
Improve Score Reporting: Token-Permissions on repo without GitHub workflows

Open azeemshaikh38 opened this issue 3 years ago • 0 comments

Token-Permissions check returns 10 on repositories which do not have any GH workflows. We should consider improving our reporting here.

./scorecard --repo=azeemshaikh38/empty-repo-test --format=json --checks=Token-Permissions --show-details | jq .
2022/08/17 01:20:11 unable to get tarball tarball not found: https://api.github.com/repos/azeemshaikh38/empty-repo-test/tarball/. Skipping...
{
  "date": "2022-08-17",
  "repo": {
    "name": "github.com/azeemshaikh38/empty-repo-test",
    "commit": "no commits found"
  },
  "scorecard": {
    "version": "v4.5.0-25-g887facf",
    "commit": "887facf3cad2bd401ff5f6a51725225f8ec28c17"
  },
  "score": 10,
  "checks": [
    {
      "details": null,
      "score": 10,
      "reason": "tokens are read-only in GitHub workflows",
      "name": "Token-Permissions",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/887facf3cad2bd401ff5f6a51725225f8ec28c17/docs/checks.md#token-permissions",
        "short": "Determines if the project's workflows follow the principle of least privilege."
      }
    }
  ],
  "metadata": null
}

azeemshaikh38 · Aug 17 '22 01:08
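As an added example, not scorecard's own code, this Go model shows the reporting the issue asks for: a repository with no workflows yields an inconclusive result rather than a perfect 10, while repositories with workflows are scored on what their `permissions:` blocks actually grant. The `Workflows` and `Result` types and the one-point-per-finding weights are constructed for illustration, not scorecard's real scoring.

```go
package main

import "sort"

// Result models what a Token-Permissions check reports (0-10 scale).
// Inconclusive marks the issue's case: no workflows, nothing evaluated.
type Result struct {
	Score        int
	Inconclusive bool
	Reason       string
	Findings     []string
}

// Workflows is a constructed, simplified view of a repository's workflow files:
// file name -> top-level "permissions:" block (scope -> access), nil if absent.
type Workflows map[string]map[string]string

// findings flags a missing permissions block or any scope granted write access.
func findings(name string, perms map[string]string) []string {
	if perms == nil {
		return []string{name + ": no top-level permissions block (default token applies)"}
	}
	var out []string
	for scope, access := range perms {
		if access == "write" {
			out = append(out, name+": "+scope+" is write")
		}
	}
	return out
}

// EvaluateTokenPermissions deducts one point per finding (an illustrative
// weight, not scorecard's) and reports inconclusive when there is no input.
func EvaluateTokenPermissions(wfs Workflows) Result {
	if len(wfs) == 0 {
		return Result{Inconclusive: true, Reason: "no GitHub workflows found; nothing evaluated"}
	}
	r := Result{Score: 10, Reason: "tokens are read-only in GitHub workflows"}
	for name, perms := range wfs {
		r.Findings = append(r.Findings, findings(name, perms)...)
	}
	sort.Strings(r.Findings) // map iteration order is random; keep output stable
	if n := len(r.Findings); n > 0 {
		r.Score, r.Reason = 10-n, "workflows grant write access or rely on the default token"
		if r.Score < 0 {
			r.Score = 0
		}
	}
	return r
}
```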