✨ Add GitHub git compatibility mode

[spencerschrock]

What kind of change does this PR introduce?

feature

• PR title follows the guidelines defined in our pull request documentation

What is the current behavior?

All GitHub repo files are fetched using the export archive tarball

What is the new behavior (if this is a feature change)?**

• There is a new git mode for maximum compatibility (which avoids the issue of export-ignore).
  • This is enabled from the CLI with a new --git-mode flag
  • This is enabled programmatically with the WithGitMode() option when running scorecard.Run or creating a GitHub RepoClient, which can be done from Scorecard Action as well. How we expose that to users will be part of a different PR in that repository.

• Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Related to #2489

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

Added a flag to fetch repository files via Git. This produces the most accurate results for repositories with .gitattributes files at the cost of analysis speed.

[codecov]

Codecov Report

Attention: Patch coverage is 38.69347% with 122 lines in your changes missing coverage. Please review.

Project coverage is 68.21%. Comparing base (353ed60) to head (08a0b7a).
Report is 96 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4474      +/-   ##
==========================================
+ Coverage   66.80%   68.21%   +1.40%     
==========================================
  Files         230      247      +17     
  Lines       16602    18605    +2003     
==========================================
+ Hits        11091    12691    +1600     
- Misses       4808     5072     +264     
- Partials      703      842     +139     

[spencerschrock]

Thoughts on the CLI flag? It's not GitHub specific, and can be added for the GitLab client in a future PR

Flags:
      # ...
      --git-mode           fetch repository files using git for maximum compatibility

go run main.go --repo kokkos/kokkos --checks Dangerous-Workflow --git-mode

And then the Scorecard Action would have a corresponding input:

      - name: "Run analysis"
        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
          git_compatibility_mode: true

or it could be a selection of options if we think we'll add a local file option (for a repo you already have cloned for example):

      - name: "Run analysis"
        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
          file_mode:  git # one of [archive, git, local]

EDIT: With a similar file mode flag, the CLI would be:

Flags:
      # ...
      --file-mode string   mode to fetch repository files: archive, git (default "archive")

[spencerschrock]

/scdiff generate Binary-Artifacts,Dangerous-Workflow,Dependency-Update-Tool,Fuzzing,License,Packaging,Pinned-Dependencies,SAST,Security-Policy,Token-Permissions,Vulnerabilities

[github-actions]

Here's a link to the scdiff run

[masterleinad]

I like a file_mode option the best for the Scorecard Action and would make git-mode also take a similar argument.