feat: adds custom scorecard certifier

[shreyasHpandya]

Fixes #2783

Description of the PR

See comment #2815 (comment)

PR Checklist

• All commits have a Developer Certificate of Origin (DCO) -- they are generated using -s flag to git commit.
• All new changes are covered by tests
• If GraphQL schema is changed, make generate has been run
• If GraphQL schema is changed, GraphQL client updates/additions have been made
• If OpenAPI spec is changed, make generate has been run
• If ent schema is changed, make generate has been run
• If collectsub protobuf has been changed, make proto has been run
• All CI checks are passing (tests and formatting)
• All dependent PRs have already been merged

[kusari-inspector]

Kusari Analysis Results:

✅ No Flagged Issues Detected
All values appear to be within acceptable risk parameters.

No pinned version dependency changes, code issues or exposed secrets detected!

Note

View full detailed analysis result for more information on the output and the checks that were run.

---

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: 81bb024, performed at: 2025-11-24T03:05:07Z

Found this helpful? Give it a 👍 or 👎 reaction!

[kusari-inspector]

Issue: Fix nil pointer dereference in defer statement

Recommended Code Changes:

resp, err := httpClient.Do(req)
if err != nil {
    return nil, fmt.Errorf("scorecard request failed: %w", err)
}
defer func() {
    _ = resp.Body.Close()
}()

[kusari-inspector]

Kusari PR Analysis rerun based on - 81bb024 performed at: 2025-11-24T03:05:26Z - link to updated analysis

[gaganhr94]

Scorecard improvements description for better understanding

When querying the Scorecard API with a specific commitSHA that returns 404,
retry the request without the commit parameter to get the latest scorecard
for the default branch.

Design Decisions:

• API-First with Retry: If a commit-specific query fails, retry without
  commitSHA rather than immediately falling back to local computation.
  This maximizes API usage (faster, no auth required).

• Silent Fallback for Missing Commits: When the requested commit isn't in
  the API, we return the latest scorecard instead. This is a conscious
  decision because:

  • Scorecard's purpose is to assess current repository health and
    maintenance practices, not point-in-time snapshots
  • A recent scorecard provides more value than no scorecard for trust
    decisions
  • Many checks (branch protection, security policy) are repository-wide
    and don't vary between commits

• Tag Without CommitSHA Skips API: When a tag is provided without a
  commitSHA, skip the API entirely and use local computation, which can
  resolve tags to commits via ListReleases().

• HEAD Treated as Empty: Upstream GUAC code sets commitSHA to "HEAD" when
  no specific commit is known, so we treat "HEAD" the same as empty.

[gaganhr94]

Hi @mihaimaruseac @pxp928, can you please review this PR when you get a chance. Thanks !

[mihaimaruseac]

The file should end with a newline

[gaganhr94]

Done

[mihaimaruseac]

This comment doesn't seem useful.

It looks like you used AI to generate the PR, but did not clean the output.

[gaganhr94]

Previously, a GitHub token was required for Scorecard to start. After this change, startup no longer depends on the token, so just logs a warning. Added these comments intentionally to make that behaviour change explicit and improve transparency for future readers. If there’s a clearer way to convey this, I’m happy to adjust the wording.

[mihaimaruseac]

ctx is still unused... Did you try to compile the code? The compiler would have given you an error.

[gaganhr94]

Yes. Did compile the code and test out the scorecard certifier. Since ctx was a function parameter here, it did not give any issues during compile-time.

Will revert back to _ since we are not using ctx in the function