-
We use this library in http://github.com/ossf/scorecard which is part of the https://openssf.org. This is critical for the project and would be good to have it integrated with oss-fuzz to find vulnera…
-
To start thinking of our next step towards v4 release, let's write some ideas in this issue. We're thinking of v4 release for EOY 2021.
We can talk about them during next scorecard meeting, create …
-
The proposal is to generate [SBOM](https://www.ntia.gov/SBOM) for `gcr.io/openssf/scorecard` and sign the docker image and the SBOM with [cosign](https://github.com/sigstore/cosign)
## SBOM
A “S…
-
**Description**
I am opening this to ask if there's a contributor ladder defined for sigstore.
How do I become an org member?
I would be happy to help do PR reviews here, hoping to work to…
-
_Originally suggested by @mgjeong (https://github.com/lf-edge/edge-home-orchestration-go/pull/193#issuecomment-742469991)_
We need to establish the principle in adopting analysis tools for security…
-
The Core Infrastructure Initiative (CII) has been merged into the Open Source Security Foundation (OpenSSF), and the badging project is part of the OpenSSF Best Practices WG. It would be sensible to r…
-
As discussed during the last TAC, sigstore is interested in joining the OpenSSF as a project. This issue is to facilitate discussions within the TAC.
sigstore is an open source answer to software s…
-
This is mostly inspired by https://github.com/google/oss-fuzz/issues/6836
I agree with @jonathanmetzman that it doesn't make much sense to point CIFuzz to anything other than the master branch (in …
-
**Describe the bug**
I took a sample of 300+ repositories and Branch-Protection is failing in all of them. Are we sure this check is working?
This is failing for `scorecard` also
```SELECT h.C…
-
**Describe the bug**
One of scorecard's requirements is "frozen dependencies". In Ruby applications, including Rails, frozen dependencies are implemented via a `Gemfile.lock` file. However, such Ruby a…