-
At https://github.com/step-security/secure-workflows we are building a knowledge-base (KB) of GITHUB_TOKEN permissions needed by different GitHub Actions. When developers try to set minimum token perm…
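What such a knowledge base lets a developer write, as an added example for this page (not code from secure-workflows or from Scorecard): the workflow-level `permissions:` drops the default GITHUB_TOKEN scopes, and the job re-grants only the union of what its steps need. The action names and tags are illustrative (in practice they would be pinned to a commit SHA), and the per-action needs in the comments are assumptions standing in for KB entries, not values taken from the KB itself.

```yaml
name: scorecard-analysis
on:
  push:
    branches: [main]
  schedule:
    - cron: '30 1 * * 6'

# Hypothetical workflow written for this page, not the project's own.
# Drop the default token scopes for every job; each job opts back in below.
permissions: read-all

jobs:
  analysis:
    runs-on: ubuntu-latest
    # Job-level permissions replace the workflow-level ones for this job:
    # the union of what the three steps below need, and nothing more.
    permissions:
      contents: read           # actions/checkout: clone the repository (assumed KB entry)
      security-events: write   # codeql-action/upload-sarif: write code-scanning results (assumed KB entry)
      id-token: write          # scorecard-action: request an OIDC token to publish results (assumed KB entry)
    steps:
      - uses: actions/checkout@v3
        with:
          # Don't leave the token in .git/config where later steps could read it.
          persist-credentials: false
      - uses: ossf/scorecard-action@v2.0.6
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
      - uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
```

Removing `security-events: write` here breaks only the SARIF upload step, which is the kind of failure the KB is meant to let developers predict before they trim a token.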
-
**Describe the bug**
When running the tool on my repo https://github.com/georgettica/venv, I found it doesn't find my `SECURITY.adoc` file.
**Reproduction steps**
docker run -e GITHUB_AUTH_TOKEN=XX…
-
This is a part of the extended series of development for dashboard visualizations. Let this be the place where people can put their new ideas for visualizations or to voice the questions they would li…
-
Is it possible to have a custom icon for our action on the marketplace?
Currently we use a default "mic" https://github.com/marketplace/actions/ossf-scorecard-action.
The documentation at https://…
-
In the Scorecard bi-weekly meeting, the next version of Scorecard, which has some bug fixes, was brought up.
This is a tracking item to discuss this.
-
We use this library in http://github.com/ossf/scorecard, which is part of https://openssf.org. This is critical for the project, and it would be good to have it integrated with oss-fuzz to find vulnera…
-
To start thinking about our next steps towards the v4 release, let's write some ideas in this issue. We're thinking of a v4 release for EOY 2021.
We can talk about them during next scorecard meeting, create …
-
The proposal is to generate [SBOM](https://www.ntia.gov/SBOM) for `gcr.io/openssf/scorecard` and sign the docker image and the SBOM with [cosign](https://github.com/sigstore/cosign)
## SBOM
A “S…
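One way to carry out the proposal above, as an added example for this page and not the project's own release workflow: a GitHub Actions job builds and pushes the image, generates an SPDX SBOM with syft, signs the image digest with cosign keyless (Sigstore) signing, and attaches the SBOM as a signed in-toto attestation. Assumptions: cosign >= 2.0 (the `--yes` flag and the `spdxjson` predicate type are v2 behaviour), syft installed via the anchore download action, registry authentication handled by a deployment-specific step that is omitted, and action tags that in practice would be pinned to a commit SHA. The only write permission the job needs is `id-token: write`, which is what lets cosign obtain the OIDC token it exchanges for a short-lived signing certificate.

```yaml
name: release-image
on:
  push:
    tags: ['v*']

# Hypothetical workflow written for this page, not the project's own.
permissions: {}   # nothing by default; the job asks for exactly what it needs

jobs:
  build-sign:
    runs-on: ubuntu-latest
    permissions:
      contents: read    # checkout
      id-token: write   # lets cosign request an OIDC token for keyless (Fulcio) signing
    env:
      IMAGE: gcr.io/openssf/scorecard
    steps:
      - uses: actions/checkout@v3
        with:
          persist-credentials: false
      - uses: sigstore/cosign-installer@v3
      - uses: anchore/sbom-action/download-syft@v0

      # Registry login (e.g. workload identity federation to GCP) is assumed to
      # happen here; it is omitted because it is deployment-specific.

      - name: Build and push, then resolve the pushed digest
        run: |
          docker build -t "$IMAGE:${GITHUB_REF_NAME}" .
          docker push "$IMAGE:${GITHUB_REF_NAME}"
          # Sign the digest, not the tag: tags are mutable, digests are not.
          echo "DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE:${GITHUB_REF_NAME}")" >> "$GITHUB_ENV"

      - name: Generate an SPDX SBOM for the pushed image
        run: syft "$DIGEST" -o spdx-json > sbom.spdx.json

      - name: Sign the image and attach the SBOM as a signed attestation
        run: |
          cosign sign --yes "$DIGEST"
          cosign attest --yes --type spdxjson --predicate sbom.spdx.json "$DIGEST"

      - name: Verify what was just published, as a consumer would
        run: |
          ISSUER=https://token.actions.githubusercontent.com
          # Identity bound into the certificate: this workflow file, run from a version tag.
          ID='^https://github.com/ossf/scorecard/\.github/workflows/release-image\.yml@refs/tags/v'
          cosign verify --certificate-oidc-issuer "$ISSUER" --certificate-identity-regexp "$ID" "$DIGEST"
          cosign verify-attestation --type spdxjson --certificate-oidc-issuer "$ISSUER" --certificate-identity-regexp "$ID" "$DIGEST"
```

`cosign attest` stores the SBOM inside a signed DSSE envelope referenced by the image digest, so the SBOM and its signature travel with the image; the alternative, `cosign attach sbom` followed by signing the attached blob, leaves the SBOM itself unsigned until the second step runs. The final verification step is worth keeping in the workflow because it fails fast if the identity or issuer constraints were written wrong, which is otherwise discovered only when a consumer tries to verify.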
-
_Originally suggested by @mgjeong (https://github.com/lf-edge/edge-home-orchestration-go/pull/193#issuecomment-742469991)_
We need to establish the principle in adopting analysis tools for security…
-
The Core Infrastructure Initiative (CII) has been merged into the Open Source Security Foundation (OpenSSF), and the badging project is part of the OpenSSF Best Practices WG. It would be sensible to r…