OpenSSF Scorecard - Security health metrics for Open Source
Add support for cloud yaml for dependency pinning, see example https://github.com/ossf/allstar/blob/main/cloudbuild.yaml#L4
Workflows can define container images using the `image` field. We may check whether it's pinned. See https://github.com/sethvargo/ratchet
`If there is no support for token authentication, consider implementing it by following [these directions](https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks).` is misleading because users do not control the authentication support: the webhook service is often...
**Describe the bug** A `Dependency-Update-Tool` alert contains a link to https://dependabot.com/docs/config-file/ which now redirects to https://github.com/docs/config-file/ which is 404. **Expected behavior** Perhaps a link to https://github.com/dependabot would be appropriate though...
Certain maintainers disagree or are unable to satisfy certain Scorecard checks. It would be useful to provide a way for them to explain their reasoning, if they want. We can...
`Dependency-Update-Tool` checks if a project uses Dependabot or Renovate bot. Although these tools support many languages and ecosystems, there are cases they don't support, for example, C/C++ projects. For...
Let's have e2e tests to catch https://github.com/ossf/scorecard/issues/1891 /cc @naveensrinivasan
There are several examples of GitHub token leaks via the `pull_request_target` event. It'd be nice to check for it - possibly filtering out known acceptable GitHub Actions that use it after...
**Is your feature request related to a problem? Please describe.** Use Renovate bot for GitHub Actions instead of Dependabot because it adds the comment on pinned SHA for actions. Also,...
We don't have e2e tests for json and sarif output. /cc @azeemsgoogle @naveensrinivasan