laurentsimon
Some of the text has new lines automatically inserted and does not look good.
See https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/adding-a-workflow-status-badge. The build workflow should be https://github.com/ossf/scorecard-action/blob/main/.github/workflows/docker-sign.yml
The provenance builder contains only an ID field, see https://github.com/in-toto/in-toto-golang/blob/master/in_toto/slsa_provenance/v0.2/provenance.go#L22. It would be beneficial to add a Version and a Digest field, because the builder itself needs to be identified...
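To make the point concrete, here is an added example (not in-toto-golang's code and not part of the original issue) of a verifier that reads the `builder` object of a SLSA v0.2 provenance statement. The `version` and `digest` fields on `Builder`, the builder id `https://example.com/builders/go@v1`, and both sample documents are assumptions constructed for this example; only `id` exists in the v0.2 schema. With an id-only provenance, a policy that wants to pin a specific builder build cannot be enforced, so the check fails closed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Builder mirrors the v0.2 ProvenanceBuilder (id only) plus the Version and
// Digest fields proposed above. The two extra fields are a hypothetical
// extension for this example, not part of the v0.2 schema.
type Builder struct {
	ID      string            `json:"id"`
	Version string            `json:"version,omitempty"`
	Digest  map[string]string `json:"digest,omitempty"`
}

// Statement is the subset of an in-toto statement this example reads.
type Statement struct {
	PredicateType string `json:"predicateType"`
	Predicate     struct {
		Builder Builder `json:"builder"`
	} `json:"predicate"`
}

// BuilderPolicy is what a verifier trusts: a builder id and, optionally, the
// digest(s) of the exact builder it accepts.
type BuilderPolicy struct {
	ID     string
	Digest map[string]string
}

const slsaV02 = "https://slsa.dev/provenance/v0.2"

// ParseStatement decodes a statement and rejects unexpected predicate types.
func ParseStatement(raw []byte) (Statement, error) {
	var s Statement
	if err := json.Unmarshal(raw, &s); err != nil {
		return s, err
	}
	if s.PredicateType != slsaV02 {
		return s, fmt.Errorf("unexpected predicateType %q", s.PredicateType)
	}
	return s, nil
}

// VerifyBuilder compares the provenance builder with the policy. An id match
// is always required; if the policy pins a digest but the provenance only
// carries an id, there is nothing to compare and verification fails.
func VerifyBuilder(s Statement, p BuilderPolicy) error {
	b := s.Predicate.Builder
	if b.ID != p.ID {
		return fmt.Errorf("builder id %q does not match trusted id %q", b.ID, p.ID)
	}
	if len(p.Digest) == 0 {
		return nil // policy trusts the id alone
	}
	if len(b.Digest) == 0 {
		return errors.New("provenance identifies the builder by id only; cannot check the builder digest")
	}
	for alg, want := range p.Digest {
		if got, ok := b.Digest[alg]; !ok || got != want {
			return fmt.Errorf("builder %s digest %q does not match trusted %q", alg, got, want)
		}
	}
	return nil
}

// Constructed sample provenance documents; ids and digests are made up.
const idOnly = `{"predicateType":"https://slsa.dev/provenance/v0.2","predicate":{"builder":{"id":"https://example.com/builders/go@v1"}}}`
const withDigest = `{"predicateType":"https://slsa.dev/provenance/v0.2","predicate":{"builder":{"id":"https://example.com/builders/go@v1","version":"1.4.0","digest":{"sha256":"1111111111111111111111111111111111111111111111111111111111111111"}}}}`

func main() {
	policy := BuilderPolicy{
		ID:     "https://example.com/builders/go@v1",
		Digest: map[string]string{"sha256": "1111111111111111111111111111111111111111111111111111111111111111"},
	}
	for name, doc := range map[string]string{"id-only": idOnly, "with-digest": withDigest} {
		s, err := ParseStatement([]byte(doc))
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Println(name, "->", VerifyBuilder(s, policy))
	}
}
```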
### Code of Conduct
- [X] I have read and agree to the GitHub Docs project's [Code of Conduct](https://github.com/github/docs/blob/main/CODE_OF_CONDUCT.md)
### What article on docs.github.com is affected?
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-action-instead-of-an-inline-script-recommended
### What part(s)...
Interesting problem that scorecard would not catch:
```yaml
github.event.pull_request.labels.*.name
```
See https://github.com/google/GoogleSignIn-iOS/blob/main/.github/workflows/pr_notification.yml#L55-L70
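As an added example (not Scorecard's code and not from the linked workflow), here is a small Go scanner that pulls the script of every `run:` step out of a workflow file and reports `${{ }}` expressions that reference attacker-controlled context paths, including the `labels.*.name` object-filter form above, which a matcher that only knows `labels[N].name` never sees. The `run:` extraction is a line-based approximation rather than a YAML parser, the list of untrusted paths is this example's own, and the sample workflow is constructed; all of that is assumption, not something the issue states.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample workflow for this example. The last step shows the
// hardened pattern: the untrusted value goes through env, not into the script.
const sampleWorkflow = `name: pr-notification
on: pull_request_target
jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Labels: ${{ join(github.event.pull_request.labels.*.name, ', ') }}"
      - name: Comment
        run: |
          echo "Title: ${{ github.event.pull_request.title }}"
          echo "Repo: ${{ github.repository }}"
      - name: Hardened
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "$TITLE"
`

// runStepRe matches the first line of a run: step: its indentation and any inline value.
var runStepRe = regexp.MustCompile(`^(\s*)-?\s*run:\s*(.*)$`)

// exprRe captures the body of every ${{ ... }} expression.
var exprRe = regexp.MustCompile(`\$\{\{(.*?)\}\}`)

// untrustedRe lists context paths that a pull request author controls
// (this example's list). Both the wildcard and indexed label forms are covered.
var untrustedRe = regexp.MustCompile(strings.Join([]string{
	`github\.event\.issue\.(title|body)`,
	`github\.event\.pull_request\.(title|body)`,
	`github\.event\.pull_request\.head\.(ref|label)`,
	`github\.event\.pull_request\.labels\.\*\.name`,
	`github\.event\.pull_request\.labels(\.\d+|\[\d+\])\.name`,
	`github\.event\.comment\.body`,
	`github\.event\.review\.body`,
	`github\.event\.review_comment\.body`,
	`github\.head_ref`,
}, "|"))

// extractRunScripts returns the script text of each run: step, handling both
// inline values and | / > block scalars (lines indented deeper than the key).
func extractRunScripts(workflow string) []string {
	lines := strings.Split(workflow, "\n")
	var scripts []string
	for i := 0; i < len(lines); i++ {
		m := runStepRe.FindStringSubmatch(lines[i])
		if m == nil {
			continue
		}
		indent, value := len(m[1]), strings.TrimSpace(m[2])
		if !strings.HasPrefix(value, "|") && !strings.HasPrefix(value, ">") {
			scripts = append(scripts, value)
			continue
		}
		var block []string
		for i+1 < len(lines) {
			next := lines[i+1]
			trimmed := strings.TrimLeft(next, " ")
			if trimmed != "" && len(next)-len(trimmed) <= indent {
				break // back at the step's own indentation: block scalar ended
			}
			block = append(block, trimmed)
			i++
		}
		scripts = append(scripts, strings.Join(block, "\n"))
	}
	return scripts
}

// FindUntrustedExpressions returns every expression inside a run: script that
// references an untrusted context path. Expressions used only under env: are
// not reported, since they do not land in the shell script.
func FindUntrustedExpressions(workflow string) []string {
	var findings []string
	for _, script := range extractRunScripts(workflow) {
		for _, m := range exprRe.FindAllStringSubmatch(script, -1) {
			expr := strings.TrimSpace(m[1])
			if untrustedRe.MatchString(expr) {
				findings = append(findings, expr)
			}
		}
	}
	return findings
}

func main() {
	for _, f := range FindUntrustedExpressions(sampleWorkflow) {
		fmt.Println("untrusted input in run step:", f)
	}
}
```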
Improvements: 1. the `Packaging` check only looks for GH packaging workflows. This is not the only way to publish code. We should check for the presence of the package on...
There are several commands (https://go.dev/ref/mod) that update go.mod/go.sum and may patch the sum file. We should detect them in the Pinned-Dependencies check.
We already look for npm install, update and install-test. We need support for other commands such as: `npm pkg set`, `npm pkg delete`, `npm exec`, `npx`, `npm run`, `npm set-script`...
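The two issues above (the go commands that rewrite go.mod/go.sum, and the npm subcommands beyond install/update/install-test) call for the same kind of detector, so here is one added Go example covering both. It is not Scorecard's implementation: it splits a run script on shell separators, skips leading `VAR=value` assignments, and classifies the command at the head of each segment. The `-mod=mod` handling (including via `GOFLAGS`) and the exact reason strings are this example's own choices, and the sample script is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one command segment and why it was flagged.
type Finding struct {
	Command string
	Reason  string
}

// segmentSplit separates a shell script into individual commands.
var segmentSplit = regexp.MustCompile(`\s*(?:&&|\|\||;|\||\n)\s*`)

// classify decides whether one command may rewrite go.mod/go.sum or
// package.json, or fetch and execute a package outside the lockfile.
func classify(segment string) (string, bool) {
	argv := strings.Fields(segment)
	// Skip leading VAR=value assignments, e.g. GOFLAGS=-mod=mod go test ./...
	for len(argv) > 0 && strings.Contains(argv[0], "=") && !strings.HasPrefix(argv[0], "-") {
		argv = argv[1:]
	}
	if len(argv) == 0 {
		return "", false
	}
	sub := ""
	if len(argv) > 1 {
		sub = argv[1]
	}
	switch argv[0] {
	case "go":
		switch {
		case sub == "get":
			return "go get adds or updates requirements in go.mod and go.sum", true
		case sub == "mod" && len(argv) > 2 && (argv[2] == "tidy" || argv[2] == "download" || argv[2] == "edit"):
			return "go mod " + argv[2] + " rewrites go.mod and/or go.sum", true
		case strings.Contains(segment, "-mod=mod"):
			return "-mod=mod lets the go command update go.mod and go.sum during build/test", true
		}
	case "npx":
		return "npx downloads and executes a package", true
	case "npm":
		switch sub {
		case "install", "i", "add", "update", "up", "install-test", "it":
			return "npm " + sub + " resolves and installs dependencies", true
		case "exec":
			return "npm exec downloads and executes a package", true
		case "pkg":
			if len(argv) > 2 && (argv[2] == "set" || argv[2] == "delete") {
				return "npm pkg " + argv[2] + " edits package.json", true
			}
		case "set-script":
			return "npm set-script edits package.json scripts", true
		case "run", "run-script":
			return "npm run executes package.json scripts", true
		}
	}
	return "", false
}

// ScanScript applies classify to every command in a run script.
func ScanScript(script string) []Finding {
	var findings []Finding
	for _, seg := range segmentSplit.Split(script, -1) {
		seg = strings.TrimSpace(seg)
		if seg == "" {
			continue
		}
		if reason, ok := classify(seg); ok {
			findings = append(findings, Finding{Command: seg, Reason: reason})
		}
	}
	return findings
}

// Constructed sample run script; "npm ci" and "go build" are the pinned,
// lockfile-respecting forms and must not be flagged.
const sampleScript = `set -euo pipefail
go mod tidy && go build ./...
go get github.com/example/lib@v1.2.3
GOFLAGS=-mod=mod go test ./...
npm ci
npx prettier --check .
npm pkg set scripts.build="tsc"
npm run build`

func main() {
	for _, f := range ScanScript(sampleScript) {
		fmt.Printf("%-40s %s\n", f.Command, f.Reason)
	}
}
```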
Repo: https://github.com/slsa-framework/example-package/tree/main
Run: https://github.com/slsa-framework/example-package/actions/runs/3288782237
Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/e2e.go.schedule.main.config-ldflags-main-dir.slsa3.yml
Workflow runs: https://github.com/slsa-framework/example-package/actions/workflows/e2e.go.schedule.main.config-ldflags-main-dir.slsa3.yml
Trigger: schedule
Branch: main
Date: Thu Oct 20 10:26:44 UTC 2022
Repo: https://github.com/slsa-framework/example-package/tree/v15.0.14
Run: https://github.com/slsa-framework/example-package/actions/runs/3295561860
Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/e2e.go.tag.branch1.config-ldflags-assets.slsa3.yml
Workflow runs: https://github.com/slsa-framework/example-package/actions/workflows/e2e.go.tag.branch1.config-ldflags-assets.slsa3.yml
Trigger: push
Branch: v15.0.14
Date: Fri Oct 21 07:30:12 UTC 2022