Option to switch from https://deps.dev/ to https://api.securityscorecards.dev/

[rajbos]

My scores live at api.securityscorecards.dev (for example: link) and not at https://deps.dev, since that is where I push the data to (as indicated by the OSSF scorecard action).

I'd be happy to help add that config if you want.

[UlisesGascon]

This is a tricky request. I assume that most users expect to see results in a UI format with deps.dev, but sometimes the results do not appear correctly.

For example, https://deps.dev/project/github/onebeyond%2Fsystemic-knex should work, but as the repository was migrated from another organization, it seems that the change was not properly reflected. However, the API is working fine at https://api.securityscorecards.dev/projects/github.com/onebeyond/systemic-knex. I believe this is a bug.

I would appreciate feedback on the differences between api.securityscorecards.dev and https://deps.dev/ before we proceed (cc: @gabibguti @naveensrinivasan).

I see two possible solutions from this discussion:

1. We can add another column with the API link if an optional tag is available, such as include-api-links=true.
2. We can replace the content in the report column if the optional tag is available, such as use-api-links=true.

Side note: I think having too many columns at the end will look bad (markdown table), so we may need to find another way to control the columns to show (but this will require thorough testing).

[naveensrinivasan]

My scores live at api.securityscorecards.dev (for example: link) and not at https://deps.dev, since that is where I push the data to (as indicated by the OSSF scorecard action).

I'd be happy to help add that config if you want.

deps.dev is a consumer of OpenSSF Scorecard data, and it is not part of the OpenSSF scorecard

[rajbos]

I know, but since I push my data to OpenSSF, I see no data in deps.dev for my repos?

[UlisesGascon]

Now it is more clear for me. Thanks @rajbos!

So... I am thinking that maybe we can add another column with the API link if an optional tag is available, such as include-ossf-api-links=true and disable the report column optionally by using include-deps-dev-links=false.

I believe this will cover the new use case and it is not a breaking change to any current user. What do you think @rajbos?

I know, but since I push my data to OpenSSF, I see no data in deps.dev for my repos?

I believe this is more related on how the data is consumed and sync in deps.dev, maybe you can crate an issue in their project or ask support 🤔

[KoolTheba]

I'll implement the optional tags as described at #44 (comment)

[rajbos]

I was thinking to use this action against an internal GitHub Enterprise Server (GHES) and then we will host the api.securityscorecards.dev somewhere internally on a Docker setup (already have that running). Can we please make the url configurable, instead of a boolean?

[UlisesGascon]

I was thinking to use this action against an internal GitHub Enterprise Server (GHES) and then we will host the api.securityscorecards.dev somewhere internally on a Docker setup (already have that running). Can we please make the url configurable, instead of a boolean?

@rajbos I moved the discussion to #52, as I think that it can be considered as a separated feature 😉