Open bnevis-i opened 1 year ago
The idea is to make sure that we are following open source security best practices as much as possible.
```
$ docker run -e GITHUB_AUTH_TOKEN=`cat .github` gcr.io/openssf/scorecard:stable --repo github.com/edgexfoundry/edgex-go
Starting [CII-Best-Practices]
Starting [Security-Policy]
Starting [Dependency-Update-Tool]
Starting [Contributors]
Starting [Maintained]
Starting [License]
Starting [Dangerous-Workflow]
Starting [Branch-Protection]
Starting [CI-Tests]
Starting [Token-Permissions]
Starting [Code-Review]
Starting [SAST]
Starting [Packaging]
Starting [Pinned-Dependencies]
Starting [Binary-Artifacts]
Starting [Signed-Releases]
Starting [Fuzzing]
Starting [Vulnerabilities]
Finished [Binary-Artifacts]
Finished [SAST]
Finished [Packaging]
Finished [Pinned-Dependencies]
Finished [Vulnerabilities]
Finished [Signed-Releases]
Finished [Fuzzing]
Finished [License]
Finished [CII-Best-Practices]
Finished [Security-Policy]
Finished [Dependency-Update-Tool]
Finished [Contributors]
Finished [Maintained]
Finished [Code-Review]
Finished [Dangerous-Workflow]
Finished [Branch-Protection]
Finished [CI-Tests]
Finished [Token-Permissions]

RESULTS
-------
Aggregate score: 7.9 / 10

Check scores:
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE   | NAME                   | REASON                         | DOCUMENTATION/REMEDIATION                                                                                             |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts       | no binaries found in the repo  | https://github.com/ossf/scorecard/blob/c61f6bc297ee71dc4b5f2511144d6c031b946089/docs/checks.md#binary-artifacts       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 8 / 10  | Branch-Protection      | branch protection is not       | https://github.com/ossf/scorecard/blob/c61f6bc297ee71dc4b5f2511144d6c031b946089/docs/checks.md#branch-protection      |
|         |                        | maximal on development and all |                                                                                                                       |
|         |                        | release branches               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | CI-Tests               | 26 out of 26 merged PRs        | https://github.com/ossf/scorecard/blob/c61f6bc297ee71dc4b5f2511144d6c031b946089/docs/checks.md#ci-tests               |
|         |                        | checked by a CI test -- score  |                                                                                                                       |
|         |                        | normalized to 10               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | CII-Best-Practices     | no badge detected              | https://github.com/ossf/scorecard/blob/c61f6bc297ee71dc4b5f2511144d6c031b946089/docs/checks.md#cii-best-practices     |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Code-Review            | 26 out of last 26 changesets   | https://github.com/ossf/scorecard/blob/c61f6bc297ee71dc4b5f2511144d6c031b946089/docs/checks.md#code-review            |
|         |                        | reviewed before merge -- score |                                                                                                                       |
|         |                        | normalized to 10               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors           | 21 different organizations     | https://github.com/ossf/scorecard/blob/c61f6bc297ee71dc4b5f2511144d6c031b946089/docs/checks.md#contributors           |
|         |                        | found -- score normalized to   |                                                                                                                       |
|         |                        | 10                             |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/c61f6bc297ee71dc4b5f2511144d6c031b946089/docs/checks.md#dangerous-workflow     |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected           | https://github.com/ossf/scorecard/blob/c61f6bc297ee71dc4b5f2511144d6c031b946089/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Fuzzing                | project is not fuzzed          | https://github.com/ossf/scorecard/blob/c61f6bc297ee71dc4b5f2511144d6c031b946089/docs/checks.md#fuzzing                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License                | license file detected          | https://github.com/ossf/scorecard/blob/c61f6bc297ee71dc4b5f2511144d6c031b946089/docs/checks.md#license                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained             | 30 commit(s) out of 30 and 22  | https://github.com/ossf/scorecard/blob/c61f6bc297ee71dc4b5f2511144d6c031b946089/docs/checks.md#maintained             |
|         |                        | issue activity out of 30 found |                                                                                                                       |
|         |                        | in the last 90 days -- score   |                                                                                                                       |
|         |                        | normalized to 10               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Packaging              | no published package detected  | https://github.com/ossf/scorecard/blob/c61f6bc297ee71dc4b5f2511144d6c031b946089/docs/checks.md#packaging              |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 5 / 10  | Pinned-Dependencies    | dependency not pinned by hash  | https://github.com/ossf/scorecard/blob/c61f6bc297ee71dc4b5f2511144d6c031b946089/docs/checks.md#pinned-dependencies    |
|         |                        | detected -- score normalized   |                                                                                                                       |
|         |                        | to 5                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | SAST                   | SAST tool is run on all        | https://github.com/ossf/scorecard/blob/c61f6bc297ee71dc4b5f2511144d6c031b946089/docs/checks.md#sast                   |
|         |                        | commits                        |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Security-Policy        | security policy file detected  | https://github.com/ossf/scorecard/blob/c61f6bc297ee71dc4b5f2511144d6c031b946089/docs/checks.md#security-policy        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Signed-Releases        | no releases found              | https://github.com/ossf/scorecard/blob/c61f6bc297ee71dc4b5f2511144d6c031b946089/docs/checks.md#signed-releases        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Token-Permissions      | non read-only tokens detected  | https://github.com/ossf/scorecard/blob/c61f6bc297ee71dc4b5f2511144d6c031b946089/docs/checks.md#token-permissions      |
|         |                        | in GitHub workflows            |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities        | no vulnerabilities detected    | https://github.com/ossf/scorecard/blob/c61f6bc297ee71dc4b5f2511144d6c031b946089/docs/checks.md#vulnerabilities        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
```
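The scorecard CLI wraps long REASON cells onto continuation lines and prints `?` for checks it could not score, which makes the table awkward to diff between runs or gate on in CI. The following is an added example, not code from the issue or from the scorecard project: a small parser for the table layout shown above that joins wrapped rows, keeps unscored checks separate, and lists the checks that fell below a threshold together with the remediation link scorecard prints for them. The embedded sample is a constructed subset of the rows quoted in this issue; the `CheckResult` type and the function names are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the rows from the scorecard run above,
# wrapped the way the CLI wraps long REASON cells.
SAMPLE_OUTPUT = """\
Aggregate score: 7.9 / 10

Check scores:
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE   | NAME                   | REASON                         | DOCUMENTATION/REMEDIATION                                                                                             |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts       | no binaries found in the repo  | https://github.com/ossf/scorecard/blob/c61f6bc297ee71dc4b5f2511144d6c031b946089/docs/checks.md#binary-artifacts       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 8 / 10  | Branch-Protection      | branch protection is not       | https://github.com/ossf/scorecard/blob/c61f6bc297ee71dc4b5f2511144d6c031b946089/docs/checks.md#branch-protection      |
|         |                        | maximal on development and all |                                                                                                                       |
|         |                        | release branches               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Token-Permissions      | non read-only tokens detected  | https://github.com/ossf/scorecard/blob/c61f6bc297ee71dc4b5f2511144d6c031b946089/docs/checks.md#token-permissions      |
|         |                        | in GitHub workflows            |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Signed-Releases        | no releases found              | https://github.com/ossf/scorecard/blob/c61f6bc297ee71dc4b5f2511144d6c031b946089/docs/checks.md#signed-releases        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
"""

SCORE_RE = re.compile(r"^(\d+)\s*/\s*10$")


@dataclass
class CheckResult:
    name: str
    score: Optional[int]  # None when scorecard prints "?" (check could not be scored)
    reason: str
    doc_url: str


def parse_scorecard_table(text: str) -> List[CheckResult]:
    """Parse the 'Check scores' table, joining wrapped REASON lines onto their row."""
    results: List[CheckResult] = []
    current: Optional[CheckResult] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue  # Starting/Finished lines, aggregate score, blank lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or all(set(c) <= {"-"} for c in cells):
            continue  # row separator (or an empty row)
        score_cell, name, reason, doc = cells
        if score_cell == "SCORE":
            continue  # header row
        if name:
            # First line of a row: the score cell is "N / 10" or "?".
            m = SCORE_RE.match(score_cell)
            current = CheckResult(name, int(m.group(1)) if m else None, reason, doc)
            results.append(current)
        elif current is not None:
            # Continuation line: only the REASON column carries text.
            current.reason = f"{current.reason} {reason}".strip()
    return results


def failing_checks(results: List[CheckResult], threshold: int = 10) -> List[CheckResult]:
    """Scored checks below `threshold`, worst first; unscored ('?') checks are excluded."""
    scored = [r for r in results if r.score is not None and r.score < threshold]
    return sorted(scored, key=lambda r: r.score)


def unscored_checks(results: List[CheckResult]) -> List[CheckResult]:
    """Checks scorecard could not score (printed as '?'), e.g. because there are no releases."""
    return [r for r in results if r.score is None]


if __name__ == "__main__":
    parsed = parse_scorecard_table(SAMPLE_OUTPUT)
    for r in failing_checks(parsed):
        print(f"{r.score:>2}/10  {r.name}: {r.reason}")
        print(f"       remediation: {r.doc_url}")
    for r in unscored_checks(parsed):
        print(f" ?/10  {r.name}: {r.reason}")
```

Piping the real run through this (`docker run ... | python3 parse_scorecard.py`, reading stdin instead of the sample) gives a stable one-line-per-check view, which is easier to track in an issue like this one than the wrapped table. Unscored checks are reported separately on purpose: a `?` for Signed-Releases or Packaging is missing evidence, not a failing grade, and should not be treated as a 0.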