Thanks to @zroll's talk at JNation I discovered the existence of this tool and spent 5 minutes testing it out; these are the results for this repository:
Aggregate score: 5.7 / 10
RESULTS
-------
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Binary-Artifacts | binaries present in source | https://github.com/ossf/scorecard/blob/36d8ad7a6037cdfbd8a42bf0bbca0c4852f7af25/docs/checks.md#binary-artifacts |
| | | code | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 3 / 10 | Branch-Protection | branch protection is not | https://github.com/ossf/scorecard/blob/36d8ad7a6037cdfbd8a42bf0bbca0c4852f7af25/docs/checks.md#branch-protection |
| | | maximal on development and all | |
| | | release branches | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | CI-Tests | 16 out of 16 merged PRs | https://github.com/ossf/scorecard/blob/36d8ad7a6037cdfbd8a42bf0bbca0c4852f7af25/docs/checks.md#ci-tests |
| | | checked by a CI test -- score | |
| | | normalized to 10 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF | https://github.com/ossf/scorecard/blob/36d8ad7a6037cdfbd8a42bf0bbca0c4852f7af25/docs/checks.md#cii-best-practices |
| | | best practices badge detected | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Code-Review | all changesets reviewed | https://github.com/ossf/scorecard/blob/36d8ad7a6037cdfbd8a42bf0bbca0c4852f7af25/docs/checks.md#code-review |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors | project has 27 contributing | https://github.com/ossf/scorecard/blob/36d8ad7a6037cdfbd8a42bf0bbca0c4852f7af25/docs/checks.md#contributors |
| | | companies or organizations | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/36d8ad7a6037cdfbd8a42bf0bbca0c4852f7af25/docs/checks.md#dangerous-workflow |
| | | detected | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected | https://github.com/ossf/scorecard/blob/36d8ad7a6037cdfbd8a42bf0bbca0c4852f7af25/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Fuzzing | project is not fuzzed | https://github.com/ossf/scorecard/blob/36d8ad7a6037cdfbd8a42bf0bbca0c4852f7af25/docs/checks.md#fuzzing |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License | license file detected | https://github.com/ossf/scorecard/blob/36d8ad7a6037cdfbd8a42bf0bbca0c4852f7af25/docs/checks.md#license |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained | 30 commit(s) and 15 issue | https://github.com/ossf/scorecard/blob/36d8ad7a6037cdfbd8a42bf0bbca0c4852f7af25/docs/checks.md#maintained |
| | | activity found in the last 90 | |
| | | days -- score normalized to 10 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Packaging | packaging workflow detected | https://github.com/ossf/scorecard/blob/36d8ad7a6037cdfbd8a42bf0bbca0c4852f7af25/docs/checks.md#packaging |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 1 / 10 | Pinned-Dependencies | dependency not pinned by hash | https://github.com/ossf/scorecard/blob/36d8ad7a6037cdfbd8a42bf0bbca0c4852f7af25/docs/checks.md#pinned-dependencies |
| | | detected -- score normalized | |
| | | to 1 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | SAST | SAST tool is not run on all | https://github.com/ossf/scorecard/blob/36d8ad7a6037cdfbd8a42bf0bbca0c4852f7af25/docs/checks.md#sast |
| | | commits -- score normalized to | |
| | | 0 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Security-Policy | security policy file not | https://github.com/ossf/scorecard/blob/36d8ad7a6037cdfbd8a42bf0bbca0c4852f7af25/docs/checks.md#security-policy |
| | | detected | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Signed-Releases | no releases found | https://github.com/ossf/scorecard/blob/36d8ad7a6037cdfbd8a42bf0bbca0c4852f7af25/docs/checks.md#signed-releases |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Token-Permissions | detected GitHub workflow | https://github.com/ossf/scorecard/blob/36d8ad7a6037cdfbd8a42bf0bbca0c4852f7af25/docs/checks.md#token-permissions |
| | | tokens with excessive | |
| | | permissions | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities | 0 existing vulnerabilities | https://github.com/ossf/scorecard/blob/36d8ad7a6037cdfbd8a42bf0bbca0c4852f7af25/docs/checks.md#vulnerabilities |
| | | detected | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
We don't want to revisit everything to have a "perfect score", but I would welcome low-touch improvements over those metrics.
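The two cheapest wins in the table above are Pinned-Dependencies (1/10) and Token-Permissions (0/10), and both are fixed in the workflow files themselves. The script below is an added illustration, not part of this issue and not code from the repository being scored: it embeds a constructed "weak" workflow next to its hardened twin (top-level `permissions: contents: read`, every action pinned to a full commit SHA) and runs a simplified, line-based version of what Scorecard's two checks look for. The commit SHAs in the hardened sample are placeholders, not real action commits; Scorecard's real implementation parses YAML properly and also inspects job-level `permissions`, `pip install`/`npm install` lines and Dockerfiles, none of which this heuristic covers.

```python
import re

# Constructed sample: a typical Maven build workflow with the two findings Scorecard flagged.
# Actions are pinned to mutable tags and no `permissions:` block is declared, so the
# GITHUB_TOKEN gets the repository default (historically write-all).
WEAK_WORKFLOW = """\
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
      - run: ./mvnw -B verify
"""

# Hardened twin: read-only token at the top level, actions pinned to a 40-hex commit SHA
# with the tag kept as a trailing comment so Dependabot/Renovate can still bump it.
# The SHAs are PLACEHOLDERS (assumption for this example); use the real commit of the tag.
HARDENED_WORKFLOW = """\
name: build
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
        with:
          java-version: '17'
          distribution: 'temurin'
      - run: ./mvnw -B verify
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text):
    """Return every `uses:` reference that is not pinned to a full commit SHA.

    Local actions (./path) and docker:// references are skipped; a tag or branch
    after the '@' is mutable and therefore counts as unpinned.
    """
    unpinned = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _name, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            unpinned.append(ref)
    return unpinned


def top_level_permissions(workflow_text):
    """Return the workflow-level `permissions` value.

    Gives a dict for a block form ({'contents': 'read'}), the bare string for an
    inline form ('read-all', 'write-all', '{}'), or None when no top-level block exists.
    Only column-0 keys are considered, so job-level permissions are ignored here.
    """
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*(.*?)\s*$", line)
        if not m:
            continue
        if m.group(1):
            return m.group(1)
        perms = {}
        for nxt in lines[i + 1:]:
            km = re.match(r"^\s+([\w-]+):\s*(\w+)\s*$", nxt)
            if not km:
                break
            perms[km.group(1)] = km.group(2)
        return perms
    return None


def token_permissions_ok(workflow_text):
    """True when the top-level token is explicitly restricted to read/none scopes."""
    perms = top_level_permissions(workflow_text)
    if perms is None or perms == "write-all":
        return False
    if perms in ("read-all", "{}"):
        return True
    return all(v in ("read", "none") for v in perms.values())


def scan_workflow(workflow_text):
    """Summarise the two findings for one workflow file."""
    return {
        "unpinned_actions": find_unpinned_actions(workflow_text),
        "token_permissions_restricted": token_permissions_ok(workflow_text),
    }


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, scan_workflow(wf))
```

Pointing `scan_workflow` at a real `.github/workflows/*.yml` gives a quick local pre-check before re-running Scorecard; the real check is stricter, so treat a clean result here as necessary rather than sufficient. Note that pinning by SHA only pays off if a dependency-update bot (already detected at 10/10 above) is configured to bump those SHAs, otherwise the pins silently go stale.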