laurentsimon
If I'm not mistaken, there are different settings: 1. [create a dependabot.yml config file](https://docs.github.com/en/[email protected]/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-dependabot-version-updates#enabling-dependabot-version-updates) to allow updates for dependencies. 2. [enable the settings](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization), selecting options to enable Dependabot alerts and...
cc @azeemsgoogle @naveensrinivasan
Thanks Oliver. To detect clusterfuzzlite, we need to check for a workflow which uses `google/clusterfuzzlite/actions/run_fuzzers` action, is this correct? Do you expect users to enable it on PRs or push...
> > Thanks Oliver. To detect clusterfuzzlite, we need to check for a workflow which uses `google/clusterfuzzlite/actions/run_fuzzers` action, is this correct? Do you expect users to enable it on PRs...
Awesome. I've created https://github.com/ossf/scorecard/issues/1148 and added to v4 milestone.
@naveensrinivasan is there a special command/keyword we can use to say "this issue should not be closed automatically by the bot"?
I think it fits in this issue. If you know how to check for its use (there's a command for it?) please let us know. Feel free to send a PR...
We need to look for the `--fuzz` command in the workflow https://go.dev/doc/fuzz/. The assumption is that the command is used directly in the workflow, and not in a script that's...
I think it's fair to start with the regex @azeemshaikh38 provided. The warning is something the Go team should fix, rather than us, no? Note that a while back, we were...
@Navidem feel free to ask questions if you need some pointers