laurentsimon
do you think SLSA provenance is something that could address this problem?
I'm fine with all the above.
@oliverchang can you comment on this?
/cc @raghavkaul
Some of these checks were taken out because they are API intensive so rate limiting can be a bottleneck. @azeemsgoogle any plan to add these checks?
We could add an extra column "Run in weekly scan" in the https://github.com/ossf/scorecard#scorecard-checks. @Parth59 interested in sending a quick PR for it?
@edwardsph is the setup using a config file committed to a repository? Do you use https://github.com/SonarSource/sonarqube-scan-action? The only way scorecard can detect it is if _something_ is visible in the...
Yes, this should help. Can you link to an example of POM file you use? Looks like https://docs.sonarqube.org/latest/analysis/scan/sonarscanner-for-maven/: `http://myserver:9000` Correct? What is the name of the file: pom.yml...
I've sent https://github.com/ossf/scorecard/pull/2114
Was it before or after https://github.com/ossf/scorecard/pull/1879 was merged? @jeffmendoza reported improvements after this PR and may have some ideas about noise / FP still left