Azeem Shaikh
We do terribly on Signed-Releases and Packaging checks for ecosystems and projects which do not release on GitHub or use GitHub Actions. Some ideas to improve here: - Look for...
Is looking for the presence of a config enough evidence to rate a repository at 10? Should we maybe tighten this check a bit more and make sure...
In ecosystems like Python and NPM, Pinned-Dependency check can give a score of 10, but their manifest files (`requirements.txt` and `package.json`) may actually contain unpinned dependencies. Let's improve our reporting...
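As an added example (not Scorecard's own Pinned-Dependencies code and not the author's), here is a standalone Python checker that flags entries in a `requirements.txt` and a `package.json` which are not pinned to an exact version. The sample manifests are constructed for the demonstration, and the pinning rules it applies (`==` with an exact version for pip, optionally with `--hash=`; an exact semver string for npm) are this example's own assumptions.

```python
"""Flag dependencies that are not pinned to an exact version in a
Python requirements.txt or a Node package.json.

Added example, not Scorecard code. Assumed pinning rules:
  - requirements.txt: pinned means `==` (or `===`) with an exact version;
    a `--hash=` option additionally pins the artifact content.
  - package.json: pinned means an exact semver string such as `1.2.3`;
    ranges (`^`, `~`, `>=`, `*`, `x`), tags (`latest`) and URLs are unpinned.
"""
import json
import re

# Constructed sample manifests for the demonstration (not from a real project).
SAMPLE_REQUIREMENTS = """\
# exact version plus content hash
requests==2.31.0 --hash=sha256:0123456789abcdef
# exact version only
urllib3==2.0.7
# ranges and bare names resolve to whatever is newest at install time
flask>=2.0
pyyaml
--index-url https://pypi.example.org/simple
-e git+https://github.com/example/pkg.git#egg=pkg
"""

SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo",
    "dependencies": {"lodash": "4.17.21", "express": "^4.18.2", "left-pad": "*"},
    "devDependencies": {"jest": "~29.0.0", "typescript": "latest"},
})

_COMMENT = re.compile(r"(^|\s+)#.*$")  # pip only treats '#' after whitespace as a comment
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
_EXACT_PY = re.compile(r"^===?\s*[0-9][0-9A-Za-z.+!-]*$")          # ==1.2.3, no wildcard
_EXACT_NPM = re.compile(r"^=?v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")


def check_requirements(text):
    """Return [{"name", "spec", "status"}] for each dependency line of a requirements.txt."""
    findings = []
    for raw in text.splitlines():
        line = _COMMENT.sub("", raw).strip()
        if not line:
            continue
        if line.startswith(("-e ", "--editable ")):
            # editable/VCS installs track a branch or URL, not a version
            findings.append({"name": line.split(None, 1)[1], "spec": "editable", "status": "unpinned"})
            continue
        if line.startswith("-"):
            continue  # other pip options (-r, --index-url, ...) are not dependencies
        # split per-requirement options such as --hash=... off the requirement itself
        parts = line.split(" --")
        req, opts = parts[0], ["--" + p for p in parts[1:]]
        m = _REQ_LINE.match(req)
        if not m:
            continue
        name, spec = m.group(1), m.group(3).strip()
        if _EXACT_PY.match(spec.replace(" ", "")):
            status = "pinned+hash" if any(o.startswith("--hash=") for o in opts) else "pinned"
        else:
            status = "unpinned"  # no specifier, a range, or a wildcard
        findings.append({"name": name, "spec": spec or "(any)", "status": status})
    return findings


def check_package_json(text):
    """Return [{"name", "spec", "status"}] for dependencies and devDependencies."""
    manifest = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            status = "pinned" if _EXACT_NPM.match(spec) else "unpinned"
            findings.append({"name": name, "spec": spec, "status": status})
    return findings


def unpinned_names(findings):
    """Names of entries a Pinned-Dependencies style check should report."""
    return [f["name"] for f in findings if f["status"] == "unpinned"]


if __name__ == "__main__":
    for title, findings in (("requirements.txt", check_requirements(SAMPLE_REQUIREMENTS)),
                            ("package.json", check_package_json(SAMPLE_PACKAGE_JSON))):
        print(f"== {title}")
        for f in findings:
            print(f"  {f['status']:12} {f['name']} {f['spec']}")
```

A lockfile (`requirements.txt` generated with hashes, or `package-lock.json`) is what actually makes an install reproducible; this checker only shows why a manifest with `>=` or `^` ranges should not earn a perfect pinning score on its own.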
There have been multiple reports by users in the past that Binary-Artifact reports false positives and is noisy. Need to fix this behavior.
We only query the OSV database for vulns on a commitSHA so we are extremely limited on the vulns we can report through Scorecard. There is a high possibility that...
Branch-Protection fails with `-1` for multiple reasons: - lookup of a branch name that no longer exists on the repository - unable to locate the branch even though it existed...
Maintained check only looks for activity within the last 90 days which might be too short of a time frame for stable projects and we unfairly penalize them. Let's increase...
License check should include the following file names: GPL-2.0, LICENSE, LICENCE, LICENSE.txt, LICENSE.rst, LICENSE.PSF, LICENSE.APACHE, LICENSE.BSD, LICENSE.md, LICENSE-MIT.
`Token-Permissions` check returns `10` on repositories which do not have any GH workflows. We should consider improving our reporting here. ``` ./scorecard --repo=azeemshaikh38/empty-repo-test --format=json --checks=Token-Permissions --show-details | jq . 2022/08/17...
Running Scorecard on an empty repository (no commits) returns results which do not make sense: ``` ./scorecard --repo=azeemshaikh38/empty-repo-test --format=json | jq . 2022/08/17 01:00:47 unable to get tarball tarball not...