Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OpenSSF Scorecard #178

Open
DerekNonGeneric opened this issue Dec 10, 2022 · 0 comments
Open

OpenSSF Scorecard #178

DerekNonGeneric opened this issue Dec 10, 2022 · 0 comments

Comments

@DerekNonGeneric
Copy link
Member

I mentioned to @yuvilio (via email) that we would be striving towards maxing out OpenSSF Scorecard.

Let's be sure that while resolving #147 (specifically the deps automerge), those principles are respected (inlined for convenience):

Name Description Risk Level Token Required Note
Binary-Artifacts Is the project free of checked-in binaries? High PAT, GITHUB_TOKEN
Branch-Protection Does the project use Branch Protection ? High PAT (repo or repo> public_repo), GITHUB_TOKEN certain settings are only supported with a maintainer PAT
CI-Tests Does the project run tests in CI, e.g. GitHub Actions, Prow? Low PAT, GITHUB_TOKEN
CII-Best-Practices Does the project have an OpenSSF (formerly CII) Best Practices Badge? Low PAT, GITHUB_TOKEN
Code-Review Does the project require code review before code is merged? High PAT, GITHUB_TOKEN
Contributors Does the project have contributors from at least two different organizations? Low PAT, GITHUB_TOKEN
Dangerous-Workflow Does the project avoid dangerous coding patterns in GitHub Action workflows? Critical PAT, GITHUB_TOKEN
Dependency-Update-Tool Does the project use tools to help update its dependencies? High PAT, GITHUB_TOKEN
Fuzzing Does the project use fuzzing tools, e.g. OSS-Fuzz? Medium PAT, GITHUB_TOKEN
License Does the project declare a license? Low PAT, GITHUB_TOKEN
Maintained Is the project at least 90 days old, and maintained? High PAT, GITHUB_TOKEN
Pinned-Dependencies Does the project declare and pin dependencies? Medium PAT, GITHUB_TOKEN
Packaging Does the project build and publish official packages from CI/CD, e.g. GitHub Publishing ? Medium PAT, GITHUB_TOKEN
SAST Does the project use static code analysis tools, e.g. CodeQL, LGTM (deprecated), SonarCloud? Medium PAT, GITHUB_TOKEN
Security-Policy Does the project contain a security policy? Medium PAT, GITHUB_TOKEN
Signed-Releases Does the project cryptographically sign releases? High PAT, GITHUB_TOKEN
Token-Permissions Does the project declare GitHub workflow tokens as read only? High PAT, GITHUB_TOKEN
Vulnerabilities Does the project have unfixed vulnerabilities? Uses the OSV service. High PAT, GITHUB_TOKEN
Webhooks Does the webhook defined in the repository have a token configured to authenticate the origins of requests? High maintainer PAT (admin: repo_hook or admin> read:repo_hook doc EXPERIMENTAL
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@DerekNonGeneric