It would be nice to add Scorecard analysis to this repo as a GitHub Actions workflow to compute the security score. Scorecard runs various simple checks, e.g., whether Branch-Protection and Security-Policy exist in the repo, and computes a score of 0-1.
Here is the result that I get by locally running Scorecard:
```text
RESULTS
-------
Finished [Binary-Artifacts]
Finished [Maintained]
Finished [Packaging]
Finished [CI-Tests]
Finished [Pinned-Dependencies]
Finished [Signed-Releases]
Finished [Vulnerabilities]
Finished [Branch-Protection]
Finished [Contributors]
Finished [Fuzzing]
Finished [Token-Permissions]
Finished [Security-Policy]
Finished [CII-Best-Practices]
Finished [Code-Review]
Finished [Dependency-Update-Tool]
Finished [SAST]
Aggregate score: 4.5 / 10
```

Check scores:

| SCORE | NAME | REASON | DOCUMENTATION/REMEDIATION |
|-------|------|--------|---------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#binary-artifacts |
| 1 / 10 | Branch-Protection | branch protection is not maximal on development and all release branches | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#branch-protection |
| 10 / 10 | CI-Tests | 14 out of 14 merged PRs checked by a CI test -- score normalized to 10 | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#ci-tests |
| 0 / 10 | CII-Best-Practices | no badge found | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#cii-best-practices |
| 9 / 10 | Code-Review | GitHub code reviews found for 13 commits out of the last 14 -- score normalized to 9 | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#code-review |
| 0 / 10 | Contributors | 0 different companies found -- score normalized to 0 | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#contributors |
| 10 / 10 | Dependency-Update-Tool | update tool detected | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#dependency-update-tool |
| 0 / 10 | Fuzzing | project is not fuzzed in OSS-Fuzz | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#fuzzing |
| 6 / 10 | Maintained | 8 commit(s) found in the last 90 days -- score normalized to 6 | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#maintained |
| ? | Packaging | no published package detected | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#packaging |
| 5 / 10 | Pinned-Dependencies | dependency not pinned by hash detected -- score normalized to 5 | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#pinned-dependencies |
| 0 / 10 | SAST | SAST tool is not run on all commits -- score normalized to 0 | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#sast |
| 0 / 10 | Security-Policy | security policy file not detected | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#security-policy |
| 0 / 10 | Signed-Releases | 0 out of 2 artifacts are signed -- score normalized to 0 | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#signed-releases |
| 0 / 10 | Token-Permissions | non read-only tokens detected in GitHub workflows | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#token-permissions |
| 10 / 10 | Vulnerabilities | no vulnerabilities detected | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#vulnerabilities |
I’m in full support of this, and it looks like they provide the GitHub Action also. Looks like some of the scores become only relevant once users begin to build out this cookiecutter, though?