-
### What's the problem this feature will solve?
Hi, I work on behalf of Google and OpenSSF to help Open Source Projects to improve their Supply Chain Security.
I saw this interesting PR https://gi…
-
As discussed on today's (3/1/23) phone call, I'm putting together a paper with the default compiler options used by each independent Linux distro.
https://docs.google.com/document/d/1QGyDVgu0bGdKkd…
-
I would like to suggest setting the permissions to the github workflows (the build.yml file) as read only on the [top level](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-gith…
-
Adding a Security Policy is important to provide guidance on how users can report potential vulnerabilities and communicate when vulnerabilities will be confirmed, fixed and disclosed to the public.
…
-
Hi!
I'm here to suggest that you set minimal permissions to your GitHub Workflows, because currently they don't specify the permissions for their jobs and their privileges are being determined by G…
-
One of the recommendations we're getting from the OpenSSF Scorecard is that we pin all the GitHub Actions workflows we're using, using hashes instead of version tags (because tags could be changed but …
-
# Suggestion
## 🔍 Search Terms
ossf, openssf, scorecard, scorecards
## ✅ Viability Checklist
My suggestion meets these guidelines:
* [x] This wouldn't be a breaking change in …
-
**Is your feature request related to a problem? Please describe.**
This feature request is related to a security improvement in order to avoid some types of supply-chain attacks. The GitHub workflows…
-
Referencing actions by commit SHA in GitHub workflows guarantees you are using an immutable version. Actions referenced by tags and branches are vulnerable to attacks, such as the tag being moved to …
-
Hello!
There are changes in your OpenSSF Scorecard report.
Please review the following changes and take action if necessary.
## Summary
There are changes in the following repositories:
| Repos…