✨ Skip checks that don't apply to the current repo type

JamieMagee · JamieMagee · commit c2d5a81167b4 · 2026-04-02T21:59:12.000-07:00
Scorecard's Azure DevOps support runs every check regardless of
whether it makes sense for the platform. Checks like
Dangerous-Workflow and Token-Permissions look exclusively at
GitHub Actions files and produce misleading results on non-GitHub
repos.

The repos field in checks.yaml already listed supported platforms
per check, but nothing enforced it at runtime. Now GetEnabled
reads that field and drops checks that don't list the repo's
platform.

- Add RepoType to the Repo interface (GitHub, GitLab,
  Azure DevOps, local) with implementations on all four concrete
  types and the mock
- Pass RepoType through to policy.GetEnabled, which filters
  checks against checks.yaml's repos field
- Tag 11 checks as supporting Azure DevOps based on which
  client methods are actually implemented

Signed-off-by: Jamie Magee &lt;jamie.magee@gmail.com&gt;
diff --git a/clients/azuredevopsrepo/repo.go b/clients/azuredevopsrepo/repo.go
@@ -100,6 +100,11 @@ func (r *Repo) Metadata() []string {
 	return r.metadata
 }
 
+// Type implements Repo.Type.
+func (r *Repo) Type() clients.RepoType {
+	return clients.RepoTypeAzureDevOps
+}
+
 // Path() implements RepoClient.Path.
 func (r *Repo) Path() string {
 	return fmt.Sprintf("%s/%s/%s/%s", r.organization, r.project, "_git", r.name)
diff --git a/clients/githubrepo/repo.go b/clients/githubrepo/repo.go
@@ -112,6 +112,11 @@ func (r *Repo) Metadata() []string {
 	return r.metadata
 }
 
+// Type implements Repo.Type.
+func (r *Repo) Type() clients.RepoType {
+	return clients.RepoTypeGitHub
+}
+
 func (r *Repo) commitExpression() string {
 	if strings.EqualFold(r.commitSHA, clients.HeadSHA) {
 		// TODO(#575): Confirm that this works as expected.
diff --git a/clients/gitlabrepo/repo.go b/clients/gitlabrepo/repo.go
@@ -166,6 +166,11 @@ func (r *Repo) Metadata() []string {
 	return r.metadata
 }
 
+// Type implements Repo.Type.
+func (r *Repo) Type() clients.RepoType {
+	return clients.RepoTypeGitLab
+}
+
 // Path() implements RepoClient.Path.
 func (r *Repo) Path() string {
 	return fmt.Sprintf("%s/%s", r.owner, r.project)
diff --git a/clients/localdir/repo.go b/clients/localdir/repo.go
@@ -69,6 +69,11 @@ func (r *Repo) AppendMetadata(m ...string) {
 	r.metadata = append(r.metadata, m...)
 }
 
+// Type implements Repo.Type.
+func (r *Repo) Type() clients.RepoType {
+	return clients.RepoTypeLocal
+}
+
 // Path() implements RepoClient.Path.
 func (r *Repo) Path() string {
 	return r.path
diff --git a/clients/mockclients/repo.go b/clients/mockclients/repo.go
diff --git a/clients/repo.go b/clients/repo.go
@@ -14,6 +14,20 @@
 
 package clients
 
+// RepoType identifies the hosting platform of a repository.
+type RepoType string
+
+const (
+	// RepoTypeGitHub represents a GitHub-hosted repository.
+	RepoTypeGitHub RepoType = "GitHub"
+	// RepoTypeGitLab represents a GitLab-hosted repository.
+	RepoTypeGitLab RepoType = "GitLab"
+	// RepoTypeAzureDevOps represents an Azure DevOps-hosted repository.
+	RepoTypeAzureDevOps RepoType = "Azure DevOps"
+	// RepoTypeLocal represents a local directory.
+	RepoTypeLocal RepoType = "local"
+)
+
 // Repo interface uniquely identifies a repo.
 type Repo interface {
 	// Path returns the specifier of the repository within its forge
@@ -29,4 +43,6 @@ type Repo interface {
 	IsValid() error
 	Metadata() []string
 	AppendMetadata(metadata ...string)
+	// Type returns the hosting platform type.
+	Type() RepoType
 }
diff --git a/cmd/root.go b/cmd/root.go
@@ -129,7 +129,7 @@ func rootCmd(o *options.Options) error {
 	// this call to policy is different from the one in scorecard.Run
 	// this one is concerned with a policy file, while the scorecard.Run call is
 	// more concerned with the supported request types
-	enabledChecks, err := policy.GetEnabled(pol, o.Checks(), requiredRequestTypes)
+	enabledChecks, err := policy.GetEnabled(pol, o.Checks(), requiredRequestTypes, repo.Type())
 	if err != nil {
 		return fmt.Errorf("GetEnabled: %w", err)
 	}
diff --git a/cron/internal/worker/main.go b/cron/internal/worker/main.go
@@ -205,7 +205,7 @@ func processRequest(ctx context.Context,
 			commitSHA = repoReq.GetCommit()
 			requiredRequestType = append(requiredRequestType, checker.CommitBased)
 		}
-		checksToRun, err := policy.GetEnabled(nil /*policy*/, nil /*checks*/, requiredRequestType)
+		checksToRun, err := policy.GetEnabled(nil /*policy*/, nil /*checks*/, requiredRequestType, repo.Type())
 		if err != nil {
 			return fmt.Errorf("error during policy.GetEnabled: %w", err)
 		}
diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml
@@ -51,7 +51,7 @@ checks:
   Dependency-Update-Tool:
     risk: High
     tags: supply-chain, security, dependencies
-    repos: GitHub, local
+    repos: GitHub, Azure DevOps, local
     short: Determines if the project uses a dependency update tool.
     description: |
       Risk: `High` (possibly vulnerable to attacks on known flaws)
@@ -90,7 +90,7 @@ checks:
   Binary-Artifacts:
     risk: High
     tags: supply-chain, security, dependencies
-    repos: GitHub, GitLab, local
+    repos: GitHub, GitLab, Azure DevOps, local
     short: Determines if the project has generated executable (binary) artifacts in the source repository.
     description: |
       Risk: `High` (non-reviewable code)
@@ -141,7 +141,7 @@ checks:
   Branch-Protection:
     risk: High
     tags: supply-chain, security, source-code, code-reviews
-    repos: GitHub, GitLab
+    repos: GitHub, GitLab, Azure DevOps
     short: Determines if the default and release branches are protected with GitHub's branch protection settings.
     description: |
       Risk: `High` (vulnerable to intentional malicious code injection)
@@ -227,7 +227,7 @@ checks:
   CI-Tests:
     risk: Low
     tags: supply-chain, testing
-    repos: GitHub, GitLab
+    repos: GitHub, GitLab, Azure DevOps
     short: Determines if the project runs tests before pull requests are merged.
     description: |
       Risk: `Low` (possible unknown vulnerabilities)
@@ -287,7 +287,7 @@ checks:
   Code-Review:
     risk: High
     tags: supply-chain, security, source-code, code-reviews
-    repos: GitHub
+    repos: GitHub, Azure DevOps
     short: Determines if the project requires human code review before pull requests (aka merge requests) are merged.
     description: |
       Risk: `High` (unintentional vulnerabilities or possible injection of malicious
@@ -360,7 +360,7 @@ checks:
   Contributors:
     risk: Low
     tags: source-code
-    repos: GitHub
+    repos: GitHub, Azure DevOps
     short: Determines if the project has a set of contributors from multiple organizations (e.g., companies).
     description: |
       Risk: `Low` (lower number of trusted code reviewers)
@@ -466,7 +466,7 @@ checks:
   Pinned-Dependencies:
     risk: Medium
     tags: supply-chain, security, dependencies
-    repos: GitHub, local
+    repos: GitHub, Azure DevOps, local
     short: Determines if the project has declared and pinned the dependencies of its build process.
     description: |
       Risk: `Medium` (possible compromised dependencies)
@@ -532,7 +532,7 @@ checks:
   SAST:
     risk: Medium
     tags: supply-chain, security, testing
-    repos: GitHub
+    repos: GitHub, Azure DevOps
     short: Determines if the project uses static code analysis.
     description: |
       Risk: `Medium` (possible unknown bugs)
@@ -603,7 +603,7 @@ checks:
   Security-Policy:
     risk: Medium
     short: Determines if the project has published a security policy.
-    repos: GitHub
+    repos: GitHub, Azure DevOps
     tags: supply-chain, security, policy
     description: |
       Risk: `Medium` (possible insecure reporting of vulnerabilities)
@@ -746,7 +746,7 @@ checks:
   Vulnerabilities:
     risk: High
     tags: supply-chain, security, vulnerabilities
-    repos: GitHub
+    repos: GitHub, Azure DevOps
     short: Determines if the project has open, known unfixed vulnerabilities.
     description: |
       Risk: `High`  (known vulnerabilities)
@@ -810,7 +810,7 @@ checks:
   License:
     risk: Low
     tags: license
-    repos: GitHub, local
+    repos: GitHub, Azure DevOps, local
     short: Determines if the project has defined a license.
     description: |
       Risk: `Low` (possible impediment to security review)
diff --git a/pkg/scorecard/scorecard.go b/pkg/scorecard/scorecard.go
@@ -425,7 +425,7 @@ func Run(ctx context.Context, repo clients.Repo, opts ...Option) (Result, error)
 		requiredRequestTypes = append(requiredRequestTypes, checker.CommitBased)
 	}
 
-	checksToRun, err := policy.GetEnabled(nil, c.checks, requiredRequestTypes)
+	checksToRun, err := policy.GetEnabled(nil, c.checks, requiredRequestTypes, repo.Type())
 	if err != nil {
 		return Result{}, fmt.Errorf("getting enabled checks: %w", err)
 	}
diff --git a/policy/policy.go b/policy/policy.go
@@ -25,6 +25,8 @@ import (
 
 	"github.com/ossf/scorecard/v5/checker"
 	"github.com/ossf/scorecard/v5/checks"
+	"github.com/ossf/scorecard/v5/clients"
+	docs "github.com/ossf/scorecard/v5/docs/checks"
 	sce "github.com/ossf/scorecard/v5/errors"
 )
 
@@ -143,6 +145,7 @@ func GetEnabled(
 	sp *ScorecardPolicy,
 	argsChecks []string,
 	requiredRequestTypes []checker.RequestType,
+	repoType clients.RepoType,
 ) (checker.CheckNameToFnMap, error) {
 	enabledChecks := checker.CheckNameToFnMap{}
 
@@ -156,6 +159,10 @@ func GetEnabled(
 						fmt.Sprintf("Unsupported RequestType %s by check: %s",
 							fmt.Sprint(requiredRequestTypes), checkName))
 			}
+			if !isSupportedRepoType(checkName, repoType) {
+				log.Printf("skipping check %s: not supported for repo type %s", checkName, repoType)
+				continue
+			}
 			if !enableCheck(checkName, &enabledChecks) {
 				return enabledChecks,
 					sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("invalid check: %s", checkName))
@@ -165,9 +172,9 @@ func GetEnabled(
 		// Populate checks to run with policy file.
 		for checkName := range sp.GetPolicies() {
 			if !isSupportedCheck(checkName, requiredRequestTypes) {
-				// We silently ignore the check, like we do
-				// for the default case when no argsChecks
-				// or policy are present.
+				continue
+			}
+			if !isSupportedRepoType(checkName, repoType) {
 				continue
 			}
 
@@ -182,6 +189,9 @@ func GetEnabled(
 			if !isSupportedCheck(checkName, requiredRequestTypes) {
 				continue
 			}
+			if !isSupportedRepoType(checkName, repoType) {
+				continue
+			}
 			if !enableCheck(checkName, &enabledChecks) {
 				return enabledChecks,
 					sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("invalid check: %s", checkName))
@@ -216,6 +226,33 @@ func isSupportedCheck(checkName string, requiredRequestTypes []checker.RequestTy
 	return len(unsupported) == 0
 }
 
+// isSupportedRepoType checks if a check supports the given repo type
+// based on the repos field in checks.yaml. If the docs cannot be read
+// or the check is not found, it defaults to supported (permissive).
+func isSupportedRepoType(checkName string, repoType clients.RepoType) bool {
+	if repoType == "" {
+		return true
+	}
+
+	d, err := docs.Read()
+	if err != nil {
+		return true
+	}
+
+	checkDoc, err := d.GetCheck(checkName)
+	if err != nil {
+		return true
+	}
+
+	supportedTypes := checkDoc.GetSupportedRepoTypes()
+	for _, t := range supportedTypes {
+		if strings.EqualFold(t, string(repoType)) {
+			return true
+		}
+	}
+	return false
+}
+
 // Enables checks by name.
 func enableCheck(checkName string, enabledChecks *checker.CheckNameToFnMap) bool {
 	if enabledChecks != nil {
diff --git a/policy/policy_test.go b/policy/policy_test.go
@@ -23,6 +23,7 @@ import (
 
 	"github.com/ossf/scorecard/v5/checker"
 	"github.com/ossf/scorecard/v5/checks"
+	"github.com/ossf/scorecard/v5/clients"
 	sce "github.com/ossf/scorecard/v5/errors"
 )
 
@@ -362,7 +363,7 @@ func TestGetEnabled(t *testing.T) {
 				sp = pol
 			}
 
-			enabledChecks, err := GetEnabled(sp, tt.argsChecks, tt.requiredRequestTypes)
+			enabledChecks, err := GetEnabled(sp, tt.argsChecks, tt.requiredRequestTypes, clients.RepoTypeGitHub)
 
 			if len(enabledChecks) != tt.expectedEnabledChecks {
 				t.Errorf("Unexpected number of enabled checks: got %v, want %v", len(enabledChecks), tt.expectedEnabledChecks)

Original file line number	Diff line number	Diff line change
`@@ -129,7 +129,7 @@ func rootCmd(o *options.Options) error {`
`129`	`129`	`// this call to policy is different from the one in scorecard.Run`
`130`	`130`	`// this one is concerned with a policy file, while the scorecard.Run call is`
`131`	`131`	`// more concerned with the supported request types`
`132`		`- enabledChecks, err := policy.GetEnabled(pol, o.Checks(), requiredRequestTypes)`
	`132`	`+ enabledChecks, err := policy.GetEnabled(pol, o.Checks(), requiredRequestTypes, repo.Type())`
`133`	`133`	`if err != nil {`
`134`	`134`	`return fmt.Errorf("GetEnabled: %w", err)`
`135`	`135`	`}`
Original file line number	Diff line number	Diff line change
`@@ -205,7 +205,7 @@ func processRequest(ctx context.Context,`
`205`	`205`	`commitSHA = repoReq.GetCommit()`
`206`	`206`	`requiredRequestType = append(requiredRequestType, checker.CommitBased)`
`207`	`207`	`}`
`208`		`- checksToRun, err := policy.GetEnabled(nil /policy/, nil /checks/, requiredRequestType)`
	`208`	`+ checksToRun, err := policy.GetEnabled(nil /policy/, nil /checks/, requiredRequestType, repo.Type())`
`209`	`209`	`if err != nil {`
`210`	`210`	`return fmt.Errorf("error during policy.GetEnabled: %w", err)`
`211`	`211`	`}`
Original file line number	Diff line number	Diff line change
`@@ -425,7 +425,7 @@ func Run(ctx context.Context, repo clients.Repo, opts ...Option) (Result, error)`
`425`	`425`	`requiredRequestTypes = append(requiredRequestTypes, checker.CommitBased)`
`426`	`426`	`}`
`427`	`427`
`428`		`- checksToRun, err := policy.GetEnabled(nil, c.checks, requiredRequestTypes)`
	`428`	`+ checksToRun, err := policy.GetEnabled(nil, c.checks, requiredRequestTypes, repo.Type())`
`429`	`429`	`if err != nil {`
`430`	`430`	`return Result{}, fmt.Errorf("getting enabled checks: %w", err)`
`431`	`431`	`}`