[Feature Request] openssf scorecard #2798

andy778 opened this issue Mar 16, 2024 · 0 comments


andy778 commented Mar 16, 2024

It would be good to get https://securityscorecards.dev/ added, to better know where the next improvements could happen and when evaluating the risk of using a component like this.

```
scorecard --repo=https://github.com/plotly/dash
Starting [Packaging]
Starting [Security-Policy]
Starting [Pinned-Dependencies]
Starting [Signed-Releases]
Starting [Code-Review]
Starting [CI-Tests]
Starting [CII-Best-Practices]
Starting [Token-Permissions]
Starting [License]
Starting [Maintained]
Starting [SAST]
Starting [Binary-Artifacts]
Starting [Branch-Protection]
Starting [Contributors]
Starting [Fuzzing]
Starting [Vulnerabilities]
Starting [Dependency-Update-Tool]
Starting [Dangerous-Workflow]
Finished [Code-Review]
Finished [CI-Tests]
Finished [CII-Best-Practices]
Finished [Token-Permissions]
Finished [Packaging]
Finished [Security-Policy]
Finished [Pinned-Dependencies]
Finished [Signed-Releases]
Finished [SAST]
Finished [Binary-Artifacts]
Finished [License]
Finished [Maintained]
Finished [Branch-Protection]
Finished [Contributors]
Finished [Fuzzing]
Finished [Vulnerabilities]
Finished [Dependency-Update-Tool]
Finished [Dangerous-Workflow]

RESULTS

Aggregate score: 5.4 / 10

Check scores:
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#binary-artifacts |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 8 / 10 | Branch-Protection | branch protection is not | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#branch-protection |
| | | maximal on development and all | |
| | | release branches | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | CI-Tests | 7 out of 7 merged PRs | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#ci-tests |
| | | checked by a CI test -- score | |
| | | normalized to 10 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#cii-best-practices |
| | | best practices badge detected | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 8 / 10 | Code-Review | found 1 unreviewed changesets | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#code-review |
| | | out of 7 -- score normalized | |
| | | to 8 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors | 25 different organizations | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#contributors |
| | | found -- score normalized to | |
| | | 10 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#dangerous-workflow |
| | | detected | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Fuzzing | project is not fuzzed | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#fuzzing |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License | license file detected | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#license |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained | 30 commit(s) out of 30 and 1 | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#maintained |
| | | issue activity out of 30 found | |
| | | in the last 90 days -- score | |
| | | normalized to 10 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Packaging | no published package detected | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#packaging |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 4 / 10 | Pinned-Dependencies | dependency not pinned by hash | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#pinned-dependencies |
| | | detected -- score normalized | |
| | | to 4 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | SAST | SAST tool is not run on all | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#sast |
| | | commits -- score normalized to | |
| | | 0 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Security-Policy | security policy file not | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#security-policy |
| | | detected | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Signed-Releases | 0 out of 1 artifacts are | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#signed-releases |
| | | signed or have provenance | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Token-Permissions | detected GitHub workflow | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#token-permissions |
| | | tokens with excessive | |
| | | permissions | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Vulnerabilities | 46 existing vulnerabilities | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#vulnerabilities |
| | | detected | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
```

@andy778 andy778 changed the title [Feature Request] opensssf scorecard [Feature Request] openssf scorecard Mar 16, 2024
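As an added example (not part of this issue or of the Dash project): the request is about using the Scorecard report to judge the risk of consuming a component, so the script below shows the consumer side of that. It parses the text table that `scorecard` prints, including reasons that wrap across several rows and the `?` an inconclusive check such as Packaging gets, and applies a per-check minimum-score policy. The sample table is an excerpt of the output quoted above; the `POLICY` thresholds are an assumption, not anything Scorecard or Dash prescribes.

```python
"""Gate a dependency on its OpenSSF Scorecard text report.

Added example: parses the table format that `scorecard --repo=...` prints
and applies a consumer-chosen minimum-score policy. Thresholds are assumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: rows copied from the scorecard run quoted in the issue
# (plotly/dash, 2024-03-16), not a fresh run. Column widths do not matter to
# the parser, only the "|" separators do.
SAMPLE_TABLE = """\
|---------|---------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------|
| SCORE   | NAME                | REASON                         | DOCUMENTATION/REMEDIATION                                                                                      |
|---------|---------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts    | no binaries found in the repo  | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#binary-artifacts |
|---------|---------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow  | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#dangerous-workflow |
|         |                     | detected                       |                                                                                                                |
|---------|---------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------|
| ?       | Packaging           | no published package detected  | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#packaging       |
|---------|---------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------|
| 4 / 10  | Pinned-Dependencies | dependency not pinned by hash  | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#pinned-dependencies |
|         |                     | detected -- score normalized   |                                                                                                                |
|         |                     | to 4                           |                                                                                                                |
|---------|---------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Security-Policy     | security policy file not       | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#security-policy |
|         |                     | detected                       |                                                                                                                |
|---------|---------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Signed-Releases     | 0 out of 1 artifacts are       | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#signed-releases |
|         |                     | signed or have provenance      |                                                                                                                |
|---------|---------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Token-Permissions   | detected GitHub workflow       | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#token-permissions |
|         |                     | tokens with excessive          |                                                                                                                |
|         |                     | permissions                    |                                                                                                                |
|---------|---------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Vulnerabilities     | 46 existing vulnerabilities    | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#vulnerabilities |
|         |                     | detected                       |                                                                                                                |
|---------|---------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------|
"""

# Hypothetical consumer policy (assumption): minimum score per check that we
# consider supply-chain relevant. Checks not listed are informational only.
POLICY = {
    "Dangerous-Workflow": 10,
    "Token-Permissions": 7,
    "Pinned-Dependencies": 5,
    "Signed-Releases": 5,
    "Vulnerabilities": 7,
    "Security-Policy": 5,
    "Packaging": 5,
}


@dataclass
class CheckResult:
    name: str
    score: Optional[int]  # None when scorecard printed "?" (inconclusive)
    reason: str
    docs: str


def parse_score(cell: str) -> Optional[int]:
    """Turn a SCORE cell such as '10 / 10' into an int; '?' becomes None."""
    cell = cell.strip()
    if cell == "?":
        return None
    match = re.fullmatch(r"(\d+)\s*/\s*10", cell)
    if not match:
        raise ValueError(f"unrecognised score cell: {cell!r}")
    return int(match.group(1))


def parse_table(text: str) -> list[CheckResult]:
    """Parse the scorecard text table; wrapped REASON rows are re-joined."""
    results: list[CheckResult] = []
    for line in text.splitlines():
        if not line.startswith("|") or line.startswith("|---"):
            continue  # skip separator rows and anything outside the table
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[1] == "NAME":
            continue  # malformed row or the header row
        score, name, reason, docs = cells
        if name:
            results.append(CheckResult(name, parse_score(score), reason, docs))
        elif results and reason:
            results[-1].reason += " " + reason  # continuation of previous reason
    return results


def evaluate(results: list[CheckResult], policy=POLICY):
    """Return (failing, inconclusive) against the policy.

    failing: (check, score, minimum, reason) for checks below threshold;
    inconclusive: policy checks that are missing or scored '?'.
    """
    by_name = {r.name: r for r in results}
    failing, inconclusive = [], []
    for check, minimum in policy.items():
        result = by_name.get(check)
        if result is None or result.score is None:
            inconclusive.append(check)
        elif result.score < minimum:
            failing.append((check, result.score, minimum, result.reason))
    return failing, inconclusive


if __name__ == "__main__":
    failing, inconclusive = evaluate(parse_table(SAMPLE_TABLE))
    for name, score, minimum, reason in failing:
        print(f"FAIL {name}: {score}/10 < {minimum} ({reason})")
    for name in inconclusive:
        print(f"INCONCLUSIVE {name}: no score available, review manually")
    raise SystemExit(1 if failing else 0)
```

Inconclusive checks are reported separately rather than treated as zero, since a `?` means Scorecard could not evaluate the check (here: no published package was detected), which is a different risk signal from a known low score. In a real pipeline the table would come from `scorecard` run against the pinned commit of the dependency, and the policy would be reviewed per team.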