-
**Describe the bug**
Run OSS CLI on public GH repo with valid GH PAT - get 422 error for dependabot commit search.
Related to issue #3607
**Reproduction steps**
Steps to reproduce the behavi…
-
Adding a Security Policy is important to provide guidance on how users can report potential vulnerabilities and communicate when vulnerabilities will be confirmed, fixed and disclosed to the public. W…
-
Hi :wave: as a project in the working group "[Identifying Security Threats](https://openssf.slack.com/archives/C01A50B978T)", we are working on the [SECURITY-INSIGHTS.yml specification](https://github…
-
Hi,
Could I please ask how one would retrieve the scorecard data for projects that exist within GitLab subgroups?
**Example:**
For project https://gitlab.com/gitlab-org/ruby/gems/gitlab-triag…
-
# Proposal
Hello, I'm working on behalf of Google and the [Open Source Security Foundation][ossf] (OpenSSF) to help open-source projects improve their supply-chain security. Given kind-of project imp…
-
| Attribute | Implemented? |
|---|---|
| Security Insights Verified | |
| Open Source Project (Y/N) | |
| Open Source Foundation (CNCF, Apache, CDF) | |
| License File | |
| Readme File | |
| …
-
When you look at [`ion-java` in Maven Central](https://central.sonatype.com/artifact/com.amazon.ion/ion-java) you can see that the project is assigned a safety rating of 5/10.
Reading from the [Ho…
-
### New feature motivation
Since semantic-release is not currently detected as a valid automated workflow packaging tool, projects publishing with it currently receive a low score for the "Packaging"…
-
- [ ] use [Harden Runner](https://github.com/step-security/harden-runner) in all GH workflows
- [ ] use hashes instead of versions in GH workflows
- [ ] add [OpenSSF Scorecard](https://github.com/os…
alpe updated
9 months ago
-
As a subgroup of OpenSSF, we must think about security first and foremost. I am recommending creating a standard for all of SLSA repositories, builds, and scanning. I know we won't get here overnigh…