
Run scorecard on allstar (ossf/allstar issue, closed, 2 comments)

ossf commented on September 24, 2024
Run scorecard on allstar


Comments (2)

justaugustus commented on September 24, 2024
scorecard version
GitVersion:	unknown
GitCommit:	unknown
GitTreeState:	unknown
BuildDate:	unknown
GoVersion:	go1.17.5
Compiler:	gc
Platform:	darwin/amd64
time scorecard --repo=github.com/ossf/allstar --show-details
Starting [Pinned-Dependencies]
Starting [Security-Policy]
Starting [Branch-Protection]
Starting [Token-Permissions]
Starting [CI-Tests]
Starting [License]
Starting [Contributors]
Starting [Maintained]
Starting [Code-Review]
Starting [Binary-Artifacts]
Starting [Fuzzing]
Starting [Vulnerabilities]
Starting [Signed-Releases]
Starting [Packaging]
Starting [Dependency-Update-Tool]
Starting [Dangerous-Workflow]
Starting [CII-Best-Practices]
Starting [SAST]
Finished [CII-Best-Practices]
Finished [SAST]
Finished [CI-Tests]
Finished [License]
Finished [Contributors]
Finished [Maintained]
Finished [Pinned-Dependencies]
Finished [Security-Policy]
Finished [Branch-Protection]
Finished [Token-Permissions]
Finished [Vulnerabilities]
Finished [Signed-Releases]
Finished [Code-Review]
Finished [Binary-Artifacts]
Finished [Fuzzing]
Finished [Dependency-Update-Tool]
Finished [Dangerous-Workflow]
Finished [Packaging]

RESULTS
-------
Aggregate score: 8.5 / 10

Check scores:
|---------|------------------------|--------------------------------|--------------------------------------------------------|-----------------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |                        DETAILS                         |                             DOCUMENTATION/REMEDIATION                             |
|---------|------------------------|--------------------------------|--------------------------------------------------------|-----------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts       | no binaries found in the repo  |                                                        | https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts       |
|---------|------------------------|--------------------------------|--------------------------------------------------------|-----------------------------------------------------------------------------------|
| 6 / 10  | Branch-Protection      | branch protection is not       | Info: 'force pushes' disabled                          | https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection      |
|         |                        | maximal on development and all | on branch 'main' Info:                                 |                                                                                   |
|         |                        | release branches               | 'allow deletion' disabled on                           |                                                                                   |
|         |                        |                                | branch 'main' Warn: no status                          |                                                                                   |
|         |                        |                                | checks found to merge onto                             |                                                                                   |
|         |                        |                                | branch 'main' Warn: number of                          |                                                                                   |
|         |                        |                                | required reviewers is only 1                           |                                                                                   |
|         |                        |                                | on branch 'main'                                       |                                                                                   |
|---------|------------------------|--------------------------------|--------------------------------------------------------|-----------------------------------------------------------------------------------|
| 9 / 10  | CI-Tests               | 29 out of 30 merged PRs        |                                                        | https://github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests               |
|         |                        | checked by a CI test -- score  |                                                        |                                                                                   |
|         |                        | normalized to 9                |                                                        |                                                                                   |
|---------|------------------------|--------------------------------|--------------------------------------------------------|-----------------------------------------------------------------------------------|
| 0 / 10  | CII-Best-Practices     | no badge detected              |                                                        | https://github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices     |
|---------|------------------------|--------------------------------|--------------------------------------------------------|-----------------------------------------------------------------------------------|
| 10 / 10 | Code-Review            | GitHub code reviews found for  | Info: Gerrit code reviews                              | https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review            |
|         |                        | 30 commits out of the last 30  | found for 0 commits out of                             |                                                                                   |
|         |                        | -- score normalized to 10      | the last 30 Info: Prow code                            |                                                                                   |
|         |                        |                                | reviews found for 0 commits                            |                                                                                   |
|         |                        |                                | out of the last 30                                     |                                                                                   |
|---------|------------------------|--------------------------------|--------------------------------------------------------|-----------------------------------------------------------------------------------|
| 10 / 10 | Contributors           | 6 different companies found -- | Info: contributors work for:                           | https://github.com/ossf/scorecard/blob/main/docs/checks.md#contributors           |
|         |                        | score normalized to 10         | kubernetes,clearlydefined,googlers,ossf,fog,gophergala |                                                                                   |
|---------|------------------------|--------------------------------|--------------------------------------------------------|-----------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns |                                                        | https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow     |
|         |                        | detected                       |                                                        |                                                                                   |
|---------|------------------------|--------------------------------|--------------------------------------------------------|-----------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected           | Info: Dependabot detected:                             | https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool |
|         |                        |                                | .github/dependabot.yml:1                               |                                                                                   |
|---------|------------------------|--------------------------------|--------------------------------------------------------|-----------------------------------------------------------------------------------|
| 0 / 10  | Fuzzing                | project is not fuzzed          |                                                        | https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing                |
|---------|------------------------|--------------------------------|--------------------------------------------------------|-----------------------------------------------------------------------------------|
| 10 / 10 | License                | license file detected          | Info: : LICENSE:1                                      | https://github.com/ossf/scorecard/blob/main/docs/checks.md#license                |
|---------|------------------------|--------------------------------|--------------------------------------------------------|-----------------------------------------------------------------------------------|
| 10 / 10 | Maintained             | 30 commit(s) out of 30 and 13  |                                                        | https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained             |
|         |                        | issue activity out of 30 found |                                                        |                                                                                   |
|         |                        | in the last 90 days -- score   |                                                        |                                                                                   |
|         |                        | normalized to 10               |                                                        |                                                                                   |
|---------|------------------------|--------------------------------|--------------------------------------------------------|-----------------------------------------------------------------------------------|
| ?       | Packaging              | no published package detected  | Warn: no GitHub publishing                             | https://github.com/ossf/scorecard/blob/main/docs/checks.md#packaging              |
|         |                        |                                | workflow detected                                      |                                                                                   |
|---------|------------------------|--------------------------------|--------------------------------------------------------|-----------------------------------------------------------------------------------|
| 8 / 10  | Pinned-Dependencies    | dependency not pinned by hash  | Warn: GitHub-owned action                              | https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies    |
|         |                        | detected -- score normalized   | not pinned by hash:                                    |                                                                                   |
|         |                        | to 8                           | .github/workflows/codeql-analysis.yml:28               |                                                                                   |
|         |                        |                                | Warn: GitHub-owned action                              |                                                                                   |
|         |                        |                                | not pinned by hash:                                    |                                                                                   |
|         |                        |                                | .github/workflows/codeql-analysis.yml:32               |                                                                                   |
|         |                        |                                | Warn: GitHub-owned action                              |                                                                                   |
|         |                        |                                | not pinned by hash:                                    |                                                                                   |
|         |                        |                                | .github/workflows/codeql-analysis.yml:38               |                                                                                   |
|         |                        |                                | Warn: GitHub-owned action                              |                                                                                   |
|         |                        |                                | not pinned by hash:                                    |                                                                                   |
|         |                        |                                | .github/workflows/codeql-analysis.yml:41               |                                                                                   |
|         |                        |                                | Warn: GitHub-owned action not pinned                   |                                                                                   |
|         |                        |                                | by hash: .github/workflows/pr.yaml:9                   |                                                                                   |
|         |                        |                                | Warn: third-party action not pinned                    |                                                                                   |
|         |                        |                                | by hash: .github/workflows/pr.yaml:10                  |                                                                                   |
|         |                        |                                | Warn: GitHub-owned action not pinned                   |                                                                                   |
|         |                        |                                | by hash: .github/workflows/pr.yaml:17                  |                                                                                   |
|         |                        |                                | Warn: GitHub-owned action not pinned                   |                                                                                   |
|         |                        |                                | by hash: .github/workflows/pr.yaml:18                  |                                                                                   |
|         |                        |                                | Warn: GitHub-owned action not pinned                   |                                                                                   |
|         |                        |                                | by hash: .github/workflows/pr.yaml:25                  |                                                                                   |
|         |                        |                                | Warn: GitHub-owned action not pinned                   |                                                                                   |
|         |                        |                                | by hash: .github/workflows/pr.yaml:26                  |                                                                                   |
|         |                        |                                | Info: Dockerfile dependencies are                      |                                                                                   |
|         |                        |                                | pinned Info: no insecure (not pinned                   |                                                                                   |
|         |                        |                                | by hash) dependency downloads found                    |                                                                                   |
|         |                        |                                | in Dockerfiles Info: no insecure (not                  |                                                                                   |
|         |                        |                                | pinned by hash) dependency downloads                   |                                                                                   |
|         |                        |                                | found in shell scripts Info: no                        |                                                                                   |
|         |                        |                                | insecure (not pinned by hash) dependency               |                                                                                   |
|         |                        |                                | downloads found in GitHub workflows                    |                                                                                   |
|---------|------------------------|--------------------------------|--------------------------------------------------------|-----------------------------------------------------------------------------------|
| 8 / 10  | SAST                   | SAST tool detected but not run | Warn: 13 commits out of 30 are                         | https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast                   |
|         |                        | on all commmits                | checked with a SAST tool Info:                         |                                                                                   |
|         |                        |                                | SAST tool detected: CodeQL                             |                                                                                   |
|---------|------------------------|--------------------------------|--------------------------------------------------------|-----------------------------------------------------------------------------------|
| 10 / 10 | Security-Policy        | security policy file detected  | Info: security policy                                  | https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy        |
|         |                        |                                | detected: SECURITY.md:1                                |                                                                                   |
|---------|------------------------|--------------------------------|--------------------------------------------------------|-----------------------------------------------------------------------------------|
| ?       | Signed-Releases        | no releases found              | Warn: no GitHub releases found                         | https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases        |
|---------|------------------------|--------------------------------|--------------------------------------------------------|-----------------------------------------------------------------------------------|
| 9 / 10  | Token-Permissions      | non read-only tokens detected  | Warn: no top level permission defined:                 | https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions      |
|         |                        | in GitHub workflows            | .github/workflows/codeql-analysis.yml:1                |                                                                                   |
|         |                        |                                | Info: job level 'actions'                              |                                                                                   |
|         |                        |                                | permission set to 'read':                              |                                                                                   |
|         |                        |                                | .github/workflows/codeql-analysis.yml:17               |                                                                                   |
|         |                        |                                | Info: job level 'contents'                             |                                                                                   |
|         |                        |                                | permission set to 'read':                              |                                                                                   |
|         |                        |                                | .github/workflows/codeql-analysis.yml:18               |                                                                                   |
|         |                        |                                | Info: top level 'contents' permission set              |                                                                                   |
|         |                        |                                | to 'read': .github/workflows/pr.yaml:4 Info:           |                                                                                   |
|         |                        |                                | top level permissions set to 'read-all':               |                                                                                   |
|         |                        |                                | .github/workflows/scorecards-analysis.yml:11           |                                                                                   |
|---------|------------------------|--------------------------------|--------------------------------------------------------|-----------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities        | no vulnerabilities detected    |                                                        | https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities        |
|---------|------------------------|--------------------------------|--------------------------------------------------------|-----------------------------------------------------------------------------------|
scorecard --repo=github.com/ossf/allstar --show-details  21.40s user 1.36s system 102% cpu 22.247 total

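The two findings in the report above that are fixable inside the repository (Pinned-Dependencies: "GitHub-owned action not pinned by hash" on pr.yaml and codeql-analysis.yml; Token-Permissions: "no top level permission defined" on codeql-analysis.yml) can be reproduced with a few lines of text scanning. The following is an added example, not code from Scorecard or Allstar: it re-implements a simplified form of those two checks over the raw workflow text (no YAML library needed) and runs them against a constructed "before" workflow and a hardened one. The workflow snippets, the job names and the 40-hex commit SHAs are placeholders invented for the example; the real Scorecard check additionally distinguishes GitHub-owned from third-party actions and inspects job-level permissions, which this does not.

```python
"""Simplified re-implementation of two Scorecard checks over GitHub workflow text.

Added example (not Scorecard's or Allstar's code). Both workflows below are
constructed for this example; the commit SHAs are placeholders, not real commits.
"""
import re
from typing import Dict, List, Optional, Tuple

# `uses: owner/repo[/path]@ref` on a step line. Local actions (./path) have no
# "@ref" and docker:// references contain characters outside the class, so both
# are ignored, as in the real check.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@(\S+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')          # pinned == full commit SHA
TOP_PERMISSIONS_RE = re.compile(r'^permissions:\s*(.*)$')   # column 0 only
PERM_ENTRY_RE = re.compile(r'^\s+([a-z-]+):\s*([a-z]+)')


def unpinned_actions(workflow: str) -> List[Tuple[int, str]]:
    """Return (line_no, 'owner/repo@ref') for every action not pinned to a full SHA."""
    findings = []
    for n, line in enumerate(workflow.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group(2)):
            findings.append((n, f"{m.group(1)}@{m.group(2)}"))
    return findings


def top_level_permissions(workflow: str) -> Optional[Dict[str, str]]:
    """Parse the top-level `permissions:` block; None means the key is absent.

    'read-all'/'write-all' are normalised to {'*': 'read'}/{'*': 'write'} and
    '{}' to an empty dict, so callers can treat every form uniformly.
    """
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        m = TOP_PERMISSIONS_RE.match(line)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline == "read-all":
            return {"*": "read"}
        if inline == "write-all":
            return {"*": "write"}
        if inline == "{}":
            return {}
        perms: Dict[str, str] = {}
        for nxt in lines[i + 1:]:
            if nxt.strip() == "":
                continue
            if not nxt.startswith(" "):      # back at column 0: block is over
                break
            km = PERM_ENTRY_RE.match(nxt)
            if km:
                perms[km.group(1)] = km.group(2)
        return perms
    return None


def token_permission_findings(workflow: str) -> List[str]:
    """Warn when the default GITHUB_TOKEN is not restricted at the top level."""
    perms = top_level_permissions(workflow)
    if perms is None:
        return ["no top level permission defined"]
    return [f"top level '{k}' permission set to '{v}'"
            for k, v in perms.items() if v == "write"]


# Constructed "before": mutable tags and no permissions block, i.e. the
# GITHUB_TOKEN gets the repository default, which may include write scopes.
UNPINNED_WORKFLOW = """\
name: pr
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@v2
        with:
          go-version: 1.17
      - uses: golangci/golangci-lint-action@v2
"""

# Constructed hardened form: read-only token and actions pinned to full SHAs
# (placeholder SHAs, with the tag kept as a comment for readability).
HARDENED_WORKFLOW = """\
name: pr
on: [pull_request]
permissions: read-all
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v2
      - uses: actions/setup-go@89abcdef0123456789abcdef0123456789abcdef # v2
        with:
          go-version: 1.17
"""

# Constructed variant with an explicit write scope, to show the mapping form.
WRITE_WORKFLOW = """\
name: release
on: [push]
permissions:
  contents: write
  pull-requests: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v2
"""

if __name__ == "__main__":
    for name, wf in [("unpinned", UNPINNED_WORKFLOW), ("hardened", HARDENED_WORKFLOW),
                     ("write", WRITE_WORKFLOW)]:
        print(name, unpinned_actions(wf), token_permission_findings(wf))
```

Pinning by full SHA matters because a tag such as `v2` is a mutable reference: whoever controls (or compromises) the action's repository can move it to different code and every workflow that trusts the tag runs it on the next push. The read-only top-level `permissions` block caps what that code can do with the job's GITHUB_TOKEN even if a pinned action is later found to be malicious.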

jeffmendoza commented on September 24, 2024

https://github.com/ossf/allstar/blob/main/.github/workflows/scorecards-analysis.yml

