laurentsimon

Results 1092 comments of laurentsimon

Hey, we've been thinking of creating a config file as well. Thanks for the link, I was not aware of CLOMonitor. Is it a CNCF project?

I've started the process by clicking "get a badge". Waiting for OSSF to accept the OAuth request.

I indeed got a list of repos, but `ossf/scorecard` does not show up. I think it's because the OAuth does not have the scope to read it, I see "Access...

Sounds like this should work! deps.dev is a single API that works for all packages, so +1 from me to use it instead of registry APIs if we can.

@inferno-chromium @oliverchang @naveensrinivasan Any comments on these checks? FYI @rsprabery

> c/f #132
>
> Version 1.0.0 required a fix after a Rekor change, and this backported fix needs to be added to older releases.
>
> In order to...

Oh, I see, you meant `PATCH` in each old release: yes, I think that's a fair assumption. We don't have a good story around *how* we reach out to users...

We could start with simple heuristics: e.g. count the number of Go files that have a corresponding `_test.go`. Or look at other solutions, like codecov.

Thanks for the issue.

> **Why is this needed**:
>
> To prevent [Binary-Artifacts false positives](https://github.com/ossf/scorecard/issues/1256).

Can you provide a repo example where you're observing too many false positives?

> ...

We currently do not, but we should revive https://github.com/ossf/scorecard/pull/1487 and improve the SAST check to include it. The PR is too API intensive, and we need to solve this problem...