tally
Currently you need to specify the format of your BOM explicitly. We should try to detect the BOM type automagically by default.
Some repositories house very simple libraries that have low scorecard scores because they are not updated regularly (because they don't need to be) or otherwise score low despite being...
I'm more familiar with CycloneDX and syft-json but SPDX is very popular and tally should definitely support it.
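The two issues above (auto-detecting the BOM type, and supporting SPDX alongside CycloneDX and syft-json) both come down to sniffing a handful of stable top-level JSON markers. The following is an added example, not tally's own code: it decodes only the marker fields, so a large BOM is not unmarshalled into typed structs just to learn its format, and it returns a distinct error for JSON that matches none of the three. The `Format` constants and `DetectFormat` name are this example's own; the samples in `main` are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Format is the detected BOM type. The names are this example's own.
type Format string

const (
	FormatCycloneDX Format = "cyclonedx-json"
	FormatSPDX      Format = "spdx-json"
	FormatSyft      Format = "syft-json"
)

// ErrUnknownFormat is returned when none of the known markers is present.
var ErrUnknownFormat = errors.New("unknown BOM format")

// header holds only the top-level keys used for detection; every other field
// in the document is ignored by encoding/json.
type header struct {
	BOMFormat   string          `json:"bomFormat"`   // CycloneDX: "CycloneDX"
	SpecVersion string          `json:"specVersion"` // CycloneDX: e.g. "1.4"
	SPDXVersion string          `json:"spdxVersion"` // SPDX: e.g. "SPDX-2.3"
	SPDXID      string          `json:"SPDXID"`      // SPDX: "SPDXRef-DOCUMENT"
	Artifacts   json.RawMessage `json:"artifacts"`   // syft-json: package list
	Descriptor  struct {
		Name string `json:"name"` // syft-json: "syft"
	} `json:"descriptor"`
}

// DetectFormat sniffs the BOM format from its top-level markers. Malformed
// JSON is reported as a parse error; well-formed JSON without any marker is
// reported as ErrUnknownFormat so callers can fall back to an explicit flag.
func DetectFormat(data []byte) (Format, error) {
	var h header
	if err := json.Unmarshal(data, &h); err != nil {
		return "", fmt.Errorf("parsing BOM: %w", err)
	}
	switch {
	case h.BOMFormat == "CycloneDX" && h.SpecVersion != "":
		return FormatCycloneDX, nil
	case strings.HasPrefix(h.SPDXVersion, "SPDX-") && h.SPDXID == "SPDXRef-DOCUMENT":
		return FormatSPDX, nil
	case h.Descriptor.Name == "syft" && len(h.Artifacts) > 0:
		return FormatSyft, nil
	}
	return "", ErrUnknownFormat
}

func main() {
	// Constructed minimal documents, one per format, plus one that matches nothing.
	samples := map[string]string{
		"cdx":     `{"bomFormat":"CycloneDX","specVersion":"1.4","components":[]}`,
		"spdx":    `{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","packages":[]}`,
		"syft":    `{"artifacts":[{"name":"foo"}],"descriptor":{"name":"syft","version":"0.60.0"}}`,
		"unknown": `{"hello":"world"}`,
	}
	for name, doc := range samples {
		f, err := DetectFormat([]byte(doc))
		fmt.Printf("%-8s format=%q err=%v\n", name, f, err)
	}
}
```

Matching on two markers per format (for example `spdxVersion` together with `SPDXID`) keeps a stray `bomFormat` or `artifacts` key in an unrelated JSON document from being misclassified.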
Add the option to store results in a remote, shared location somewhere. The goal here is to create a dataset that only contains scores for your software and your dependencies....
We should run https://github.com/ossf/scorecard-action on this repository and then do the work required to get our score as high as possible!
Maybe we could support adding the scores back into the BOM as a property (where the BOM format supports such a thing). Perhaps it could be an output option with...
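CycloneDX is one format that supports this: each component may carry a `properties` array of name/value pairs. The following is an added example of writing scores back that way, not tally's own output option. The property name `tally:scorecard:score` and the `AnnotateCycloneDX` function are this example's own; the BOM is handled as generic JSON so fields the code does not know about survive the round trip, and the sample BOM and scores in `main` are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// AnnotateCycloneDX appends a CycloneDX property carrying the scorecard score
// to every component whose purl has an entry in scores. Components without a
// score are left untouched, and existing properties are preserved.
func AnnotateCycloneDX(bom []byte, propName string, scores map[string]float64) ([]byte, error) {
	var doc map[string]any
	if err := json.Unmarshal(bom, &doc); err != nil {
		return nil, fmt.Errorf("parsing CycloneDX BOM: %w", err)
	}
	if doc["bomFormat"] != "CycloneDX" {
		return nil, fmt.Errorf("not a CycloneDX BOM")
	}
	comps, _ := doc["components"].([]any)
	for _, c := range comps {
		comp, ok := c.(map[string]any)
		if !ok {
			continue
		}
		purl, _ := comp["purl"].(string)
		score, found := scores[purl]
		if !found {
			continue
		}
		props, _ := comp["properties"].([]any)
		props = append(props, map[string]any{
			"name":  propName,
			"value": strconv.FormatFloat(score, 'f', 1, 64),
		})
		comp["properties"] = props
	}
	return json.Marshal(doc)
}

// ScoreProperty reads the named property back from the component with the
// given purl, returning ok=false if either is absent.
func ScoreProperty(bom []byte, purl, propName string) (value string, ok bool) {
	var doc struct {
		Components []struct {
			Purl       string `json:"purl"`
			Properties []struct {
				Name  string `json:"name"`
				Value string `json:"value"`
			} `json:"properties"`
		} `json:"components"`
	}
	if err := json.Unmarshal(bom, &doc); err != nil {
		return "", false
	}
	for _, c := range doc.Components {
		if c.Purl != purl {
			continue
		}
		for _, p := range c.Properties {
			if p.Name == propName {
				return p.Value, true
			}
		}
	}
	return "", false
}

func main() {
	// Constructed input: two components, only one of which has a score.
	bom := []byte(`{"bomFormat":"CycloneDX","specVersion":"1.4","components":[
	  {"type":"library","name":"a","purl":"pkg:golang/example.com/a@v1.0.0","properties":[{"name":"x","value":"y"}]},
	  {"type":"library","name":"b","purl":"pkg:golang/example.com/b@v2.0.0"}]}`)
	scores := map[string]float64{"pkg:golang/example.com/a@v1.0.0": 7.2}
	out, err := AnnotateCycloneDX(bom, "tally:scorecard:score", scores)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```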