Improve Score Reporting: Deps-Update-Tool should check for tool activity

Open azeemshaikh38 opened this issue 3 years ago • 4 comments

Is looking for the presence of a config enough evidence to rate a repository at 10? Should we maybe tighten this check a bit more and make sure that there have been recent commits by these tools?

azeemshaikh38 avatar Aug 17 '22 01:08 azeemshaikh38

I think we used to have a tracking issue for this - I can't find it so maybe not :) One reason we postponed implementation was because it's not clear how often a PR could be expected to be merged. This depends on repo activity, for example. Since scorecard checks for 30 commits, there is a risk that the results would oscillate between different scores, depending on whether we find a PR or not.

laurentsimon avatar Aug 22 '22 14:08 laurentsimon
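
The oscillation risk raised in the comment above, as an added Go sketch (not Scorecard's code and not written by anyone in this thread): it re-evaluates a hypothetical "update-tool commit within the last 30 commits" check after every new commit on a constructed history. The bot logins and the helpers `hasToolActivity`, `buildHistory` and `countFlips` are assumptions made for illustration.

```go
package main

import "fmt"

// Bot logins treated as dependency-update tools (assumption; the thread names none).
var updateBots = map[string]bool{"dependabot[bot]": true, "renovate[bot]": true}

// hasToolActivity reports whether any commit author in the slice is an update bot.
func hasToolActivity(authors []string) bool {
	for _, a := range authors {
		if updateBots[a] {
			return true
		}
	}
	return false
}

// buildHistory constructs n commit authors, oldest first; every period-th
// commit is a merged bot PR, all others are human commits (constructed data).
func buildHistory(n, period int) []string {
	h := make([]string, n)
	for i := range h {
		h[i] = "human"
		if (i+1)%period == 0 {
			h[i] = "dependabot[bot]"
		}
	}
	return h
}

// countFlips re-runs the check after each new commit, looking only at the most
// recent `window` commits, and counts verdict changes. Needs len(history) >= window.
func countFlips(history []string, window int) int {
	flips := 0
	prev := hasToolActivity(history[:window])
	for end := window + 1; end <= len(history); end++ {
		cur := hasToolActivity(history[end-window : end])
		if cur != prev {
			flips++
		}
		prev = cur
	}
	return flips
}

func main() {
	const window = 30 // commit window mentioned in the thread
	fmt.Println("bot PR every 20 commits:", countFlips(buildHistory(200, 20), window), "flips")
	fmt.Println("bot PR every 45 commits:", countFlips(buildHistory(200, 45), window), "flips")
}
```

The same repository configuration gives a stable verdict when bot PRs land more often than once per window and a flapping one when human commits outpace them, which is the dependence on repo activity the comment describes.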

This issue has been marked stale because it has been open for 60 days with no activity.

github-actions[bot] avatar Apr 30 '24 01:04 github-actions[bot]

Consider how this interacts with the bug report in https://github.com/ossf/scorecard/issues/2845

justaugustus avatar May 16 '24 20:05 justaugustus