laurentsimon


thoughts on rate limiting https://docs.github.com/en/rest/overview/resources-in-the-rest-api#requests-from-github-actions

> When using GITHUB_TOKEN, the rate limit is 1,000 requests per hour per repository. For requests to resources that belong to an enterprise account on...

> > For cron job, highly unlikely we'll ever be able to run SAST check if we apply the changes proposed here.
>
> FWIW Looking at https://metrics.openssf.org/grafana/d/default/metric-dashboard?orgId=1&var-PackageURL=pkg%3Agithub/systemd/systemd it seems...

Thanks for the info @evverx. Sorry, this PR has been on the back burner for a while :/ Re: search API in repoClient, @azeemshaikh38 do we need this API at...

Also, I need to replace some of the fields with pointers

This work works well on branch protection because each result is "named", but not well for other checks like token-permissions or pinning. What's the plan for the others?

> IMO some checks like `Branch-Protection`, `Token-Permissions` shouldn't be exposed at all through this policy.

do you mean `Dependency-Pinning` or `Branch-Protection`? (I'm asking because @raghavkaul's initial description is heavy...

The check does not look for `requirements.txt` and `package.json`. The check looks for commands that don't treat these files as read-only and/or don't fail if there are unpinned...

> Today we get dependencies through [checks/raw/shell_download_validate_test.go](https://github.com/ossf/scorecard/blob/main/checks/raw/shell_download_validate_test.go).

I think the issue arises if a library doesn't have build steps that point to a deps file (either through lack of build...