Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for OpenSSF Scorecard Score #7159

Open
1 task
ivankatliarchuk opened this issue Aug 14, 2024 · 1 comment · May be fixed by #7160
Open
1 task

Add support for OpenSSF Scorecard Score #7159

ivankatliarchuk opened this issue Aug 14, 2024 · 1 comment · May be fixed by #7160
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@ivankatliarchuk
Copy link

ivankatliarchuk commented Aug 14, 2024
edited
Loading

What would you like to be added:

Example helm helm/helm#13243

Example coredns https://github.com/coredns/coredns/blob/master/.github/workflows/scorecards.yml

OpenSSFF Scorecard https://scorecard.dev/viewer/?uri=github.com/kubernetes/autoscaler

Add github action https://github.com/ossf/scorecard-action

Maintainters need to add PAT token https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md

Why is this needed:

This project is a collaborative effort between the CNCF and Google's Open Source Security Team to improve security practices across various CNCF projects. The focus is identifying and addressing security vulnerabilities, integrating security tools like OSS-Fuzz, and enhancing build and release security processes. The goal is to get all CNCF projects to use scorecards (focusing on graduated/incubating projects first) and to remediate some of the findings.

Tasks
Beta Give feedback

Scorecards
@ivankatliarchuk ivankatliarchuk added the kind/feature Categorizes issue or PR as related to a new feature. label Aug 14, 2024
@ivankatliarchuk
Copy link
Author

ivankatliarchuk commented Aug 14, 2024
edited
Loading

current result docker run -e GITHUB_AUTH_TOKEN=$TOKEN gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/kubernetes/autoscaler

Aggregate score: 6.7 / 10

Check scores:
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |                                                      DETAILS                                                      |                                               DOCUMENTATION/REMEDIATION                                               |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts       | no binaries found in the repo  | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#binary-artifacts   |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 3 / 10  | Branch-Protection      | branch protection is not       | Info: 'allow deletion' disabled                                                                                   | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#branch-protection      |
|         |                        | maximal on development and all | on branch 'master' Info: 'allow                                                                                   |                                                                                                                       |
|         |                        | release branches               | deletion' disabled on branch                                                                                      |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.30'                                                                                 |                                                                                                                       |
|         |                        |                                | Info: 'allow deletion'                                                                                            |                                                                                                                       |
|         |                        |                                | disabled on branch                                                                                                |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.29'                                                                                 |                                                                                                                       |
|         |                        |                                | Info: 'allow deletion'                                                                                            |                                                                                                                       |
|         |                        |                                | disabled on branch                                                                                                |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.28'                                                                                 |                                                                                                                       |
|         |                        |                                | Info: 'allow deletion'                                                                                            |                                                                                                                       |
|         |                        |                                | disabled on branch                                                                                                |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.27'                                                                                 |                                                                                                                       |
|         |                        |                                | Info: 'allow deletion'                                                                                            |                                                                                                                       |
|         |                        |                                | disabled on branch                                                                                                |                                                                                                                       |
|         |                        |                                | 'addon-resizer-release-1.8'                                                                                       |                                                                                                                       |
|         |                        |                                | Info: 'allow deletion'                                                                                            |                                                                                                                       |
|         |                        |                                | disabled on branch                                                                                                |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.26'                                                                                 |                                                                                                                       |
|         |                        |                                | Info: 'force pushes' disabled                                                                                     |                                                                                                                       |
|         |                        |                                | on branch 'master' Info: 'force                                                                                   |                                                                                                                       |
|         |                        |                                | pushes' disabled on branch                                                                                        |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.30'                                                                                 |                                                                                                                       |
|         |                        |                                | Info: 'force pushes'                                                                                              |                                                                                                                       |
|         |                        |                                | disabled on branch                                                                                                |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.29'                                                                                 |                                                                                                                       |
|         |                        |                                | Info: 'force pushes'                                                                                              |                                                                                                                       |
|         |                        |                                | disabled on branch                                                                                                |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.28'                                                                                 |                                                                                                                       |
|         |                        |                                | Info: 'force pushes'                                                                                              |                                                                                                                       |
|         |                        |                                | disabled on branch                                                                                                |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.27'                                                                                 |                                                                                                                       |
|         |                        |                                | Info: 'force pushes'                                                                                              |                                                                                                                       |
|         |                        |                                | disabled on branch                                                                                                |                                                                                                                       |
|         |                        |                                | 'addon-resizer-release-1.8' Info:                                                                                 |                                                                                                                       |
|         |                        |                                | 'force pushes' disabled on branch                                                                                 |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.26'                                                                                 |                                                                                                                       |
|         |                        |                                | Warn: branch 'master' does not                                                                                    |                                                                                                                       |
|         |                        |                                | require approvers Warn: branch                                                                                    |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.30'                                                                                 |                                                                                                                       |
|         |                        |                                | does not require                                                                                                  |                                                                                                                       |
|         |                        |                                | approvers Warn: branch                                                                                            |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.29'                                                                                 |                                                                                                                       |
|         |                        |                                | does not require                                                                                                  |                                                                                                                       |
|         |                        |                                | approvers Warn: branch                                                                                            |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.28'                                                                                 |                                                                                                                       |
|         |                        |                                | does not require                                                                                                  |                                                                                                                       |
|         |                        |                                | approvers Warn: branch                                                                                            |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.27'                                                                                 |                                                                                                                       |
|         |                        |                                | does not require                                                                                                  |                                                                                                                       |
|         |                        |                                | approvers Warn: branch                                                                                            |                                                                                                                       |
|         |                        |                                | 'addon-resizer-release-1.8'                                                                                       |                                                                                                                       |
|         |                        |                                | does not require                                                                                                  |                                                                                                                       |
|         |                        |                                | approvers Warn: branch                                                                                            |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.26'                                                                                 |                                                                                                                       |
|         |                        |                                | does not require approvers                                                                                        |                                                                                                                       |
|         |                        |                                | Warn: codeowners review is not                                                                                    |                                                                                                                       |
|         |                        |                                | required on branch 'master'                                                                                       |                                                                                                                       |
|         |                        |                                | Warn: codeowners review                                                                                           |                                                                                                                       |
|         |                        |                                | is not required on branch                                                                                         |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.30'                                                                                 |                                                                                                                       |
|         |                        |                                | Warn: codeowners review                                                                                           |                                                                                                                       |
|         |                        |                                | is not required on branch                                                                                         |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.29'                                                                                 |                                                                                                                       |
|         |                        |                                | Warn: codeowners review                                                                                           |                                                                                                                       |
|         |                        |                                | is not required on branch                                                                                         |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.28'                                                                                 |                                                                                                                       |
|         |                        |                                | Warn: codeowners review                                                                                           |                                                                                                                       |
|         |                        |                                | is not required on branch                                                                                         |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.27'                                                                                 |                                                                                                                       |
|         |                        |                                | Warn: codeowners review                                                                                           |                                                                                                                       |
|         |                        |                                | is not required on branch                                                                                         |                                                                                                                       |
|         |                        |                                | 'addon-resizer-release-1.8'                                                                                       |                                                                                                                       |
|         |                        |                                | Warn: codeowners review                                                                                           |                                                                                                                       |
|         |                        |                                | is not required on branch                                                                                         |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.26'                                                                                 |                                                                                                                       |
|         |                        |                                | Info: status check found                                                                                          |                                                                                                                       |
|         |                        |                                | to merge onto on branch                                                                                           |                                                                                                                       |
|         |                        |                                | 'master' Info: status check                                                                                       |                                                                                                                       |
|         |                        |                                | found to merge onto on branch                                                                                     |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.30'                                                                                 |                                                                                                                       |
|         |                        |                                | Info: status check found                                                                                          |                                                                                                                       |
|         |                        |                                | to merge onto on branch                                                                                           |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.29'                                                                                 |                                                                                                                       |
|         |                        |                                | Info: status check found                                                                                          |                                                                                                                       |
|         |                        |                                | to merge onto on branch                                                                                           |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.28'                                                                                 |                                                                                                                       |
|         |                        |                                | Info: status check found                                                                                          |                                                                                                                       |
|         |                        |                                | to merge onto on branch                                                                                           |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.27'                                                                                 |                                                                                                                       |
|         |                        |                                | Info: status check found                                                                                          |                                                                                                                       |
|         |                        |                                | to merge onto on branch                                                                                           |                                                                                                                       |
|         |                        |                                | 'addon-resizer-release-1.8'                                                                                       |                                                                                                                       |
|         |                        |                                | Info: status check found                                                                                          |                                                                                                                       |
|         |                        |                                | to merge onto on branch                                                                                           |                                                                                                                       |
|         |                        |                                | 'cluster-autoscaler-release-1.26'                                                                                 |                                                                                                                       |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | CI-Tests               | 10 out of 10 merged PRs        | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#ci-tests           |
|         |                        | checked by a CI test -- score  |                                                                                                                   |
|         |                        | normalized to 10               |                                                                                                                   |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | CII-Best-Practices     | no effort to earn an OpenSSF   | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#cii-best-practices |
|         |                        | best practices badge detected  |                                                                                                                   |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Code-Review            | all changesets reviewed        | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#code-review        |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors           | project has 24 contributing    | Info: cloudfoundry-incubator                                                                                      | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#contributors           |
|         |                        | companies or organizations     | contributor org/company                                                                                           |                                                                                                                       |
|         |                        |                                | found, made-in-mim contributor                                                                                    |                                                                                                                       |
|         |                        |                                | org/company found, cohere-ai                                                                                      |                                                                                                                       |
|         |                        |                                | contributor org/company                                                                                           |                                                                                                                       |
|         |                        |                                | found, shouting at cloud                                                                                          |                                                                                                                       |
|         |                        |                                | contributor org/company                                                                                           |                                                                                                                       |
|         |                        |                                | found, kubernetes contributor                                                                                     |                                                                                                                       |
|         |                        |                                | org/company found, trinodb                                                                                        |                                                                                                                       |
|         |                        |                                | contributor org/company found,                                                                                    |                                                                                                                       |
|         |                        |                                | kubernetes @microsoft @azure                                                                                      |                                                                                                                       |
|         |                        |                                | contributor org/company found,                                                                                    |                                                                                                                       |
|         |                        |                                | sap-cloudfoundry contributor                                                                                      |                                                                                                                       |
|         |                        |                                | org/company found, gardener                                                                                       |                                                                                                                       |
|         |                        |                                | contributor org/company                                                                                           |                                                                                                                       |
|         |                        |                                | found, skyscanner contributor                                                                                     |                                                                                                                       |
|         |                        |                                | org/company found, red hat                                                                                        |                                                                                                                       |
|         |                        |                                | contributor org/company found,                                                                                    |                                                                                                                       |
|         |                        |                                | heni-project contributor                                                                                          |                                                                                                                       |
|         |                        |                                | org/company found, google                                                                                         |                                                                                                                       |
|         |                        |                                | contributor org/company found,                                                                                    |                                                                                                                       |
|         |                        |                                | starburstdata contributor                                                                                         |                                                                                                                       |
|         |                        |                                | org/company found, Azure                                                                                          |                                                                                                                       |
|         |                        |                                | contributor org/company                                                                                           |                                                                                                                       |
|         |                        |                                | found, sap contributor                                                                                            |                                                                                                                       |
|         |                        |                                | org/company found, Skyscanner                                                                                     |                                                                                                                       |
|         |                        |                                | contributor org/company                                                                                           |                                                                                                                       |
|         |                        |                                | found, GoogleCloudPlatform                                                                                        |                                                                                                                       |
|         |                        |                                | contributor org/company                                                                                           |                                                                                                                       |
|         |                        |                                | found, kubernetes-sigs                                                                                            |                                                                                                                       |
|         |                        |                                | contributor org/company found,                                                                                    |                                                                                                                       |
|         |                        |                                | SAP contributor org/company                                                                                       |                                                                                                                       |
|         |                        |                                | found, DataDog contributor                                                                                        |                                                                                                                       |
|         |                        |                                | org/company found, googlers                                                                                       |                                                                                                                       |
|         |                        |                                | contributor org/company                                                                                           |                                                                                                                       |
|         |                        |                                | found, microsoft contributor                                                                                      |                                                                                                                       |
|         |                        |                                | org/company found, datadog                                                                                        |                                                                                                                       |
|         |                        |                                | contributor org/company found,                                                                                    |                                                                                                                       |
|         |                        |                                |                                                                                                                   |                                                                                                                       |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#dangerous-workflow |
|         |                        | detected                       |                                                                                                                   |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected           | Info: detected update                                                                                             | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#dependency-update-tool |
|         |                        |                                | tool: Dependabot:                                                                                                 |                                                                                                                       |
|         |                        |                                | .github/dependabot.yml:1                                                                                          |                                                                                                                       |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Fuzzing                | project is not fuzzed          | Warn: no fuzzer integrations                                                                                      | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#fuzzing                |
|         |                        |                                | found                                                                                                             |                                                                                                                       |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License                | license file detected          | Info: project has a license                                                                                       | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#license                |
|         |                        |                                | file: LICENSE:0 Info: FSF or                                                                                      |                                                                                                                       |
|         |                        |                                | OSI recognized license: Apache                                                                                    |                                                                                                                       |
|         |                        |                                | License 2.0: LICENSE:0                                                                                            |                                                                                                                       |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained             | 30 commit(s) and 2 issue       | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#maintained         |
|         |                        | activity found in the last 90  |                                                                                                                   |
|         |                        | days -- score normalized to 10 |                                                                                                                   |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Packaging              | packaging workflow not         | Warn: no GitHub/GitLab                                                                                            | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#packaging              |
|         |                        | detected                       | publishing workflow detected.                                                                                     |                                                                                                                       |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Pinned-Dependencies    | dependency not pinned by hash  | Info: Possibly incomplete results: error parsing shell code: > must be followed by                                | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#pinned-dependencies    |
|         |                        | detected -- score normalized   | a word: cluster-autoscaler/cloudprovider/hetzner/examples/cloud-init.txt:0 Info:                                  |                                                                                                                       |
|         |                        | to 0                           | Possibly incomplete results: error parsing shell code: > must be followed by a word:                              |                                                                                                                       |
|         |                        |                                | cluster-autoscaler/cloudprovider/kamatera/examples/server-init-kubeadm.sh.txt:0 Warn: GitHub-owned                |                                                                                                                       |
|         |                        |                                | GitHubAction not pinned by hash: .github/workflows/ci.yaml:18: update your workflow using                         |                                                                                                                       |
|         |                        |                                | https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/ci.yaml/master?enable=pin Warn:                  |                                                                                                                       |
|         |                        |                                | GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:22: update your workflow                  |                                                                                                                       |
|         |                        |                                | using https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/ci.yaml/master?enable=pin                  |                                                                                                                       |
|         |                        |                                | Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr.yaml:14: update your workflow            |                                                                                                                       |
|         |                        |                                | using https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/pr.yaml/master?enable=pin                  |                                                                                                                       |
|         |                        |                                | Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr.yaml:16: update your workflow             |                                                                                                                       |
|         |                        |                                | using https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/pr.yaml/master?enable=pin                  |                                                                                                                       |
|         |                        |                                | Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr.yaml:31: update your workflow            |                                                                                                                       |
|         |                        |                                | using https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/pr.yaml/master?enable=pin                  |                                                                                                                       |
|         |                        |                                | Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr.yaml:35: update your workflow             |                                                                                                                       |
|         |                        |                                | using https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/pr.yaml/master?enable=pin                  |                                                                                                                       |
|         |                        |                                | Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr.yaml:48: update your workflow             |                                                                                                                       |
|         |                        |                                | using https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/pr.yaml/master?enable=pin                  |                                                                                                                       |
|         |                        |                                | Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr.yaml:60: update your workflow            |                                                                                                                       |
|         |                        |                                | using https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/pr.yaml/master?enable=pin                  |                                                                                                                       |
|         |                        |                                | Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr.yaml:62: update your workflow             |                                                                                                                       |
|         |                        |                                | using https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/pr.yaml/master?enable=pin Warn:            |                                                                                                                       |
|         |                        |                                | GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yaml:11: update your workflow             |                                                                                                                       |
|         |                        |                                | using https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/release.yaml/master?enable=pin             |                                                                                                                       |
|         |                        |                                | Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:21: update your workflow        |                                                                                                                       |
|         |                        |                                | using https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/release.yaml/master?enable=pin             |                                                                                                                       |
|         |                        |                                | Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:29: update your workflow        |                                                                                                                       |
|         |                        |                                | using https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/release.yaml/master?enable=pin             |                                                                                                                       |
|         |                        |                                | Warn: containerImage not pinned by hash: addon-resizer/Dockerfile:15 Warn: containerImage not pinned              |                                                                                                                       |
|         |                        |                                | by hash: balancer/Dockerfile:1: pin your Docker image by updating gcr.io/distroless/static:latest to              |                                                                                                                       |
|         |                        |                                | gcr.io/distroless/static:latest@sha256:ce46866b3a5170db3b49364900fb3168dc0833dfb46c26da5c77f22abb01d8c3           |                                                                                                                       |
|         |                        |                                | Warn: containerImage not pinned by hash: builder/Dockerfile:15: pin your Docker image by updating                 |                                                                                                                       |
|         |                        |                                | golang:1.22.2 to golang:1.22.2@sha256:d5302d40dc5fbbf38ec472d1848a9d2391a13f93293a6a5b0b87c99dc0eaa6ae            |                                                                                                                       |
|         |                        |                                | Warn: containerImage not pinned by hash: cluster-autoscaler/Dockerfile.amd64:15 Warn:                             |                                                                                                                       |
|         |                        |                                | containerImage not pinned by hash: cluster-autoscaler/Dockerfile.arm64:15 Warn: containerImage                    |                                                                                                                       |
|         |                        |                                | not pinned by hash: cluster-autoscaler/Dockerfile.s390x:15 Warn: containerImage not pinned by                     |                                                                                                                       |
|         |                        |                                | hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.golang-tip:4:                 |                                                                                                                       |
|         |                        |                                | pin your Docker image by updating buildpack-deps:buster-scm to                                                    |                                                                                                                       |
|         |                        |                                | buildpack-deps:buster-scm@sha256:17f1d5354613314ba0e249292483a3a3f13434bee5dea58a61e338e11f4bcacc                 |                                                                                                                       |
|         |                        |                                | Warn: containerImage not pinned by hash:                                                                          |                                                                                                                       |
|         |                        |                                | cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.10:1:                      |                                                                                                                       |
|         |                        |                                | pin your Docker image by updating golang:1.10 to                                                                  |                                                                                                                       |
|         |                        |                                | golang:1.10@sha256:6d5e79878a3e4f1b30b7aa4d24fb6ee6184e905a9b172fc72593935633be4c46 Warn: containerImage not      |                                                                                                                       |
|         |                        |                                | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.11:1:      |                                                                                                                       |
|         |                        |                                | pin your Docker image by updating golang:1.11 to                                                                  |                                                                                                                       |
|         |                        |                                | golang:1.11@sha256:e972c78795b22d5cfab02ac410aa2305fcc036319a7af51065d1af583cd3ec04 Warn: containerImage not      |                                                                                                                       |
|         |                        |                                | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.12:1:      |                                                                                                                       |
|         |                        |                                | pin your Docker image by updating golang:1.12 to                                                                  |                                                                                                                       |
|         |                        |                                | golang:1.12@sha256:d0e79a9c39cdb3d71cc45fec929d1308d50420b79201467ec602b1b80cc314a8 Warn: containerImage not      |                                                                                                                       |
|         |                        |                                | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.13:1:      |                                                                                                                       |
|         |                        |                                | pin your Docker image by updating golang:1.13 to                                                                  |                                                                                                                       |
|         |                        |                                | golang:1.13@sha256:8ebb6d5a48deef738381b56b1d4cd33d99a5d608e0d03c5fe8dfa3f68d41a1f8 Warn: containerImage not      |                                                                                                                       |
|         |                        |                                | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.14:1:      |                                                                                                                       |
|         |                        |                                | pin your Docker image by updating golang:1.14 to                                                                  |                                                                                                                       |
|         |                        |                                | golang:1.14@sha256:1a7173b5b9a3af3e29a5837e0b2027e1c438fd1b83bbee8f221355087ad416d6 Warn: containerImage not      |                                                                                                                       |
|         |                        |                                | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.15:1:      |                                                                                                                       |
|         |                        |                                | pin your Docker image by updating golang:1.15 to                                                                  |                                                                                                                       |
|         |                        |                                | golang:1.15@sha256:ea080cc817b02a946461d42c02891bf750e3916c52f7ea8187bccde8f312b59f Warn: containerImage not      |                                                                                                                       |
|         |                        |                                | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.16:1:      |                                                                                                                       |
|         |                        |                                | pin your Docker image by updating golang:1.16 to                                                                  |                                                                                                                       |
|         |                        |                                | golang:1.16@sha256:5f6a4662de3efc6d6bb812d02e9de3d8698eea16b8eb7281f03e6f3e8383018e Warn: containerImage not      |                                                                                                                       |
|         |                        |                                | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.17:1:      |                                                                                                                       |
|         |                        |                                | pin your Docker image by updating golang:1.17 to                                                                  |                                                                                                                       |
|         |                        |                                | golang:1.17@sha256:87262e4a4c7db56158a80a18fefdc4fee5accc41b59cde821e691d05541bbb18 Warn: containerImage not      |                                                                                                                       |
|         |                        |                                | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.18:1:      |                                                                                                                       |
|         |                        |                                | pin your Docker image by updating golang:1.18 to                                                                  |                                                                                                                       |
|         |                        |                                | golang:1.18@sha256:50c889275d26f816b5314fc99f55425fa76b18fcaf16af255f5d57f09e1f48da Warn: containerImage not      |                                                                                                                       |
|         |                        |                                | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.19:1:      |                                                                                                                       |
|         |                        |                                | pin your Docker image by updating golang:1.19 to                                                                  |                                                                                                                       |
|         |                        |                                | golang:1.19@sha256:3025bf670b8363ec9f1b4c4f27348e6d9b7fec607c47e401e40df816853e743a Warn: containerImage not      |                                                                                                                       |
|         |                        |                                | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.5:1:       |                                                                                                                       |
|         |                        |                                | pin your Docker image by updating golang:1.5 to                                                                   |                                                                                                                       |
|         |                        |                                | golang:1.5@sha256:3be07b667a868a246b9cee4ddc5ecce2ad1e211958bd6043a25fc1d19d55e6ba Warn: containerImage not       |                                                                                                                       |
|         |                        |                                | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.6:1:       |                                                                                                                       |
|         |                        |                                | pin your Docker image by updating golang:1.6 to                                                                   |                                                                                                                       |
|         |                        |                                | golang:1.6@sha256:29116f0f6cd2ef6a882639ee222ccb6e2f6d88a1d97d461aaf4c4a2622d252a1 Warn: containerImage not       |                                                                                                                       |
|         |                        |                                | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.7:1:       |                                                                                                                       |
|         |                        |                                | pin your Docker image by updating golang:1.7 to                                                                   |                                                                                                                       |
|         |                        |                                | golang:1.7@sha256:93b2b52f1212e97b6650bde1f20f6a359b08c117c57a848970d615fe88623a3d Warn: containerImage not       |                                                                                                                       |
|         |                        |                                | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.8:1:       |                                                                                                                       |
|         |                        |                                | pin your Docker image by updating golang:1.8 to                                                                   |                                                                                                                       |
|         |                        |                                | golang:1.8@sha256:f0b5dab7581eddb49dabd1d1b9aa505ca3edcdf79a66395b5bfa4f3c036b49ef Warn: containerImage not       |                                                                                                                       |
|         |                        |                                | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.9:1:       |                                                                                                                       |
|         |                        |                                | pin your Docker image by updating golang:1.9 to                                                                   |                                                                                                                       |
|         |                        |                                | golang:1.9@sha256:8b5968585131604a92af02f5690713efadf029cc8dad53f79280b87a80eb1354 Warn: containerImage not       |                                                                                                                       |
|         |                        |                                | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.gotip:1        |                                                                                                                       |
|         |                        |                                | Warn: containerImage not pinned by hash:                                                                          |                                                                                                                       |
|         |                        |                                | cluster-autoscaler/cloudprovider/bizflycloud/gobizfly/Dockerfile:3 Warn: containerImage not pinned by hash:       |                                                                                                                       |
|         |                        |                                | cluster-autoscaler/cloudprovider/bizflycloud/gobizfly/Dockerfile:20 Warn: containerImage not pinned by hash:      |                                                                                                                       |
|         |                        |                                | cluster-autoscaler/cloudprovider/externalgrpc/examples/external-grpc-cloud-provider-service/Dockerfile.amd64:15   |                                                                                                                       |
|         |                        |                                | Warn: containerImage not pinned by hash:                                                                          |                                                                                                                       |
|         |                        |                                | cluster-autoscaler/cloudprovider/externalgrpc/examples/external-grpc-cloud-provider-service/Dockerfile.arm64:15   |                                                                                                                       |
|         |                        |                                | Warn: containerImage not pinned by hash: vertical-pod-autoscaler/hack/e2e/Dockerfile.externalmetrics-writer:15:   |                                                                                                                       |
|         |                        |                                | pin your Docker image by updating python:3.10-slim to                                                             |                                                                                                                       |
|         |                        |                                | python:3.10-slim@sha256:8666a639a54acc810408e505e2c6b46b50834385701675ee177f578b3d2fdef9 Warn:                    |                                                                                                                       |
|         |                        |                                | containerImage not pinned by hash: vertical-pod-autoscaler/pkg/admission-controller/Dockerfile:15 Warn:           |                                                                                                                       |
|         |                        |                                | containerImage not pinned by hash: vertical-pod-autoscaler/pkg/admission-controller/Dockerfile:27:                |                                                                                                                       |
|         |                        |                                | pin your Docker image by updating gcr.io/distroless/static:latest to                                              |                                                                                                                       |
|         |                        |                                | gcr.io/distroless/static:latest@sha256:ce46866b3a5170db3b49364900fb3168dc0833dfb46c26da5c77f22abb01d8c3           |                                                                                                                       |
|         |                        |                                | Warn: containerImage not pinned by hash: vertical-pod-autoscaler/pkg/recommender/Dockerfile:15                    |                                                                                                                       |
|         |                        |                                | Warn: containerImage not pinned by hash: vertical-pod-autoscaler/pkg/recommender/Dockerfile:27:                   |                                                                                                                       |
|         |                        |                                | pin your Docker image by updating gcr.io/distroless/static:latest to                                              |                                                                                                                       |
|         |                        |                                | gcr.io/distroless/static:latest@sha256:ce46866b3a5170db3b49364900fb3168dc0833dfb46c26da5c77f22abb01d8c3           |                                                                                                                       |
|         |                        |                                | Warn: containerImage not pinned by hash: vertical-pod-autoscaler/pkg/updater/Dockerfile:15                        |                                                                                                                       |
|         |                        |                                | Warn: containerImage not pinned by hash: vertical-pod-autoscaler/pkg/updater/Dockerfile:27:                       |                                                                                                                       |
|         |                        |                                | pin your Docker image by updating gcr.io/distroless/static:latest to                                              |                                                                                                                       |
|         |                        |                                | gcr.io/distroless/static:latest@sha256:ce46866b3a5170db3b49364900fb3168dc0833dfb46c26da5c77f22abb01d8c3           |                                                                                                                       |
|         |                        |                                | Warn: goCommand not pinned by hash: builder/Dockerfile:24 Warn: pipCommand not pinned by hash:                    |                                                                                                                       |
|         |                        |                                | vertical-pod-autoscaler/hack/e2e/Dockerfile.externalmetrics-writer:16 Warn: goCommand not pinned by hash:         |                                                                                                                       |
|         |                        |                                | addon-resizer/vendor/github.com/googleapis/gnostic/extensions/COMPILE-EXTENSION.sh:1 Warn: goCommand not          |                                                                                                                       |
|         |                        |                                | pinned by hash: addon-resizer/vendor/github.com/json-iterator/go/build.sh:10 Warn: goCommand not pinned by        |                                                                                                                       |
|         |                        |                                | hash: hack/install-verify-tools.sh:23 Warn: goCommand not pinned by hash: hack/install-verify-tools.sh:25         |                                                                                                                       |
|         |                        |                                | Warn: goCommand not pinned by hash: hack/install-verify-tools.sh:27 Warn: goCommand not pinned by hash:           |                                                                                                                       |
|         |                        |                                | vertical-pod-autoscaler/e2e/vendor/github.com/json-iterator/go/build.sh:10 Warn: goCommand not pinned by          |                                                                                                                       |
|         |                        |                                | hash: vertical-pod-autoscaler/e2e/vendor/google.golang.org/grpc/regenerate.sh:35 Warn: goCommand not pinned       |                                                                                                                       |
|         |                        |                                | by hash: vertical-pod-autoscaler/e2e/vendor/google.golang.org/grpc/vet.sh:37 Warn: goCommand not pinned by        |                                                                                                                       |
|         |                        |                                | hash: vertical-pod-autoscaler/vendor/github.com/json-iterator/go/build.sh:10 Info:   0 out of   6 GitHub-owned    |                                                                                                                       |
|         |                        |                                | GitHubAction dependencies pinned Info:   0 out of   6 third-party GitHubAction dependencies pinned Info:   0      |                                                                                                                       |
|         |                        |                                | out of  34 containerImage dependencies pinned Info:   5 out of  15 goCommand dependencies pinned Info:   0 out    |                                                                                                                       |
|         |                        |                                | of   1 pipCommand dependencies pinned                                                                             |                                                                                                                       |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | SAST                   | SAST tool is not run on all    | Warn: 0 commits out of 30 are                                                                                     | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#sast                   |
|         |                        | commits -- score normalized to | checked with a SAST tool                                                                                          |                                                                                                                       |
|         |                        | 0                              |                                                                                                                   |                                                                                                                       |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Security-Policy        | security policy file detected  | Info: security policy file detected:                                                                              | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#security-policy        |
|         |                        |                                | github.com/kubernetes/.github/SECURITY.md:1                                                                       |                                                                                                                       |
|         |                        |                                | Info: Found linked content:                                                                                       |                                                                                                                       |
|         |                        |                                | github.com/kubernetes/.github/SECURITY.md:1                                                                       |                                                                                                                       |
|         |                        |                                | Info: Found disclosure, vulnerability,                                                                            |                                                                                                                       |
|         |                        |                                | and/or timelines in security policy:                                                                              |                                                                                                                       |
|         |                        |                                | github.com/kubernetes/.github/SECURITY.md:1                                                                       |                                                                                                                       |
|         |                        |                                | Info: Found text in security policy:                                                                              |                                                                                                                       |
|         |                        |                                | github.com/kubernetes/.github/SECURITY.md:1                                                                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Signed-Releases        | no releases found              | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#signed-releases    |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Token-Permissions      | GitHub workflow tokens follow  | Info: jobLevel 'contents'                                                                                         | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#token-permissions      |
|         |                        | principle of least privilege   | permission set to 'read':                                                                                         |                                                                                                                       |
|         |                        |                                | .github/workflows/pr.yaml:7                                                                                       |                                                                                                                       |
|         |                        |                                | Info: jobLevel 'pull-requests'                                                                                    |                                                                                                                       |
|         |                        |                                | permission set to 'read':                                                                                         |                                                                                                                       |
|         |                        |                                | .github/workflows/pr.yaml:8                                                                                       |                                                                                                                       |
|         |                        |                                | Warn: jobLevel 'contents'                                                                                         |                                                                                                                       |
|         |                        |                                | permission set to 'write':                                                                                        |                                                                                                                       |
|         |                        |                                | .github/workflows/release.yaml:7                                                                                  |                                                                                                                       |
|         |                        |                                | Info: topLevel 'contents'                                                                                         |                                                                                                                       |
|         |                        |                                | permission set to 'read':                                                                                         |                                                                                                                       |
|         |                        |                                | .github/workflows/ci.yaml:11                                                                                      |                                                                                                                       |
|         |                        |                                | Info: topLevel 'contents'                                                                                         |                                                                                                                       |
|         |                        |                                | permission set to 'read':                                                                                         |                                                                                                                       |
|         |                        |                                | .github/workflows/pr.yaml:2                                                                                       |                                                                                                                       |
|         |                        |                                | Info: topLevel 'contents'                                                                                         |                                                                                                                       |
|         |                        |                                | permission set to 'read':                                                                                         |                                                                                                                       |
|         |                        |                                | .github/workflows/release.yaml:2                                                                                  |                                                                                                                       |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Vulnerabilities        | 22 existing vulnerabilities    | Warn: Project is vulnerable                                                                                       | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#vulnerabilities        |
|         |                        | detected                       | to: GHSA-69cg-p879-7622                                                                                           |                                                                                                                       |
|         |                        |                                | / GO-2022-0969 Warn:                                                                                              |                                                                                                                       |
|         |                        |                                | Project is vulnerable                                                                                             |                                                                                                                       |
|         |                        |                                | to: GHSA-fxg5-wq6x-vr4w                                                                                           |                                                                                                                       |
|         |                        |                                | / GO-2023-1495 Warn:                                                                                              |                                                                                                                       |
|         |                        |                                | Project is vulnerable                                                                                             |                                                                                                                       |
|         |                        |                                | to: GHSA-xrjj-mj9h-534m                                                                                           |                                                                                                                       |
|         |                        |                                | / GO-2022-1144 Warn:                                                                                              |                                                                                                                       |
|         |                        |                                | Project is vulnerable                                                                                             |                                                                                                                       |
|         |                        |                                | to: GHSA-vvpx-j8f3-3w6h                                                                                           |                                                                                                                       |
|         |                        |                                | / GO-2023-1571 Warn:                                                                                              |                                                                                                                       |
|         |                        |                                | Project is vulnerable                                                                                             |                                                                                                                       |
|         |                        |                                | to: GHSA-2wrh-6pvc-2jm9                                                                                           |                                                                                                                       |
|         |                        |                                | / GO-2023-1988 Warn:                                                                                              |                                                                                                                       |
|         |                        |                                | Project is vulnerable                                                                                             |                                                                                                                       |
|         |                        |                                | to: GHSA-4374-p667-p6c8                                                                                           |                                                                                                                       |
|         |                        |                                | / GO-2023-2102 Warn:                                                                                              |                                                                                                                       |
|         |                        |                                | Project is vulnerable to:                                                                                         |                                                                                                                       |
|         |                        |                                | GHSA-qppj-fm5r-hxr3 Warn:                                                                                         |                                                                                                                       |
|         |                        |                                | Project is vulnerable                                                                                             |                                                                                                                       |
|         |                        |                                | to: GHSA-4v7x-pqxf-cx7m                                                                                           |                                                                                                                       |
|         |                        |                                | / GO-2024-2687 Warn:                                                                                              |                                                                                                                       |
|         |                        |                                | Project is vulnerable                                                                                             |                                                                                                                       |
|         |                        |                                | to: GHSA-69ch-w2m2-3vjp                                                                                           |                                                                                                                       |
|         |                        |                                | / GO-2022-1059 Warn:                                                                                              |                                                                                                                       |
|         |                        |                                | Project is vulnerable                                                                                             |                                                                                                                       |
|         |                        |                                | to: GHSA-8r3f-844c-mc37                                                                                           |                                                                                                                       |
|         |                        |                                | / GO-2024-2611 Warn:                                                                                              |                                                                                                                       |
|         |                        |                                | Project is vulnerable                                                                                             |                                                                                                                       |
|         |                        |                                | to: GHSA-v23v-6jw2-98fq                                                                                           |                                                                                                                       |
|         |                        |                                | / GO-2024-3005 Warn:                                                                                              |                                                                                                                       |
|         |                        |                                | Project is vulnerable                                                                                             |                                                                                                                       |
|         |                        |                                | to: GHSA-m5vv-6r4h-3vj9 /                                                                                         |                                                                                                                       |
|         |                        |                                | GO-2024-2918 Warn: Project is                                                                                     |                                                                                                                       |
|         |                        |                                | vulnerable to: GO-2022-0646                                                                                       |                                                                                                                       |
|         |                        |                                | Warn: Project is vulnerable                                                                                       |                                                                                                                       |
|         |                        |                                | to: GHSA-rcjv-mgp8-qvmr                                                                                           |                                                                                                                       |
|         |                        |                                | / GO-2023-2113 Warn:                                                                                              |                                                                                                                       |
|         |                        |                                | Project is vulnerable                                                                                             |                                                                                                                       |
|         |                        |                                | to: GHSA-6xv5-86q9-7xr8                                                                                           |                                                                                                                       |
|         |                        |                                | / GO-2023-2048 Warn:                                                                                              |                                                                                                                       |
|         |                        |                                | Project is vulnerable                                                                                             |                                                                                                                       |
|         |                        |                                | to: GHSA-xr7r-f8xq-vfvv                                                                                           |                                                                                                                       |
|         |                        |                                | / GO-2024-2491 Warn:                                                                                              |                                                                                                                       |
|         |                        |                                | Project is vulnerable                                                                                             |                                                                                                                       |
|         |                        |                                | to: GHSA-8pgv-569h-w5rw                                                                                           |                                                                                                                       |
|         |                        |                                | / GO-2023-2331 Warn:                                                                                              |                                                                                                                       |
|         |                        |                                | Project is vulnerable                                                                                             |                                                                                                                       |
|         |                        |                                | to: GHSA-45x7-px36-x8w8                                                                                           |                                                                                                                       |
|         |                        |                                | / GO-2023-2402 Warn:                                                                                              |                                                                                                                       |
|         |                        |                                | Project is vulnerable                                                                                             |                                                                                                                       |
|         |                        |                                | to: GHSA-m425-mq94-257g                                                                                           |                                                                                                                       |
|         |                        |                                | / GO-2023-2153 Warn:                                                                                              |                                                                                                                       |
|         |                        |                                | Project is vulnerable to:                                                                                         |                                                                                                                       |
|         |                        |                                | GHSA-hq6q-c2x6-hmch Warn:                                                                                         |                                                                                                                       |
|         |                        |                                | Project is vulnerable                                                                                             |                                                                                                                       |
|         |                        |                                | to: GHSA-pxhw-596r-rwq5                                                                                           |                                                                                                                       |
|         |                        |                                | / GO-2024-2746 Warn:                                                                                              |                                                                                                                       |
|         |                        |                                | Project is vulnerable                                                                                             |                                                                                                                       |
|         |                        |                                | to: GHSA-82m2-cv7p-4m75 /                                                                                         |                                                                                                                       |
|         |                        |                                | GO-2024-2994                                                                                                      |                                                                                                                       |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|

@ivankatliarchuk ivankatliarchuk linked a pull request Aug 14, 2024 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature Categorizes issue or PR as related to a new feature.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore(github-actions): added badge and scorecard ivankatliarchuk/autoscaler-fork
1 participant
@ivankatliarchuk