-
### Is there an existing issue for this?
- [X] I have searched the existing issues
### Feature description
It's a common practice to declare the use of actions using just the major version, as in `…
l0b0 updated
10 months ago
-
Hello!
There are changes in your OpenSSF Scorecard report.
Please review the following changes and take action if necessary.
## Summary
There are changes in the following repositories:
| Repos…
-
**Is your feature request related to a problem? Please describe.**
I recently found myself running Scorecard on a number of related repos and reporting on the result. For each project I also found …
torgo updated
12 months ago
-
MVSR (Mission, Vision, Strategy, Roadmap)[1] is a tool that helps provide a consistent way of expressing our goals and efforts across the foundation. All working groups have been asked to express the…
-
Setting minimum permissions for workflows is important to keep your repository safe against supply-chain attacks. GitHub gives a GITHUB_TOKEN for workflows to perform actions. The problem is that [GITHUB_T…
-
Recently, OpenSSF introduced a `scorecard`, which gives a score to each package.
How about we give the score to each package that we analyze and include that score in the final report?
-
## Description
I would also like to suggest a security practice recommended by the [OpenSSF Scorecard][scorecard-repo], which is to hash-pin dependencies to prevent dependency-confusion, typosquatti…
-
Flagging supply-chain security issues is important so that you are aware of where your repository is vulnerable to these attacks and can act upon it. Supply-chain attacks aim for your development, build and…
-
Referencing actions by commit SHA in GitHub workflows guarantees you are using an immutable version. Actions referenced by tags and branches are more vulnerable to attacks, such as the tag being moved…
-
## Description
Hi again (related issue #360), I'd like to suggest another security practice recommended by the [OpenSSF Scorecard][scorecard-repo] and by [GitHub itself][github-hashpin], which is t…