Calculate risk based on score of the check
Is your feature request related to a problem? Please describe. In the future the Token-Permissions check will give different scores depending on how well the best practices have been followed. But even if one gets a score of 9, they will still get a High risk issue in the SARIF file. This score then gets shown in the Code scanning alerts dashboard when the Scorecards GitHub action is used in a repository.
Describe the solution you'd like The risk of the issue that is emitted in the SARIF file should be based on the score of the check. If the score is high, the risk should be lower.
Describe alternatives you've considered An alternative could be for each repository owner to have a policy file to set a risk threshold.
Additional context This is related to discussion at https://github.com/ossf/scorecard/issues/1128
This is also relevant for the GitHub workflow dependency pinning: we give 10 points if all actions are pinned by hash, and 8 if the GitHub-owned actions are not.
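One way the score-dependent risk described in the request (and the pinning case above) could be derived and mapped onto SARIF, as an added example that is not Scorecard's own code: the score bands, the threshold parameter and the risk-to-severity mapping are assumptions for illustration, while the SARIF `level` values and GitHub's `security-severity` property are the real output fields.

```go
package main

import "fmt"

// Risk is the severity attached to a Scorecard alert in the SARIF output.
type Risk int

const (
	RiskNone Risk = iota
	RiskLow
	RiskMedium
	RiskHigh
	RiskCritical
)

// RiskForScore derives the emitted risk from a check's score (0-10). baseRisk is
// the check's documented risk and acts as a ceiling, so a weak score never alerts
// above the check's own rating; scores at or above threshold (a hypothetical
// per-repository policy value) emit no alert. Bands are an assumption, not Scorecard's.
func RiskForScore(baseRisk Risk, score, threshold int) Risk {
	if score >= threshold {
		return RiskNone
	}
	r := RiskCritical
	switch {
	case score >= 9:
		r = RiskLow
	case score >= 7:
		r = RiskMedium
	case score >= 4:
		r = RiskHigh
	}
	if r > baseRisk {
		r = baseRisk
	}
	return r
}

// SARIFLevel maps a risk to the SARIF result "level" and to the GitHub
// "security-severity" property that orders Code scanning alerts.
func SARIFLevel(r Risk) (level, severity string) {
	m := map[Risk][2]string{
		RiskCritical: {"error", "9.0"}, RiskHigh: {"error", "7.0"},
		RiskMedium: {"warning", "5.0"}, RiskLow: {"note", "2.0"},
		RiskNone: {"none", "0.0"},
	}
	return m[r][0], m[r][1]
}

func main() {
	// Token-Permissions scoring 9/10 lands as a "note" instead of a High "error".
	level, sev := SARIFLevel(RiskForScore(RiskHigh, 9, 10))
	fmt.Println(level, sev) // note 2.0
}
```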
This issue is stale because it has been open for 60 days with no activity.