Azeem Shaikh
> Inside checks/evaluation, [where](https://github.com/ossf/scorecard/blob/ff9c0626ef4ebfb924fd46d33bb4fb389d3f3738/checks/evaluation/permissions.go#L68) the logic for the remediation check already is, there is no way to access any variable (such as the RepoClient) that has access to the...
I found something interesting. We can check for presence of CI-Tests on a merge SHA instead of a PR (i.e. check runs that ran on `push` event) - https://api.github.com/repos/androidx/androidx/commits/289583a81c5a84f3ac4b14867f72dbf3021d0aaa/check-runs. Maybe...
> I think the API as well, because both the API and the dashboard use the same underlying data storage. @azeemsgoogle and @rohankh532 are working on scorecard API, so maybe...
The API for metrics.openssf.org most likely will be deprecated, but there might still be an API for `ossf/security-reviews` (see [@scovetta's comment](https://github.com/ossf/scorecard/issues/1507#issuecomment-1018686187))?
@laurentsimon fyi.
Sounds like a good idea to me. Maybe expand the `Signed-Release` check to include this? The updated check could verify various methods which ensure release integrity - GitHub signatures, cosign...
Sure, not tied to the `Signed-Release` name at all. To confirm are you saying that if users sign their release (let's say with cosign), we should complain that it's not...
Thanks for reporting this @godofredoc. I wonder if a Python parser like https://pkg.go.dev/github.com/go-python/[email protected] can be used here? If the code complexity of these `DEPS` files tends to be fairly simple...
> Alternatively we can autogenerate a flattened DEPs file and only check for the pinned dependencies from scorecards using a plain text file with one dependency per line. I presume...
Update from the WG discussion:
- Running a Python script in Go might pose security risks.
- [gclient](https://www.chromium.org/developers/how-tos/depottools/#gclient) is used by Chromium and also by Flutter + Dart.
- 3...