CLOMonitor is a tool that periodically checks open source projects' repositories to verify that they meet certain project health best practices.
clomonitor.io lists most of the projects in the CNCF, LF AI & DATA and CDF foundations. If you notice that a project that belongs to any of those foundations is missing or has some incorrect or missing information, please feel free to submit a pull request with your suggested changes. The YAML data files for the registered foundations can be found in this repository, at the /data path. CLOMonitor periodically checks those data files and applies the corresponding changes as needed.
Every project featured on clomonitor.io will be provided with a badge and report summary that is ready for use in your project repos. Simply click the menu dropdown on your project page and copy+paste the code snippet into your markdown as desired. An example can be seen in the image shown above.
CLOMonitor runs sets of checks periodically on all the repositories registered in the database. These checks are run every hour, provided the repository has changed since the last time it was checked. In the case of repositories that don't change often, we make sure that they are checked at least once a day anyway. This way we keep reports up to date with the latest check additions and improvements.
Checks are organized in check sets. Each check set defines a number of checks that will be run on the repository and one or more check sets can be applied to a single repository. At the moment the following sets are supported: code, code-lite, community and docs. Please see the checks documentation for more details.
CLOMonitor's linter can also be run locally or from CI workflows. This can be done by using the container image provided or by building the CLI tool from source.
CLOMonitor delegates some of the security checks to OpenSSF Scorecard. When building from source, you'll need to install it before running clomonitor-linter locally. The container image already includes the scorecard binary, so if you opt for using it you are ready to go.
Both CLOMonitor and Scorecard use the GitHub GraphQL API for some checks, which requires authentication. A GitHub token (with public_repo scope) must be provided via the GITHUB_TOKEN environment variable to authenticate those requests.
You can run the linter CLI tool from Docker by running the following command:
$ export GITHUB_TOKEN=<your token>
$ docker run -it \
    --volume "$PWD:/repo" \
    --env GITHUB_TOKEN="$GITHUB_TOKEN" \
    public.ecr.aws/clomonitor/linter clomonitor-linter \
    --path /repo \
    --url https://github.com/<org>/<repo>
Note: the command assumes the current working directory is the repo you would like to lint. Please adjust the repo URL as needed.
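The wrapper below is an added example, not part of the CLOMonitor project. It runs the same container invocation but refuses to start without a token, passes GITHUB_TOKEN by name so its value stays out of the docker command line, and derives the --url value from the checkout's remote with any embedded credentials stripped. The function names `github_https_url` and `lint_repo` are hypothetical, and the remote is assumed to be called `origin`.

```shell
#!/usr/bin/env bash
# Added example (not CLOMonitor code): wrapper for the documented docker command.

# Turn a GitHub remote (SSH or HTTPS form) into the https URL expected by --url.
# Credentials embedded in an HTTPS remote are dropped rather than forwarded.
github_https_url() {
  local remote="$1"
  case "$remote" in
    https://github.com/*)   ;;
    git@github.com:*)       remote="https://github.com/${remote#git@github.com:}" ;;
    ssh://git@github.com/*) remote="https://github.com/${remote#ssh://git@github.com/}" ;;
    https://*@github.com/*) remote="https://github.com/${remote#https://*@github.com/}" ;;
    *) echo "not a github.com remote: $remote" >&2; return 1 ;;
  esac
  remote="${remote%.git}"
  remote="${remote%/}"
  printf '%s\n' "$remote"
}

# Lint the repository at $1 (default: current directory).
lint_repo() {
  local repo_dir="${1:-$PWD}" url
  if [ -z "${GITHUB_TOKEN:-}" ]; then
    echo "GITHUB_TOKEN is not set (a token with public_repo scope is required)" >&2
    return 1
  fi
  export GITHUB_TOKEN
  # Assumption: the remote to lint against is named "origin".
  url="$(github_https_url "$(git -C "$repo_dir" remote get-url origin)")" || return 1
  # "--env GITHUB_TOKEN" with no value copies the variable from this shell's
  # environment, so the token is not visible in the docker process arguments.
  docker run --rm \
    --volume "$repo_dir:/repo" \
    --env GITHUB_TOKEN \
    public.ecr.aws/clomonitor/linter clomonitor-linter \
    --path /repo \
    --url "$url"
}
```

Source the file and call `lint_repo` from the repository root, or pass the checkout path as the first argument.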
An example of how to integrate CLOMonitor's linter with GitHub Actions can be found in the Artifact Hub repository.
You can also build CLOMonitor's linter CLI tool from source by using Cargo, the Rust package manager:
$ cargo install --git https://github.com/cncf/clomonitor clomonitor-linter
$ clomonitor-linter --help
Please see CONTRIBUTING.md for more details.
You can find some general information about how to work on this repo in the architecture and the development environment setup documents.
This project follows the CNCF Code of Conduct.
CLOMonitor is an Open Source project licensed under the Apache License 2.0.