Introduce an OpenSSF Scorecard profile #192
base: main
Conversation
- type: artifact_signature
  params:
    tags: [main]
    name: test
I think we can omit the name, and then the ruletype will apply to all artifacts.
# Packaging
- type: codeql_enabled # SAST
  def:
    languages: [go, javascript, typescript]
I /think/ we can omit the languages and rely on CodeQL's autodetection and autobuild (but I will verify this before approving).
    license_filename: LICENSE
    license_type: ""
# Maintained
- type: actions_check_pinned_tags # Pinned-Dependencies for Actions
Needs a def.
- type: security_policy # Security-Policy
  def:
    filename: SECURITY.md
- type: default_workflow_permissions # Token-Permissions
Needs a def.
One of my goals using Minder is to improve my repository's OpenSSF Scorecard score, since Minder can automatically remediate findings. Minder does not yet have rules to evaluate the full scope of the OpenSSF Scorecard, nor remediate it, but it will still help detect and improve findings.
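As an added example (not Minder's code and not part of this PR), here is a small Python linter that applies the two points raised in the review comments above to a profile before it is submitted: every rule entry needs a `def`, and a `params.name` on `artifact_signature` narrows the rule to a single artifact. The sample profile is transcribed from the fragments shown on this page. Two things are assumed: the rule type that owns `license_filename`/`license_type` is not visible in the fragment and is taken to be `license` here, and the `artifact_signature` fragment is cut off before any def is visible, so the linter flags it as well. The YAML parser covers only the subset those fragments use (lists of mappings, nested mappings, inline lists, quoted scalars, comments) so the script runs without PyYAML.

```python
"""Added example: lint a Minder-style profile for the review points on this PR.
Not Minder's code. Assumes (as the reviewers' comments do) that every rule
entry needs a `def`, and treats `params.name` on artifact_signature as
narrowing the rule to one artifact."""

# Constructed sample, transcribed from the review fragments on this page.
# The `license` rule type is an assumption: the fragment only shows its def.
# The artifact_signature fragment is cut off after `name: test`, so no def
# is visible for it here.
SAMPLE_PROFILE = """\
- type: artifact_signature
  params:
    tags: [main]
    name: test
# Packaging
- type: codeql_enabled # SAST
  def:
    languages: [go, javascript, typescript]
- type: license
  def:
    license_filename: LICENSE
    license_type: ""
# Maintained
- type: actions_check_pinned_tags # Pinned-Dependencies for Actions
- type: security_policy # Security-Policy
  def:
    filename: SECURITY.md
- type: default_workflow_permissions # Token-Permissions
"""


def _scalar(text):
    """Turn a scalar token into a Python value: inline [a, b] lists become
    lists, quoted strings lose their quotes, anything else stays a string."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        inner = text[1:-1].strip()
        return [item.strip() for item in inner.split(",")] if inner else []
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "\"'":
        return text[1:-1]
    return text


def _parse_nodes(lines, i, indent):
    """Parse the sibling nodes starting at lines[i] that sit at `indent`.
    lines is a list of (indent, stripped_text). Returns (value, next_index)."""
    if lines[i][1].startswith("- "):
        items = []
        while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
            # "- key: value" opens a mapping whose keys sit two columns further in
            lines[i] = (indent + 2, lines[i][1][2:])
            item, i = _parse_nodes(lines, i, indent + 2)
            items.append(item)
        return items, i
    mapping = {}
    while i < len(lines) and lines[i][0] == indent and not lines[i][1].startswith("- "):
        key, _, rest = lines[i][1].partition(":")
        i += 1
        if rest.strip():
            mapping[key.strip()] = _scalar(rest)
        elif i < len(lines) and lines[i][0] > indent:
            mapping[key.strip()], i = _parse_nodes(lines, i, lines[i][0])
        else:
            mapping[key.strip()] = None
    return mapping, i


def load_profile_rules(text):
    """Parse the YAML subset used above into a list of rule dicts."""
    lines = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if body.strip():
            lines.append((len(body) - len(body.lstrip(" ")), body.strip()))
    rules, _ = _parse_nodes(lines, 0, lines[0][0])
    return rules


def lint_rules(rules):
    """Return (rule_type, message) findings mirroring the review comments."""
    findings = []
    for rule in rules:
        rtype = rule.get("type") or "<no type>"
        if "def" not in rule:
            findings.append((rtype, "needs a def"))
        if rtype == "artifact_signature" and "name" in (rule.get("params") or {}):
            findings.append((rtype, "params.name restricts the rule to one artifact; omit it to cover all"))
    return findings


def lint_profile(text):
    """Parse a profile and lint it in one step."""
    return lint_rules(load_profile_rules(text))


if __name__ == "__main__":
    for rtype, message in lint_profile(SAMPLE_PROFILE):
        print(f"{rtype}: {message}")
```

Run as a script it prints one line per finding; drop a rule's `def` or add a `params.name` to the sample to see the corresponding finding appear. The parser deliberately rejects nothing it does not understand, so keep it to profiles shaped like the fragments above rather than arbitrary YAML.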