
Original file line number	Diff line number	Diff line change
`@@ -154,7 +154,7 @@ func (s server) handleScorecard(w http.ResponseWriter, r http.Request) {`
`154`	`154`	`if !strings.EqualFold(opts.Commit, clients.HeadSHA) {`
`155`	`155`	`requiredRequestTypes = append(requiredRequestTypes, checker.CommitBased)`
`156`	`156`	`}`
`157`		`- enabledChecks, err := policy.GetEnabled(nil, opts.Checks(), requiredRequestTypes)`
	`157`	`+ enabledChecks, err := policy.GetEnabled(nil, opts.Checks(), requiredRequestTypes, repo.Type())`
`158`	`158`	`if err != nil {`
`159`	`159`	`http.Error(w, fmt.Sprintf("GetEnabled: %v", err), http.StatusInternalServerError)`
`160`	`160`	`return`
Original file line number	Diff line number	Diff line change
`@@ -211,7 +211,7 @@ func processRequest(ctx context.Context,`
`211`	`211`	`commitSHA = repoReq.GetCommit()`
`212`	`212`	`requiredRequestType = append(requiredRequestType, checker.CommitBased)`
`213`	`213`	`}`
`214`		`- checksToRun, err := policy.GetEnabled(nil /policy/, nil /checks/, requiredRequestType)`
	`214`	`+ checksToRun, err := policy.GetEnabled(nil /policy/, nil /checks/, requiredRequestType, repo.Type())`
`215`	`215`	`if err != nil {`
`216`	`216`	`return fmt.Errorf("error during policy.GetEnabled: %w", err)`
`217`	`217`	`}`