aquasecurity / chain-bench

An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
Apache License 2.0

Give a final rating #37

Closed rgreinho closed 2 years ago

rgreinho commented 2 years ago

Chain-bench only provides the number of tests that passed, e.g. `Total Passed Rules: 5 out of 36`, much like unit test frameworks do.

While this provides a good overview, not all the checks are equal, and they should be weighted accordingly to generate a score for the repository. For example, using MFA should be worth more points than defining a SECURITY.md file.

As a user I would like to get a score (e.g. 87%) associated with my repositories instead of simply displaying the number of tests that passed.

rgreinho commented 2 years ago

Getting some inspiration from the ossf/scorecard project, we can see that they associate each check to a risk level: https://github.com/ossf/scorecard/blob/main/docs/checks.md.

Doing this in the CIS reference would be a good step to help move forward with the idea of a final rating.
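To make the difference between the two proposals concrete, here is an added example (not chain-bench code, and not part of the thread) that computes both the plain pass rate chain-bench prints today and a risk-weighted percentage. The risk levels are borrowed from the ossf/scorecard scheme linked above; the point values per level, the check IDs and the results are constructed for illustration, since neither the CIS benchmark nor chain-bench defines them.

```go
package main

import (
	"fmt"
	"math"
)

// Risk is the risk level attached to a check, modelled on the levels
// ossf/scorecard documents in docs/checks.md. Assumption: chain-bench
// itself has no such field today.
type Risk string

const (
	Critical Risk = "Critical"
	High     Risk = "High"
	Medium   Risk = "Medium"
	Low      Risk = "Low"
)

// riskWeight maps a risk level to the points a check is worth.
// The numbers are illustrative, not taken from the CIS benchmark.
var riskWeight = map[Risk]float64{
	Critical: 10,
	High:     7,
	Medium:   4,
	Low:      1,
}

// CheckResult is one pass/fail outcome together with its assigned risk.
type CheckResult struct {
	ID     string
	Risk   Risk
	Passed bool
}

// PassRate is the unweighted percentage behind the current
// "Total Passed Rules: N out of M" output.
func PassRate(results []CheckResult) float64 {
	if len(results) == 0 {
		return 0
	}
	passed := 0
	for _, r := range results {
		if r.Passed {
			passed++
		}
	}
	return round1(100 * float64(passed) / float64(len(results)))
}

// WeightedScore returns the percentage of available risk-weighted points
// that were earned: sum(weight of passed checks) / sum(weight of all checks).
// A check with an unknown risk level is treated as Low so that it still
// counts in the denominator instead of silently disappearing.
func WeightedScore(results []CheckResult) float64 {
	var earned, total float64
	for _, r := range results {
		w, ok := riskWeight[r.Risk]
		if !ok {
			w = riskWeight[Low]
		}
		total += w
		if r.Passed {
			earned += w
		}
	}
	if total == 0 {
		return 0
	}
	return round1(100 * earned / total)
}

// round1 rounds to one decimal place for a stable, readable percentage.
func round1(x float64) float64 { return math.Round(x*10) / 10 }

// sampleResults is constructed data: two cheap hygiene checks pass while
// the MFA check (the one the thread argues should weigh most) fails.
var sampleResults = []CheckResult{
	{ID: "mfa-enforced", Risk: Critical, Passed: false},
	{ID: "branch-protection", Risk: High, Passed: true},
	{ID: "security-md-present", Risk: Low, Passed: true},
	{ID: "signed-commits", Risk: Medium, Passed: false},
}

func main() {
	fmt.Printf("pass rate: %.1f%%  weighted score: %.1f%%\n",
		PassRate(sampleResults), WeightedScore(sampleResults))
}
```

With the sample data half of the checks pass (50.0%), but only 8 of 22 available points are earned (36.4%), because the failed MFA check carries the largest weight. That gap is exactly what a rating would surface and a raw pass count hides.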

morwn commented 2 years ago

CIS benchmark is compliance-driven, unlike risk management; this is the reason it presents pass/fail statuses for each check and doesn't contain severity/score fields. But we still might support severity/risk indication for other guidelines; feel free to add this as an idea under the Discussions section.