laurentsimon
Steps: 1. Dependabot publishes a change. 2. Maintainer edits that change to do whatever they want. 3. Maintainer approves it. 4. Maintainer merges it. Let's try to verify that the...
Add support for cloud yaml for dependency pinning, see example https://github.com/ossf/allstar/blob/main/cloudbuild.yaml#L4
Workflows can define container images using the `image` field. We may check whether it's pinned. See https://github.com/sethvargo/ratchet
`If there is no support for token authentication, consider implementing it by following [these directions](https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks).` is misleading because users do not control the authentication support: the webhook service is often...
Certain maintainers disagree or are unable to satisfy certain Scorecard checks. It would be useful to provide a way for them to explain their reasoning, if they want. We can...
Let's have e2e tests to catch https://github.com/ossf/scorecard/issues/1891 /cc @naveensrinivasan
There are several examples of GitHub token leaks via `pull_request_target` event. It'd be nice to check for it - possibly filtering out known acceptable GitHub Actions that use it after...
We don't have e2e tests for JSON and SARIF output. /cc @azeemsgoogle @naveensrinivasan
@evverx can you describe the repo you tried it on? I'm wondering whether it's still useful to report an inactive webhook: if it's inactive, should users remove it?
I was pulling some images and found that https://github.com/ossf/scorecard/blob/main/Dockerfile#L15, for example, was built in 08-2021, and the latest image is from 2022-04. I stumbled upon this by chance because the...