-
On September 1st, the Open Source Security Foundation released a guide on how best to avoid security problems when using npm. We should review this and ticket any of its recommendations which make se…
-
### Problem Statement
Kyverno shows the OpenSSF scorecard passing badge but not the score.
### Solution Description
Add OpenSSF scorecard score badge:
https://openssf.org/blog/2022/09/08/sho…
-
https://deps.dev/project/github/theupdateframework%2Fpython-tuf
* expand token-permissions
* click "show details"
We're getting 0/10 on the openssf scorecard for _Token-Permissions_. I think some…
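What the Token-Permissions check is looking for, as an added example that is not part of the issue above and not Scorecard's own code: a line-based approximation of the check, run over constructed workflows. It assumes the workflow text is available as a string, inspects only the top-level `permissions:` key (the `read-all`/`write-all` shorthand and the per-scope map), and ignores job-level blocks; a real YAML parser would cover other layouts.

```python
"""Heuristic version of the Scorecard Token-Permissions check.

Added example, not Scorecard's code. The check looks at each GitHub Actions
workflow for a top-level ``permissions:`` block that limits GITHUB_TOKEN to
read access; a missing block (repository default) or ``write-all`` scores
badly. Write scopes belong on the individual job that needs them.
"""
import re

TOP_LEVEL_PERMS = re.compile(r"^permissions:(.*)$")          # column 0 only
SCOPE_LINE = re.compile(r"^\s{2,}([a-z-]+):\s*(read|write|none)\s*$")


def top_level_permissions(workflow_text):
    """Return the top-level permissions as a dict, or None if there is none.

    Shorthand ``permissions: read-all`` / ``write-all`` becomes
    {"*": "read"} / {"*": "write"}; ``permissions: {}`` becomes {}.
    """
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = TOP_LEVEL_PERMS.match(line)
        if not m:
            continue
        rest = m.group(1).strip()
        if rest in ("read-all", "write-all"):
            return {"*": rest.split("-")[0]}
        if rest == "{}":
            return {}
        scopes = {}
        for nxt in lines[i + 1:]:
            sm = SCOPE_LINE.match(nxt)
            if not sm:
                break  # end of the indented scope map
            scopes[sm.group(1)] = sm.group(2)
        return scopes
    return None


def token_permissions_findings(workflow_text):
    """Return human-readable findings; an empty list means the workflow passes."""
    perms = top_level_permissions(workflow_text)
    if perms is None:
        return ["no top-level permissions block: GITHUB_TOKEN gets the repository default"]
    findings = []
    if perms.get("*") == "write":
        findings.append("top-level 'permissions: write-all' grants every scope write access")
    for scope, level in perms.items():
        if scope != "*" and level == "write":
            findings.append(f"top-level '{scope}: write' should be moved to the job that needs it")
    return findings


# Constructed sample workflows (not taken from any real repository).
UNRESTRICTED_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
"""

RESTRICTED_WORKFLOW = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3
"""

WRITE_AT_TOP_WORKFLOW = """\
name: release
on: [push]
permissions:
  contents: write
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: echo publish
"""

if __name__ == "__main__":
    for name, wf in [("unrestricted", UNRESTRICTED_WORKFLOW),
                     ("restricted", RESTRICTED_WORKFLOW),
                     ("write-at-top", WRITE_AT_TOP_WORKFLOW)]:
        print(name, token_permissions_findings(wf) or "OK")
```

The pattern that satisfies the check is the one in `RESTRICTED_WORKFLOW`: a read-only default at the top of the file and the write scope declared only on the job that publishes or pushes.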
-
## Feature Request
Docker dependencies should be pinned by hash instead of a mutable tag.
```
mcr.microsoft.com/dotnet/sdk:6.0
mcr.microsoft.com/dotnet/runtime:6.0
```
Unfortunately Micro…
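How the pinning this request asks for looks in practice, as an added example that is not the project's code: a check for `FROM` lines that lack a digest, plus a rewrite to the `image:tag@sha256:<digest>` form that the Scorecard Pinned-Dependencies check accepts. The Dockerfile is constructed around the two images named above and the all-zero digest is a placeholder; the real digest for a tag comes from the registry, for instance `crane digest mcr.microsoft.com/dotnet/sdk:6.0` or `docker buildx imagetools inspect mcr.microsoft.com/dotnet/sdk:6.0`.

```python
"""Digest pinning for Dockerfile base images.

Added example, not Scorecard's code. A tag such as ``sdk:6.0`` is mutable
and can be re-pointed by the publisher; a sha256 digest identifies one
manifest and is verified by the container runtime on pull.
"""
import re

# FROM [--platform=...] <image>[:<tag>][@<digest>] [AS <stage>]
FROM_LINE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_images(dockerfile_text):
    """Return image references from FROM lines that carry no sha256 digest.

    ``scratch`` and references to earlier build stages are skipped because
    they are not registry pulls.
    """
    stages = set()
    unpinned = []
    for line in dockerfile_text.splitlines():
        m = FROM_LINE.match(line)
        if not m:
            continue
        ref, stage = m.group("ref"), m.group("stage")
        if ref.lower() != "scratch" and ref.lower() not in stages:
            if not DIGEST.search(ref):
                unpinned.append(ref)
        if stage:
            stages.add(stage.lower())
    return unpinned


def pin_image(ref, digest):
    """Rewrite ``image:tag`` as ``image:tag@sha256:<digest>``.

    The tag is kept so the intended version stays readable; the digest is
    what gets enforced. ``digest`` is the 64-hex sha256 obtained out of band.
    """
    if digest.startswith("sha256:"):
        digest = digest[len("sha256:"):]
    if not re.fullmatch(r"[0-9a-f]{64}", digest):
        raise ValueError("digest must be 64 lowercase hex characters")
    if DIGEST.search(ref):
        raise ValueError(f"{ref} is already pinned")
    return f"{ref}@sha256:{digest}"


def pin_dockerfile(dockerfile_text, digests):
    """Rewrite every unpinned FROM reference found in the ref -> digest map.

    References without a mapping are left untouched and will still be
    reported by unpinned_images().
    """
    out = []
    for line in dockerfile_text.splitlines():
        m = FROM_LINE.match(line)
        if m:
            ref = m.group("ref")
            if ref in digests and not DIGEST.search(ref):
                line = line.replace(ref, pin_image(ref, digests[ref]), 1)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample. The image names are the ones from the request above;
# the digest is an all-zero placeholder, not a real manifest digest.
SAMPLE_DOCKERFILE = """\
FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
WORKDIR /src
RUN dotnet publish -c Release -o /app

FROM mcr.microsoft.com/dotnet/runtime:6.0
COPY --from=build /app /app
ENTRYPOINT ["dotnet", "/app/app.dll"]
"""
PLACEHOLDER_DIGEST = "0" * 64

if __name__ == "__main__":
    print("unpinned:", unpinned_images(SAMPLE_DOCKERFILE))
    pinned = pin_dockerfile(SAMPLE_DOCKERFILE, {
        "mcr.microsoft.com/dotnet/sdk:6.0": PLACEHOLDER_DIGEST,
        "mcr.microsoft.com/dotnet/runtime:6.0": PLACEHOLDER_DIGEST,
    })
    print(pinned)
    print("unpinned after rewrite:", unpinned_images(pinned))
```

Pinning by digest trades automatic patch pickup for reproducibility, which is why it pairs with a dependency update bot that proposes digest bumps as new manifests are published.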
-
Hello, I'm working on behalf of Google and the [OpenSSF][ossf] to improve the supply-chain security of essential open-source projects. The OpenSSF is a non-profit foundation dedicated to improving the…
-
### Proposed new feature or change:
Hi, I'm Pedro and I'm working for Google and the [Open Source Security Foundation][ossf] to help essential open-source projects improve their supply-chain security…
-
**Is your feature request related to a problem? Please describe.**
Scorecards prescriptions are not refreshed properly because the current handlers use an older Scorecards dataset version.
Related t…
-
For the dependency update tool check, AFAICS it currently only checks for Dependabot/Renovate, while some projects may be using [updateCLI](https://updatecli.io/) to do the same kind of automation. C…
-
### Description
Hello, I'm working on behalf of Google and the [Open Source Security Foundation][ossf] to help essential open-source projects improve their supply-chain security. Given how crucial PH…
-
The Scorecard Action fails for one of my projects with `500 Internal Server Error` after what appears to be a successful scan. This has been happening since I upgraded to v2.0.0 yesterday, prior to th…