ossf · jeffmendoza · Apr 8, 2026 · Apr 3, 2026 · Apr 7, 2026 · Apr 7, 2026
@@ -100,6 +100,11 @@
 	return r.metadata
 }
 
+// Type implements Repo.Type.
+func (r *Repo) Type() clients.RepoType {
+	return clients.RepoTypeAzureDevOps
+}
+
 // Path() implements RepoClient.Path.
 func (r *Repo) Path() string {
 	return fmt.Sprintf("%s/%s/%s/%s", r.organization, r.project, "_git", r.name)

@@ -112,6 +112,11 @@ func (r *Repo) Metadata() []string {
 	return r.metadata
 }
 
+// Type implements Repo.Type.
+func (r *Repo) Type() clients.RepoType {
+	return clients.RepoTypeGitHub
+}
+
 func (r *Repo) commitExpression() string {
 	if strings.EqualFold(r.commitSHA, clients.HeadSHA) {
 		// TODO(#575): Confirm that this works as expected.

@@ -166,6 +166,11 @@
 	return r.metadata
 }
 
+// Type implements Repo.Type.
+func (r *Repo) Type() clients.RepoType {
+	return clients.RepoTypeGitLab
+}
+
 // Path() implements RepoClient.Path.
 func (r *Repo) Path() string {
 	return fmt.Sprintf("%s/%s", r.owner, r.project)

@@ -69,6 +69,11 @@
 	r.metadata = append(r.metadata, m...)
 }
 
+// Type implements Repo.Type.
+func (r *Repo) Type() clients.RepoType {
+	return clients.RepoTypeLocal
+}
+
 // Path() implements RepoClient.Path.
 func (r *Repo) Path() string {
 	return r.path

@@ -14,6 +14,20 @@
 
 package clients
 
+// RepoType identifies the hosting platform of a repository.
+type RepoType string
+
+const (
+	// RepoTypeGitHub represents a GitHub-hosted repository.
+	RepoTypeGitHub RepoType = "GitHub"
+	// RepoTypeGitLab represents a GitLab-hosted repository.
+	RepoTypeGitLab RepoType = "GitLab"
+	// RepoTypeAzureDevOps represents an Azure DevOps-hosted repository.
+	RepoTypeAzureDevOps RepoType = "Azure DevOps"
+	// RepoTypeLocal represents a local directory.
+	RepoTypeLocal RepoType = "local"
+)
+
 // Repo interface uniquely identifies a repo.
 type Repo interface {
 	// Path returns the specifier of the repository within its forge
@@ -29,4 +43,6 @@ type Repo interface {
 	IsValid() error
 	Metadata() []string
 	AppendMetadata(metadata ...string)
+	// Type returns the hosting platform type.
+	Type() RepoType
 }
@@ -160,7 +160,7 @@
 	// this call to policy is different from the one in scorecard.Run
 	// this one is concerned with a policy file, while the scorecard.Run call is
 	// more concerned with the supported request types
-	enabledChecks, err := policy.GetEnabled(pol, o.Checks(), requiredRequestTypes)
+	enabledChecks, err := policy.GetEnabled(pol, o.Checks(), requiredRequestTypes, "")
 	if err != nil {
 		return fmt.Errorf("GetEnabled: %w", err)
 	}

@@ -154,7 +154,7 @@
 	if !strings.EqualFold(opts.Commit, clients.HeadSHA) {
 		requiredRequestTypes = append(requiredRequestTypes, checker.CommitBased)
 	}
-	enabledChecks, err := policy.GetEnabled(nil, opts.Checks(), requiredRequestTypes)
+	enabledChecks, err := policy.GetEnabled(nil, opts.Checks(), requiredRequestTypes, repo.Type())
 	if err != nil {
 		http.Error(w, fmt.Sprintf("GetEnabled: %v", err), http.StatusInternalServerError)
 		return

@@ -211,7 +211,7 @@ func processRequest(ctx context.Context,
 			commitSHA = repoReq.GetCommit()
 			requiredRequestType = append(requiredRequestType, checker.CommitBased)
 		}
-		checksToRun, err := policy.GetEnabled(nil /*policy*/, nil /*checks*/, requiredRequestType)
+		checksToRun, err := policy.GetEnabled(nil /*policy*/, nil /*checks*/, requiredRequestType, repo.Type())
 		if err != nil {
 			return fmt.Errorf("error during policy.GetEnabled: %w", err)
 		}

diff --git a/docs/checks/impl.go b/docs/checks/impl.go
@@ -19,6 +19,7 @@ import (
 	"errors"
 	"fmt"
 	"strings"
+	"sync"
 
 	"github.com/ossf/scorecard/v5/docs/checks/internal"
 	sce "github.com/ossf/scorecard/v5/errors"
@@ -28,6 +29,12 @@ var errCheckNotExist = errors.New("check does not exist")
 
 const docURL = "https://github.com/ossf/scorecard/blob/%s/docs/checks.md"
 
+var (
+	readOnce      sync.Once
+	errCachedRead error
+	cachedDoc     Doc
+)
+
 // DocImpl implements `Doc` interface and
 // contains checks' documentation.
 //
@@ -37,15 +44,18 @@ type DocImpl struct {
 }
 
 // Read loads the checks' documentation.
+// The embedded YAML is parsed once and cached for subsequent calls.
 func Read() (Doc, error) {
-	m, e := internal.ReadDoc()
-	if e != nil {
-		d := DocImpl{}
-		return &d, fmt.Errorf("internal.ReadDoc: %w", e)
-	}
-
-	d := DocImpl{internaldoc: m}
-	return &d, nil
+	readOnce.Do(func() {
+		m, e := internal.ReadDoc()
+		if e != nil {
+			cachedDoc = &DocImpl{}
+			errCachedRead = fmt.Errorf("internal.ReadDoc: %w", e)
+			return
+		}
+		cachedDoc = &DocImpl{internaldoc: m}
+	})
+	return cachedDoc, errCachedRead
 }
 
 // GetCheck returns the information for check `name`.

diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml
@@ -51,7 +51,7 @@ checks:
   Dependency-Update-Tool:
     risk: High
     tags: supply-chain, security, dependencies
-    repos: GitHub, local
+    repos: GitHub, Azure DevOps, local
     short: Determines if the project uses a dependency update tool.
     description: |
       Risk: `High` (possibly vulnerable to attacks on known flaws)
@@ -89,7 +89,7 @@ checks:
   Binary-Artifacts:
     risk: High
     tags: supply-chain, security, dependencies
-    repos: GitHub, GitLab, local
+    repos: GitHub, GitLab, Azure DevOps, local
     short: Determines if the project has generated executable (binary) artifacts in the source repository.
     description: |
       Risk: `High` (non-reviewable code)
@@ -140,7 +140,7 @@ checks:
   Branch-Protection:
     risk: High
     tags: supply-chain, security, source-code, code-reviews
-    repos: GitHub, GitLab
+    repos: GitHub, GitLab, Azure DevOps
     short: Determines if the default and release branches are protected with GitHub's branch protection settings.
     description: |
       Risk: `High` (vulnerable to intentional malicious code injection)
@@ -226,7 +226,7 @@ checks:
   CI-Tests:
     risk: Low
     tags: supply-chain, testing
-    repos: GitHub, GitLab
+    repos: GitHub, GitLab, Azure DevOps
     short: Determines if the project runs tests before pull requests are merged.
     description: |
       Risk: `Low` (possible unknown vulnerabilities)
@@ -286,7 +286,7 @@ checks:
   Code-Review:
     risk: High
     tags: supply-chain, security, source-code, code-reviews
-    repos: GitHub
+    repos: GitHub, Azure DevOps
     short: Determines if the project requires human code review before pull requests (aka merge requests) are merged.
     description: |
       Risk: `High` (unintentional vulnerabilities or possible injection of malicious
@@ -359,7 +359,7 @@ checks:
   Contributors:
     risk: Low
     tags: source-code
-    repos: GitHub
+    repos: GitHub, Azure DevOps
     short: Determines if the project has a set of contributors from multiple organizations (e.g., companies).
     description: |
       Risk: `Low` (lower number of trusted code reviewers)
@@ -466,7 +466,7 @@ checks:
   Pinned-Dependencies:
     risk: Medium
     tags: supply-chain, security, dependencies
-    repos: GitHub, local
+    repos: GitHub, Azure DevOps, local
     short: Determines if the project has declared and pinned the dependencies of its build process.
     description: |
       Risk: `Medium` (possible compromised dependencies)
@@ -532,7 +532,7 @@ checks:
   SAST:
     risk: Medium
     tags: supply-chain, security, testing
-    repos: GitHub
+    repos: GitHub, Azure DevOps
     short: Determines if the project uses static code analysis.
     description: |
       Risk: `Medium` (possible unknown bugs)
@@ -603,7 +603,7 @@ checks:
   Security-Policy:
     risk: Medium
     short: Determines if the project has published a security policy.
-    repos: GitHub
+    repos: GitHub, Azure DevOps
     tags: supply-chain, security, policy
     description: |
       Risk: `Medium` (possible insecure reporting of vulnerabilities)
@@ -746,7 +746,7 @@ checks:
   Vulnerabilities:
     risk: High
     tags: supply-chain, security, vulnerabilities
-    repos: GitHub
+    repos: GitHub, Azure DevOps
     short: Determines if the project has open, known unfixed vulnerabilities.
     description: |
       Risk: `High`  (known vulnerabilities)
@@ -810,7 +810,7 @@ checks:
   License:
     risk: Low
     tags: license
-    repos: GitHub, local
+    repos: GitHub, Azure DevOps, local
     short: Determines if the project has defined a license.
     description: |
       Risk: `Low` (possible impediment to security review)

@@ -425,7 +425,7 @@ func Run(ctx context.Context, repo clients.Repo, opts ...Option) (Result, error)
 		requiredRequestTypes = append(requiredRequestTypes, checker.CommitBased)
 	}
 
-	checksToRun, err := policy.GetEnabled(nil, c.checks, requiredRequestTypes)
+	checksToRun, err := policy.GetEnabled(nil, c.checks, requiredRequestTypes, repo.Type())
 	if err != nil {
 		return Result{}, fmt.Errorf("getting enabled checks: %w", err)
 	}

@@ -166,6 +166,7 @@ func TestRun(t *testing.T) {
 			repo := mockrepo.NewMockRepo(ctrl)
 
 			repo.EXPECT().URI().Return(tt.args.uri).AnyTimes()
+			repo.EXPECT().Type().Return(clients.RepoTypeGitHub).AnyTimes()
 
 			mockRepoClient.EXPECT().InitRepo(repo, tt.args.commitSHA, 0).Return(nil)
 
@@ -281,6 +282,7 @@ func TestRun_WithProbes(t *testing.T) {
 
 			repo.EXPECT().URI().Return(tt.args.uri).AnyTimes()
 			repo.EXPECT().Host().Return("github.com").AnyTimes()
+			repo.EXPECT().Type().Return(clients.RepoTypeGitHub).AnyTimes()
 
 			mockRepoClient.EXPECT().InitRepo(repo, tt.args.commitSHA, 0).Return(nil)
 			mockRepoClient.EXPECT().URI().Return(repo.URI()).AnyTimes()

@@ -25,6 +25,8 @@
 
 	"github.com/ossf/scorecard/v5/checker"
 	"github.com/ossf/scorecard/v5/checks"
+	"github.com/ossf/scorecard/v5/clients"
+	docs "github.com/ossf/scorecard/v5/docs/checks"
 	sce "github.com/ossf/scorecard/v5/errors"
 )
 
@@ -143,9 +145,21 @@
 	sp *ScorecardPolicy,
 	argsChecks []string,
 	requiredRequestTypes []checker.RequestType,
+	repoType clients.RepoType,
 ) (checker.CheckNameToFnMap, error) {
 	enabledChecks := checker.CheckNameToFnMap{}
 
+	// Build a case-insensitive repo-type lookup map once, only when needed.
+	var repoTypeLookup map[string][]string
+	if repoType != "" {
+		if d, err := docs.Read(); err == nil {
+			repoTypeLookup = make(map[string][]string)
+			for _, c := range d.GetChecks() {
+				repoTypeLookup[strings.ToLower(c.GetName())] = c.GetSupportedRepoTypes()
+			}
+		}
+	}
+
 	switch {
 	case len(argsChecks) != 0:
 		// Populate checks to run with the `--repo` CLI argument.
@@ -156,6 +170,9 @@
 						fmt.Sprintf("Unsupported RequestType %s by check: %s",
 							fmt.Sprint(requiredRequestTypes), checkName))
 			}
+			if !isSupportedRepoType(repoTypeLookup, checkName, repoType) {
+				continue
+			}
 			if !enableCheck(checkName, &enabledChecks) {
 				return enabledChecks,
 					sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("invalid check: %s", checkName))
@@ -165,9 +182,9 @@
 		// Populate checks to run with policy file.
 		for checkName := range sp.GetPolicies() {
 			if !isSupportedCheck(checkName, requiredRequestTypes) {
-				// We silently ignore the check, like we do
-				// for the default case when no argsChecks
-				// or policy are present.
+				continue
+			}
+			if !isSupportedRepoType(repoTypeLookup, checkName, repoType) {
 				continue
 			}
 
@@ -182,6 +199,9 @@
 			if !isSupportedCheck(checkName, requiredRequestTypes) {
 				continue
 			}
+			if !isSupportedRepoType(repoTypeLookup, checkName, repoType) {
+				continue
+			}
 			if !enableCheck(checkName, &enabledChecks) {
 				return enabledChecks,
 					sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("invalid check: %s", checkName))
@@ -216,6 +236,27 @@
 	return len(unsupported) == 0
 }
 
+// isSupportedRepoType checks if a check supports the given repo type
+// using a pre-built lookup map. If the map is nil (docs unavailable or
+// repoType empty) or the check is not found, it defaults to supported.
+func isSupportedRepoType(repoTypeLookup map[string][]string, checkName string, repoType clients.RepoType) bool {
+	if repoTypeLookup == nil {
+		return true
+	}
+
+	supportedTypes, exists := repoTypeLookup[strings.ToLower(checkName)]
+	if !exists {
+		return true
+	}
+
+	for _, t := range supportedTypes {
+		if strings.EqualFold(t, string(repoType)) {
+			return true
+		}
+	}
+	return false
+}
+
 // Enables checks by name.
 func enableCheck(checkName string, enabledChecks *checker.CheckNameToFnMap) bool {
 	if enabledChecks != nil {