
[Feature Request] openssf scorecard

Open andy778 opened this issue 1 year ago • 0 comments

It would be good to get https://securityscorecards.dev/ added, to better know where the next improvements could happen and when evaluating the risk of using a component like this.

```
scorecard --repo=https://github.com/plotly/dash
Starting [Packaging]
Starting [Security-Policy]
Starting [Pinned-Dependencies]
Starting [Signed-Releases]
Starting [Code-Review]
Starting [CI-Tests]
Starting [CII-Best-Practices]
Starting [Token-Permissions]
Starting [License]
Starting [Maintained]
Starting [SAST]
Starting [Binary-Artifacts]
Starting [Branch-Protection]
Starting [Contributors]
Starting [Fuzzing]
Starting [Vulnerabilities]
Starting [Dependency-Update-Tool]
Starting [Dangerous-Workflow]
Finished [Code-Review]
Finished [CI-Tests]
Finished [CII-Best-Practices]
Finished [Token-Permissions]
Finished [Packaging]
Finished [Security-Policy]
Finished [Pinned-Dependencies]
Finished [Signed-Releases]
Finished [SAST]
Finished [Binary-Artifacts]
Finished [License]
Finished [Maintained]
Finished [Branch-Protection]
Finished [Contributors]
Finished [Fuzzing]
Finished [Vulnerabilities]
Finished [Dependency-Update-Tool]
Finished [Dangerous-Workflow]

RESULTS
-------
Aggregate score: 5.4 / 10

Check scores:
|  SCORE  |          NAME          |                                 REASON                                  | DOCUMENTATION/REMEDIATION                                                                                              |
|---------|------------------------|-------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts       | no binaries found in the repo                                           | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#binary-artifacts        |
| 8 / 10  | Branch-Protection      | branch protection is not maximal on development and all release branches | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#branch-protection      |
| 10 / 10 | CI-Tests               | 7 out of 7 merged PRs checked by a CI test -- score normalized to 10    | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#ci-tests                |
| 0 / 10  | CII-Best-Practices     | no effort to earn an OpenSSF best practices badge detected              | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#cii-best-practices      |
| 8 / 10  | Code-Review            | found 1 unreviewed changesets out of 7 -- score normalized to 8         | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#code-review             |
| 10 / 10 | Contributors           | 25 different organizations found -- score normalized to 10              | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#contributors            |
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns detected                                 | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#dangerous-workflow      |
| 10 / 10 | Dependency-Update-Tool | update tool detected                                                    | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#dependency-update-tool  |
| 0 / 10  | Fuzzing                | project is not fuzzed                                                   | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#fuzzing                 |
| 10 / 10 | License                | license file detected                                                   | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#license                 |
| 10 / 10 | Maintained             | 30 commit(s) out of 30 and 1 issue activity out of 30 found in the last 90 days -- score normalized to 10 | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#maintained |
| ?       | Packaging              | no published package detected                                           | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#packaging               |
| 4 / 10  | Pinned-Dependencies    | dependency not pinned by hash detected -- score normalized to 4         | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#pinned-dependencies     |
| 0 / 10  | SAST                   | SAST tool is not run on all commits -- score normalized to 0            | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#sast                    |
| 0 / 10  | Security-Policy        | security policy file not detected                                       | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#security-policy         |
| 0 / 10  | Signed-Releases        | 0 out of 1 artifacts are signed or have provenance                      | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#signed-releases         |
| 0 / 10  | Token-Permissions      | detected GitHub workflow tokens with excessive permissions              | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#token-permissions       |
| 0 / 10  | Vulnerabilities        | 46 existing vulnerabilities detected                                    | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#vulnerabilities         |
```

andy778 · Mar 16 '24 14:03