
Create GitHub action for ossf_scorecard.yml #739

Open
wants to merge 1 commit into base: master

Conversation

moshekaplan
Contributor

Create GitHub action job to generate an OpenSSF Scorecard

To quote https://github.com/ossf/scorecard#what-is-scorecard :

"We created Scorecard to help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe."

Once merged, the scorecard will be viewable here:
https://securityscorecards.dev/viewer/?uri=github.com/net-snmp/net-snmp

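For readers who have not set up Scorecard before, here is an illustrative workflow of the kind the PR title describes. It is an added example and not the `ossf_scorecard.yml` from this PR (that file is not shown on this page); it follows the publicly documented usage of `ossf/scorecard-action`. The action version tags, the cron expression and the commit-SHA placeholder are assumptions.

```yaml
# .github/workflows/ossf_scorecard.yml  (illustrative example, not this PR's file)
name: OpenSSF Scorecard

on:
  # Re-run when branch protection settings change, on a schedule,
  # and on pushes to the default branch (net-snmp uses 'master').
  branch_protection_rule:
  schedule:
    - cron: '30 3 * * 1'   # assumed: weekly, Monday 03:30 UTC
  push:
    branches: [ "master" ]

# Default every job to read-only; grant write scopes only where needed.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # upload SARIF results to code scanning
      id-token: write          # OIDC token required for publish_results

    steps:
      # Version tags are used below for readability. Scorecard's own
      # Pinned-Dependencies check (0/10 in the results posted further down)
      # expects actions pinned to a full commit SHA, e.g.
      #   uses: actions/checkout@<40-hex-commit-sha>  # v4.x.y
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false   # keep the token out of .git/config

      - name: Run analysis
        uses: ossf/scorecard-action@v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
          # publish_results is what makes the public viewer link work:
          # https://securityscorecards.dev/viewer/?uri=github.com/net-snmp/net-snmp
          publish_results: true

      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Two points worth checking when reviewing such a workflow: `publish_results: true` only takes effect for runs on the repository's default branch with `id-token: write` granted, and the top-level `permissions: read-all` is what keeps every other job in the file from inheriting write scopes.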
@moshekaplan
Contributor Author


RESULTS
-------
Aggregate score: 5.5 / 10

Check scores:
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |                                                                               DETAILS                                                                                |                                               DOCUMENTATION/REMEDIATION                                               |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts       | no binaries found in the repo  |                                                                                                                                                                      | https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#binary-artifacts       |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Branch-Protection      | branch protection not enabled  | Warn: branch protection not                                                                                                                                          | https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#branch-protection      |
|         |                        | on development/release         | enabled for branch 'master'                                                                                                                                          |                                                                                                                       |
|         |                        | branches                       |                                                                                                                                                                      |                                                                                                                       |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10  | CI-Tests               | 12 out of 13 merged PRs        |                                                                                                                                                                      | https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#ci-tests               |
|         |                        | checked by a CI test -- score  |                                                                                                                                                                      |                                                                                                                       |
|         |                        | normalized to 9                |                                                                                                                                                                      |                                                                                                                       |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | CII-Best-Practices     | no effort to earn an OpenSSF   |                                                                                                                                                                      | https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#cii-best-practices     |
|         |                        | best practices badge detected  |                                                                                                                                                                      |                                                                                                                       |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 4 / 10  | Code-Review            | found 15 unreviewed changesets |                                                                                                                                                                      | https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#code-review            |
|         |                        | out of 28 -- score normalized  |                                                                                                                                                                      |                                                                                                                       |
|         |                        | to 4                           |                                                                                                                                                                      |                                                                                                                       |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors           | 17 different organizations     | Info: contributors work for                                                                                                                                          | https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#contributors           |
|         |                        | found -- score normalized to   | aristanetworks,aws,cmpct,devconfcz,freedict,gentoo,gentoo-haskell,gentoo-perl,graphics32,https://adalogics.com,llvm,net-snmp,openSUSE,pkgcore,redhatofficial,sarphti |                                                                                                                       |
|         |                        | 10                             | nrnu mephi,usc/isi                                                                                                                                                   |                                                                                                                       |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns |                                                                                                                                                                      | https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#dangerous-workflow     |
|         |                        | detected                       |                                                                                                                                                                      |                                                                                                                       |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Dependency-Update-Tool | no update tool detected        | Warn: tool 'RenovateBot' is not used: Follow the instructions from                                                                                                   | https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#dependency-update-tool |
|         |                        |                                | https://docs.renovatebot.com/configuration-options/. (Low effort)                                                                                                    |                                                                                                                       |
|         |                        |                                | Warn: tool 'Dependabot' is not used: Follow the instructions from                                                                                                    |                                                                                                                       |
|         |                        |                                | https://docs.github.com/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.                                                        |                                                                                                                       |
|         |                        |                                | (Low effort) Warn: tool 'PyUp' is not used: Follow the instructions from https://docs.pyup.io/docs.                                                                  |                                                                                                                       |
|         |                        |                                | (Low effort) Warn: tool 'Sonatype Lift' is not used: Follow the instructions from                                                                                    |                                                                                                                       |
|         |                        |                                | https://help.sonatype.com/lift/getting-started. (Low effort)                                                                                                         |                                                                                                                       |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Fuzzing                | project is fuzzed              | Info: CLibFuzzer integration found:                                                                                                                                  | https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#fuzzing                |
|         |                        |                                | testing/fuzzing/agentx_parse_fuzzer.c:51                                                                                                                             |                                                                                                                       |
|         |                        |                                | Info: CLibFuzzer integration found:                                                                                                                                  |                                                                                                                       |
|         |                        |                                | testing/fuzzing/parse_octet_hint_fuzzer.c:51                                                                                                                         |                                                                                                                       |
|         |                        |                                | Info: CLibFuzzer integration found:                                                                                                                                  |                                                                                                                       |
|         |                        |                                | testing/fuzzing/read_objid_fuzzer.c:49                                                                                                                               |                                                                                                                       |
|         |                        |                                | Info: CLibFuzzer integration found:                                                                                                                                  |                                                                                                                       |
|         |                        |                                | testing/fuzzing/snmp_agent_e2e_fuzzer.c:54                                                                                                                           |                                                                                                                       |
|         |                        |                                | Info: CLibFuzzer integration found:                                                                                                                                  |                                                                                                                       |
|         |                        |                                | testing/fuzzing/snmp_api_fuzzer.c:64                                                                                                                                 |                                                                                                                       |
|         |                        |                                | Info: CLibFuzzer integration found:                                                                                                                                  |                                                                                                                       |
|         |                        |                                | testing/fuzzing/snmp_config_fuzzer.c:56                                                                                                                              |                                                                                                                       |
|         |                        |                                | Info: CLibFuzzer integration found:                                                                                                                                  |                                                                                                                       |
|         |                        |                                | testing/fuzzing/snmp_config_mem_fuzzer.c:49                                                                                                                          |                                                                                                                       |
|         |                        |                                | Info: CLibFuzzer integration found:                                                                                                                                  |                                                                                                                       |
|         |                        |                                | testing/fuzzing/snmp_e2e_fuzzer.c:84                                                                                                                                 |                                                                                                                       |
|         |                        |                                | Info: CLibFuzzer integration found:                                                                                                                                  |                                                                                                                       |
|         |                        |                                | testing/fuzzing/snmp_mib_fuzzer.c:59                                                                                                                                 |                                                                                                                       |
|         |                        |                                | Info: CLibFuzzer integration found:                                                                                                                                  |                                                                                                                       |
|         |                        |                                | testing/fuzzing/snmp_parse_fuzzer.c:57                                                                                                                               |                                                                                                                       |
|         |                        |                                | Info: CLibFuzzer integration found:                                                                                                                                  |                                                                                                                       |
|         |                        |                                | testing/fuzzing/snmp_parse_oid_fuzzer.c:53                                                                                                                           |                                                                                                                       |
|         |                        |                                | Info: CLibFuzzer integration found:                                                                                                                                  |                                                                                                                       |
|         |                        |                                | testing/fuzzing/snmp_pdu_parse_fuzzer.c:49                                                                                                                           |                                                                                                                       |
|         |                        |                                | Info: CLibFuzzer integration found:                                                                                                                                  |                                                                                                                       |
|         |                        |                                | testing/fuzzing/snmp_print_var_fuzzer.c:63                                                                                                                           |                                                                                                                       |
|         |                        |                                | Info: CLibFuzzer integration found:                                                                                                                                  |                                                                                                                       |
|         |                        |                                | testing/fuzzing/snmp_scoped_pdu_parse_fuzzer.c:49                                                                                                                    |                                                                                                                       |
|         |                        |                                | Info: CLibFuzzer integration found:                                                                                                                                  |                                                                                                                       |
|         |                        |                                | testing/fuzzing/snmp_transport_fuzzer.c:56                                                                                                                           |                                                                                                                       |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10  | License                | license file detected          | Info: License file found in                                                                                                                                          | https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#license                |
|         |                        |                                | expected location: COPYING:1                                                                                                                                         |                                                                                                                       |
|         |                        |                                | Warn: Any licence detected                                                                                                                                           |                                                                                                                       |
|         |                        |                                | not an FSF or OSI recognized                                                                                                                                         |                                                                                                                       |
|         |                        |                                | license: COPYING:1                                                                                                                                                   |                                                                                                                       |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained             | 30 commit(s) out of 30 and 0   |                                                                                                                                                                      | https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#maintained             |
|         |                        | issue activity out of 30 found |                                                                                                                                                                      |                                                                                                                       |
|         |                        | in the last 90 days -- score   |                                                                                                                                                                      |                                                                                                                       |
|         |                        | normalized to 10               |                                                                                                                                                                      |                                                                                                                       |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Packaging              | no published package detected  | Warn: no GitHub/GitLab                                                                                                                                               | https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#packaging              |
|         |                        |                                | publishing workflow detected                                                                                                                                         |                                                                                                                       |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Pinned-Dependencies    | dependency not pinned by hash  | Warn: GitHub-owned GitHubAction not pinned by hash:                                                                                                                  | https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#pinned-dependencies    |
|         |                        | detected -- score normalized   | .github/workflows/buildtest.yml:20: update your workflow using                                                                                                       |                                                                                                                       |
|         |                        | to 0                           | https://app.stepsecurity.io/secureworkflow/net-snmp/net-snmp/buildtest.yml/master?enable=pin                                                                         |                                                                                                                       |
|         |                        |                                | Warn: GitHub-owned GitHubAction not pinned by hash:                                                                                                                  |                                                                                                                       |
|         |                        |                                | .github/workflows/codechecker.yml:13: update your workflow using                                                                                                     |                                                                                                                       |
|         |                        |                                | https://app.stepsecurity.io/secureworkflow/net-snmp/net-snmp/codechecker.yml/master?enable=pin                                                                       |                                                                                                                       |
|         |                        |                                | Warn: GitHub-owned GitHubAction not pinned by hash:                                                                                                                  |                                                                                                                       |
|         |                        |                                | .github/workflows/codechecker.yml:74: update your workflow using                                                                                                     |                                                                                                                       |
|         |                        |                                | https://app.stepsecurity.io/secureworkflow/net-snmp/net-snmp/codechecker.yml/master?enable=pin                                                                       |                                                                                                                       |
|         |                        |                                | Warn: GitHub-owned GitHubAction not pinned by hash:                                                                                                                  |                                                                                                                       |
|         |                        |                                | .github/workflows/codeql.yml:49: update your workflow using                                                                                                          |                                                                                                                       |
|         |                        |                                | https://app.stepsecurity.io/secureworkflow/net-snmp/net-snmp/codeql.yml/master?enable=pin                                                                            |                                                                                                                       |
|         |                        |                                | Warn: GitHub-owned GitHubAction not pinned by hash:                                                                                                                  |                                                                                                                       |
|         |                        |                                | .github/workflows/codeql.yml:53: update your workflow using                                                                                                          |                                                                                                                       |
|         |                        |                                | https://app.stepsecurity.io/secureworkflow/net-snmp/net-snmp/codeql.yml/master?enable=pin                                                                            |                                                                                                                       |
|         |                        |                                | Warn: GitHub-owned GitHubAction not pinned by hash:                                                                                                                  |                                                                                                                       |
|         |                        |                                | .github/workflows/codeql.yml:78: update your workflow using                                                                                                          |                                                                                                                       |
|         |                        |                                | https://app.stepsecurity.io/secureworkflow/net-snmp/net-snmp/codeql.yml/master?enable=pin                                                                            |                                                                                                                       |
|         |                        |                                | Warn: GitHub-owned GitHubAction not pinned by hash:                                                                                                                  |                                                                                                                       |
|         |                        |                                | .github/workflows/coverity.yml:19: update your workflow using                                                                                                        |                                                                                                                       |
|         |                        |                                | https://app.stepsecurity.io/secureworkflow/net-snmp/net-snmp/coverity.yml/master?enable=pin                                                                          |                                                                                                                       |
|         |                        |                                | Warn: downloadThenRun not pinned by hash: .github/workflows/codechecker.yml:22 Warn:                                                                                 |                                                                                                                       |
|         |                        |                                | downloadThenRun not pinned by hash: .github/workflows/codechecker.yml:31 Info:   0 out                                                                               |                                                                                                                       |
|         |                        |                                | of   7 GitHub-owned GitHubAction dependencies pinned Info:   0 out of   2 downloadThenRun                                                                            |                                                                                                                       |
|         |                        |                                | dependencies pinned                                                                                                                                                  |                                                                                                                       |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 7 / 10  | SAST                   | SAST tool detected but not run | Warn: 0 commits out of 15 are                                                                                                                                        | https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#sast                   |
|         |                        | on all commits                 | checked with a SAST tool Info:                                                                                                                                       |                                                                                                                       |
|         |                        |                                | SAST tool detected: CodeQL                                                                                                                                           |                                                                                                                       |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Security-Policy        | security policy file not       | Warn: no security policy file detected: On GitHub: Enable private vulnerability disclosure in your repository settings                                               | https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#security-policy        |
|         |                        | detected                       | https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository             |                                                                                                                       |
|         |                        |                                | Add a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in                                                |                                                                                                                       |
|         |                        |                                | https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability                          |                                                                                                                       |
|         |                        |                                | to report vulnerabilities. On GitLab: Add a section in your SECURITY.md indicating the process to disclose                                                           |                                                                                                                       |
|         |                        |                                | vulnerabilities for your project. Examples: https://github.com/ossf/scorecard/blob/main/SECURITY.md,                                                                 |                                                                                                                       |
|         |                        |                                | https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md.                            |                                                                                                                       |
|         |                        |                                | For additional information on vulnerability disclosure, see https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md.                           |                                                                                                                       |
|         |                        |                                | (Medium effort) Warn: no security file to analyze: On GitHub: Enable private vulnerability disclosure in your repository settings                                    |                                                                                                                       |
|         |                        |                                | https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository             |                                                                                                                       |
|         |                        |                                | Add a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in                                                |                                                                                                                       |
|         |                        |                                | https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to                       |                                                                                                                       |
|         |                        |                                | report vulnerabilities. On GitLab: Provide a point of contact in your SECURITY.md. Examples: https://github.com/ossf/scorecard/blob/main/SECURITY.md,                |                                                                                                                       |
|         |                        |                                | https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md.                            |                                                                                                                       |
|         |                        |                                | (Low effort) Warn: no security file to analyze: On GitHub: Enable private vulnerability disclosure in your repository settings                                       |                                                                                                                       |
|         |                        |                                | https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository             |                                                                                                                       |
|         |                        |                                | Add a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in                                                |                                                                                                                       |
|         |                        |                                | https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability                          |                                                                                                                       |
|         |                        |                                | to report vulnerabilities. On GitLab: Add a section in your SECURITY.md indicating the process to disclose                                                           |                                                                                                                       |
|         |                        |                                | vulnerabilities for your project. Examples: https://github.com/ossf/scorecard/blob/main/SECURITY.md,                                                                 |                                                                                                                       |
|         |                        |                                | https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md.                            |                                                                                                                       |
|         |                        |                                | (Low effort) Warn: no security file to analyze: On GitHub: Enable private vulnerability disclosure in your repository settings                                       |                                                                                                                       |
|         |                        |                                | https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository             |                                                                                                                       |
|         |                        |                                | Add a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in                                                |                                                                                                                       |
|         |                        |                                | https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability                          |                                                                                                                       |
|         |                        |                                | to report vulnerabilities. On GitLab: Add a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project.                         |                                                                                                                       |
|         |                        |                                | Examples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md,                    |                                                                                                                       |
|         |                        |                                | https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)                                                                                              |                                                                                                                       |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Signed-Releases        | no releases found              | Warn: no GitHub releases found                                                                                                                                       | https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#signed-releases        |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Token-Permissions      | detected GitHub workflow       | Warn: no topLevel permission defined: .github/workflows/buildtest.yml:1: Visit                                                                                       | https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#token-permissions      |
|         |                        | tokens with excessive          | https://app.stepsecurity.io/secureworkflow/net-snmp/net-snmp/buildtest.yml/master?enable=permissions                                                                 |                                                                                                                       |
|         |                        | permissions                    | Tick the 'Restrict permissions for GITHUB_TOKEN' Untick other options NOTE: If you want to                                                                           |                                                                                                                       |
|         |                        |                                | resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead.                                                                       |                                                                                                                       |
|         |                        |                                | (Low effort) Warn: no topLevel permission defined: .github/workflows/codechecker.yml:1: Visit                                                                        |                                                                                                                       |
|         |                        |                                | https://app.stepsecurity.io/secureworkflow/net-snmp/net-snmp/codechecker.yml/master?enable=permissions                                                               |                                                                                                                       |
|         |                        |                                | Tick the 'Restrict permissions for GITHUB_TOKEN' Untick other options NOTE: If you want to                                                                           |                                                                                                                       |
|         |                        |                                | resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead.                                                                       |                                                                                                                       |
|         |                        |                                | (Low effort) Warn: no topLevel permission defined: .github/workflows/codeql.yml:1: Visit                                                                             |                                                                                                                       |
|         |                        |                                | https://app.stepsecurity.io/secureworkflow/net-snmp/net-snmp/codeql.yml/master?enable=permissions                                                                    |                                                                                                                       |
|         |                        |                                | Tick the 'Restrict permissions for GITHUB_TOKEN' Untick other options NOTE: If you want to                                                                           |                                                                                                                       |
|         |                        |                                | resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead.                                                                       |                                                                                                                       |
|         |                        |                                | (Low effort) Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:34                                                                      |                                                                                                                       |
|         |                        |                                | Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:35                                                                                  |                                                                                                                       |
|         |                        |                                | Warn: no topLevel permission defined: .github/workflows/coverity.yml:1: Visit                                                                                        |                                                                                                                       |
|         |                        |                                | https://app.stepsecurity.io/secureworkflow/net-snmp/net-snmp/coverity.yml/master?enable=permissions                                                                  |                                                                                                                       |
|         |                        |                                | Tick the 'Restrict permissions for GITHUB_TOKEN' Untick other options NOTE: If you want to resolve                                                                   |                                                                                                                       |
|         |                        |                                | multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)                                                                  |                                                                                                                       |
|         |                        |                                | Info: no jobLevel write permissions found                                                                                                                            |                                                                                                                       |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities        | no vulnerabilities detected    |                                                                                                                                                                      | https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#vulnerabilities        |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|

@bvanassche
Contributor

I will leave it to others to decide whether or not they want this scorecard.
