I mentioned to @yuvilio (via email) that we would be striving towards maxing out OpenSSF Scorecard.
Let's be sure that while resolving #147 (specifically the deps automerge), those principles are respected (inlined for convenience):
| Name | Description | Risk Level | Token Required | Note |
|---|---|---|---|---|
| Binary-Artifacts | Is the project free of checked-in binaries? | High | PAT, GITHUB_TOKEN | |
| Branch-Protection | Does the project use Branch Protection? | High | PAT (repo or repo> public_repo), GITHUB_TOKEN | certain settings are only supported with a maintainer PAT |
| CI-Tests | Does the project run tests in CI, e.g. GitHub Actions, Prow? | Low | PAT, GITHUB_TOKEN | |
| CII-Best-Practices | Does the project have an OpenSSF (formerly CII) Best Practices Badge? | Low | PAT, GITHUB_TOKEN | |
| Code-Review | Does the project require code review before code is merged? | High | PAT, GITHUB_TOKEN | |
| Contributors | Does the project have contributors from at least two different organizations? | Low | PAT, GITHUB_TOKEN | |
| Dangerous-Workflow | Does the project avoid dangerous coding patterns in GitHub Action workflows? | Critical | PAT, GITHUB_TOKEN | |
| Dependency-Update-Tool | Does the project use tools to help update its dependencies? | High | PAT, GITHUB_TOKEN | |
| Fuzzing | Does the project use fuzzing tools, e.g. OSS-Fuzz? | Medium | PAT, GITHUB_TOKEN | |
| License | Does the project declare a license? | Low | PAT, GITHUB_TOKEN | |
| Maintained | Is the project at least 90 days old, and maintained? | High | PAT, GITHUB_TOKEN | |
| Pinned-Dependencies | Does the project declare and pin dependencies? | Medium | PAT, GITHUB_TOKEN | |
| Packaging | Does the project build and publish official packages from CI/CD, e.g. GitHub Publishing? | Medium | PAT, GITHUB_TOKEN | |
| SAST | Does the project use static code analysis tools, e.g. CodeQL, LGTM (deprecated), SonarCloud? | Medium | PAT, GITHUB_TOKEN | |
| Security-Policy | Does the project contain a security policy? | Medium | PAT, GITHUB_TOKEN | |
| Signed-Releases | Does the project cryptographically sign releases? | High | PAT, GITHUB_TOKEN | |
| Token-Permissions | Does the project declare GitHub workflow tokens as read only? | High | PAT, GITHUB_TOKEN | |
| Vulnerabilities | Does the project have unfixed vulnerabilities? Uses the OSV service. | High | PAT, GITHUB_TOKEN | |
| Webhooks | Does the webhook defined in the repository have a token configured to authenticate the origins of requests? | High | maintainer PAT (admin: repo_hook or admin> read:repo_hook) doc | EXPERIMENTAL |
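As an added example (not the issue's or the project's own code), a Dependabot auto-merge workflow shaped around three of the checks listed above: Token-Permissions (read-only default, write scoped to one job), Pinned-Dependencies (actions pinned by commit SHA) and Dangerous-Workflow (no `pull_request_target`, untrusted PR data passed through `env` rather than interpolated into the script). It assumes Dependabot opens the PRs, branch protection gates the merge on CI, and "Allow auto-merge" is enabled on the repository; the `@<sha>` pins are placeholders.

```yaml
# Added example (not from the issue or the project): a Dependabot auto-merge
# workflow laid out to satisfy the Scorecard checks named in the table.
# Assumptions: Dependabot opens the PRs, branch protection requires the CI
# checks, and "Allow auto-merge" is enabled on the repository. Each @<sha>
# is a placeholder; replace it with the full commit SHA of the release used.
name: dependabot-automerge

on:
  pull_request:   # Not pull_request_target: Dangerous-Workflow flags running
                  # untrusted PR content under a write-capable token there.

# Token-Permissions: the workflow-level default token is read-only ...
permissions:
  contents: read

jobs:
  automerge:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    # ... and write access is granted only to the single job that merges.
    permissions:
      contents: write
      pull-requests: write
    steps:
      # Pinned-Dependencies: reference the action by commit SHA, not a tag.
      - name: Read Dependabot metadata
        id: meta
        uses: dependabot/fetch-metadata@<sha>   # placeholder pin
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Only patch/minor updates are auto-merged; majors keep human review.
      - name: Enable auto-merge for patch and minor updates
        if: >-
          steps.meta.outputs.update-type == 'version-update:semver-patch' ||
          steps.meta.outputs.update-type == 'version-update:semver-minor'
        # Dangerous-Workflow: PR-controlled data reaches the shell via env,
        # never via ${{ }} interpolation inside the run script.
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

With `--auto`, the merge only happens once the branch-protection checks pass, so CI-Tests and Branch-Protection still gate every Dependabot PR.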