scorecard
OpenSSF Scorecard - Security health metrics for Open Source
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 2.5.0 to 2.5.1. Release notes Sourced from sigstore/cosign-installer's releases. v2.5.1 What's Changed Bump actions/setup-go from 3.0.0 to 3.2.1 by @dependabot in sigstore/cosign-installer#87 update default cosign version to...
#### What kind of change does this PR introduce? 1. Add support for C++ built-in fuzz functions check as a part of scorecard's fuzzing check. 2. Add corresponding unit tests...
Let's start collecting and tagging issues with the v5 milestone. - badges - raw results (beta release)
We do terribly on Signed-Releases and Packaging checks for ecosystems and projects which do not release on GitHub or using GitHub actions. Some ideas to improve here: - Look for...
Is looking for the presence of a config enough evidence to rate a repository at 10? Should we maybe tighten this check a bit more and make sure...
In ecosystems like Python and NPM, Pinned-Dependency check can give a score of 10, but their manifest files (`requirements.txt` and `package.json`) may actually contain unpinned dependencies. Let's improve our reporting...
There have been multiple reports by users in the past that Binary-Artifact reports false positives and is noisy. Need to fix this behavior.
We only query the OSV database for vulns on a commitSHA so we are extremely limited on the vulns we can report through Scorecard. There is a high possibility that...
Branch-Protection fails with `-1` for multiple reasons: - lookup of a branch name that no longer exists on the repository - unable to locate the branch even though it existed...
Maintained check only looks for activity within the last 90 days which might be too short of a time frame for stable projects and we unfairly penalize them. Let's increase...