Open ivankatliarchuk opened 2 months ago
Current result of running:

`docker run -e GITHUB_AUTH_TOKEN=$TOKEN gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/kubernetes/autoscaler`
Aggregate score: 6.7 / 10
Check scores:
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#binary-artifacts |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 3 / 10 | Branch-Protection | branch protection is not | Info: 'allow deletion' disabled | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#branch-protection |
| | | maximal on development and all | on branch 'master' Info: 'allow | |
| | | release branches | deletion' disabled on branch | |
| | | | 'cluster-autoscaler-release-1.30' | |
| | | | Info: 'allow deletion' | |
| | | | disabled on branch | |
| | | | 'cluster-autoscaler-release-1.29' | |
| | | | Info: 'allow deletion' | |
| | | | disabled on branch | |
| | | | 'cluster-autoscaler-release-1.28' | |
| | | | Info: 'allow deletion' | |
| | | | disabled on branch | |
| | | | 'cluster-autoscaler-release-1.27' | |
| | | | Info: 'allow deletion' | |
| | | | disabled on branch | |
| | | | 'addon-resizer-release-1.8' | |
| | | | Info: 'allow deletion' | |
| | | | disabled on branch | |
| | | | 'cluster-autoscaler-release-1.26' | |
| | | | Info: 'force pushes' disabled | |
| | | | on branch 'master' Info: 'force | |
| | | | pushes' disabled on branch | |
| | | | 'cluster-autoscaler-release-1.30' | |
| | | | Info: 'force pushes' | |
| | | | disabled on branch | |
| | | | 'cluster-autoscaler-release-1.29' | |
| | | | Info: 'force pushes' | |
| | | | disabled on branch | |
| | | | 'cluster-autoscaler-release-1.28' | |
| | | | Info: 'force pushes' | |
| | | | disabled on branch | |
| | | | 'cluster-autoscaler-release-1.27' | |
| | | | Info: 'force pushes' | |
| | | | disabled on branch | |
| | | | 'addon-resizer-release-1.8' Info: | |
| | | | 'force pushes' disabled on branch | |
| | | | 'cluster-autoscaler-release-1.26' | |
| | | | Warn: branch 'master' does not | |
| | | | require approvers Warn: branch | |
| | | | 'cluster-autoscaler-release-1.30' | |
| | | | does not require | |
| | | | approvers Warn: branch | |
| | | | 'cluster-autoscaler-release-1.29' | |
| | | | does not require | |
| | | | approvers Warn: branch | |
| | | | 'cluster-autoscaler-release-1.28' | |
| | | | does not require | |
| | | | approvers Warn: branch | |
| | | | 'cluster-autoscaler-release-1.27' | |
| | | | does not require | |
| | | | approvers Warn: branch | |
| | | | 'addon-resizer-release-1.8' | |
| | | | does not require | |
| | | | approvers Warn: branch | |
| | | | 'cluster-autoscaler-release-1.26' | |
| | | | does not require approvers | |
| | | | Warn: codeowners review is not | |
| | | | required on branch 'master' | |
| | | | Warn: codeowners review | |
| | | | is not required on branch | |
| | | | 'cluster-autoscaler-release-1.30' | |
| | | | Warn: codeowners review | |
| | | | is not required on branch | |
| | | | 'cluster-autoscaler-release-1.29' | |
| | | | Warn: codeowners review | |
| | | | is not required on branch | |
| | | | 'cluster-autoscaler-release-1.28' | |
| | | | Warn: codeowners review | |
| | | | is not required on branch | |
| | | | 'cluster-autoscaler-release-1.27' | |
| | | | Warn: codeowners review | |
| | | | is not required on branch | |
| | | | 'addon-resizer-release-1.8' | |
| | | | Warn: codeowners review | |
| | | | is not required on branch | |
| | | | 'cluster-autoscaler-release-1.26' | |
| | | | Info: status check found | |
| | | | to merge onto on branch | |
| | | | 'master' Info: status check | |
| | | | found to merge onto on branch | |
| | | | 'cluster-autoscaler-release-1.30' | |
| | | | Info: status check found | |
| | | | to merge onto on branch | |
| | | | 'cluster-autoscaler-release-1.29' | |
| | | | Info: status check found | |
| | | | to merge onto on branch | |
| | | | 'cluster-autoscaler-release-1.28' | |
| | | | Info: status check found | |
| | | | to merge onto on branch | |
| | | | 'cluster-autoscaler-release-1.27' | |
| | | | Info: status check found | |
| | | | to merge onto on branch | |
| | | | 'addon-resizer-release-1.8' | |
| | | | Info: status check found | |
| | | | to merge onto on branch | |
| | | | 'cluster-autoscaler-release-1.26' | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | CI-Tests | 10 out of 10 merged PRs | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#ci-tests |
| | | checked by a CI test -- score | |
| | | normalized to 10 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#cii-best-practices |
| | | best practices badge detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Code-Review | all changesets reviewed | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#code-review |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors | project has 24 contributing | Info: cloudfoundry-incubator | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#contributors |
| | | companies or organizations | contributor org/company | |
| | | | found, made-in-mim contributor | |
| | | | org/company found, cohere-ai | |
| | | | contributor org/company | |
| | | | found, shouting at cloud | |
| | | | contributor org/company | |
| | | | found, kubernetes contributor | |
| | | | org/company found, trinodb | |
| | | | contributor org/company found, | |
| | | | kubernetes @microsoft @azure | |
| | | | contributor org/company found, | |
| | | | sap-cloudfoundry contributor | |
| | | | org/company found, gardener | |
| | | | contributor org/company | |
| | | | found, skyscanner contributor | |
| | | | org/company found, red hat | |
| | | | contributor org/company found, | |
| | | | heni-project contributor | |
| | | | org/company found, google | |
| | | | contributor org/company found, | |
| | | | starburstdata contributor | |
| | | | org/company found, Azure | |
| | | | contributor org/company | |
| | | | found, sap contributor | |
| | | | org/company found, Skyscanner | |
| | | | contributor org/company | |
| | | | found, GoogleCloudPlatform | |
| | | | contributor org/company | |
| | | | found, kubernetes-sigs | |
| | | | contributor org/company found, | |
| | | | SAP contributor org/company | |
| | | | found, DataDog contributor | |
| | | | org/company found, googlers | |
| | | | contributor org/company | |
| | | | found, microsoft contributor | |
| | | | org/company found, datadog | |
| | | | contributor org/company found, | |
| | | | | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#dangerous-workflow |
| | | detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected | Info: detected update | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#dependency-update-tool |
| | | | tool: Dependabot: | |
| | | | .github/dependabot.yml:1 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Fuzzing | project is not fuzzed | Warn: no fuzzer integrations | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#fuzzing |
| | | | found | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License | license file detected | Info: project has a license | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#license |
| | | | file: LICENSE:0 Info: FSF or | |
| | | | OSI recognized license: Apache | |
| | | | License 2.0: LICENSE:0 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained | 30 commit(s) and 2 issue | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#maintained |
| | | activity found in the last 90 | |
| | | days -- score normalized to 10 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Packaging | packaging workflow not | Warn: no GitHub/GitLab | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#packaging |
| | | detected | publishing workflow detected. | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Pinned-Dependencies | dependency not pinned by hash | Info: Possibly incomplete results: error parsing shell code: > must be followed by | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#pinned-dependencies |
| | | detected -- score normalized | a word: cluster-autoscaler/cloudprovider/hetzner/examples/cloud-init.txt:0 Info: | |
| | | to 0 | Possibly incomplete results: error parsing shell code: > must be followed by a word: | |
| | | | cluster-autoscaler/cloudprovider/kamatera/examples/server-init-kubeadm.sh.txt:0 Warn: GitHub-owned | |
| | | | GitHubAction not pinned by hash: .github/workflows/ci.yaml:18: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/ci.yaml/master?enable=pin Warn: | |
| | | | GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:22: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/ci.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr.yaml:14: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/pr.yaml/master?enable=pin | |
| | | | Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr.yaml:16: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/pr.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr.yaml:31: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/pr.yaml/master?enable=pin | |
| | | | Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr.yaml:35: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/pr.yaml/master?enable=pin | |
| | | | Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr.yaml:48: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/pr.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr.yaml:60: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/pr.yaml/master?enable=pin | |
| | | | Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr.yaml:62: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/pr.yaml/master?enable=pin Warn: | |
| | | | GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yaml:11: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/release.yaml/master?enable=pin | |
| | | | Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:21: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/release.yaml/master?enable=pin | |
| | | | Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:29: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/kubernetes/autoscaler/release.yaml/master?enable=pin | |
| | | | Warn: containerImage not pinned by hash: addon-resizer/Dockerfile:15 Warn: containerImage not pinned | |
| | | | by hash: balancer/Dockerfile:1: pin your Docker image by updating gcr.io/distroless/static:latest to | |
| | | | gcr.io/distroless/static:latest@sha256:ce46866b3a5170db3b49364900fb3168dc0833dfb46c26da5c77f22abb01d8c3 | |
| | | | Warn: containerImage not pinned by hash: builder/Dockerfile:15: pin your Docker image by updating | |
| | | | golang:1.22.2 to golang:1.22.2@sha256:d5302d40dc5fbbf38ec472d1848a9d2391a13f93293a6a5b0b87c99dc0eaa6ae | |
| | | | Warn: containerImage not pinned by hash: cluster-autoscaler/Dockerfile.amd64:15 Warn: | |
| | | | containerImage not pinned by hash: cluster-autoscaler/Dockerfile.arm64:15 Warn: containerImage | |
| | | | not pinned by hash: cluster-autoscaler/Dockerfile.s390x:15 Warn: containerImage not pinned by | |
| | | | hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.golang-tip:4: | |
| | | | pin your Docker image by updating buildpack-deps:buster-scm to | |
| | | | buildpack-deps:buster-scm@sha256:17f1d5354613314ba0e249292483a3a3f13434bee5dea58a61e338e11f4bcacc | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.10:1: | |
| | | | pin your Docker image by updating golang:1.10 to | |
| | | | golang:1.10@sha256:6d5e79878a3e4f1b30b7aa4d24fb6ee6184e905a9b172fc72593935633be4c46 Warn: containerImage not | |
| | | | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.11:1: | |
| | | | pin your Docker image by updating golang:1.11 to | |
| | | | golang:1.11@sha256:e972c78795b22d5cfab02ac410aa2305fcc036319a7af51065d1af583cd3ec04 Warn: containerImage not | |
| | | | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.12:1: | |
| | | | pin your Docker image by updating golang:1.12 to | |
| | | | golang:1.12@sha256:d0e79a9c39cdb3d71cc45fec929d1308d50420b79201467ec602b1b80cc314a8 Warn: containerImage not | |
| | | | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.13:1: | |
| | | | pin your Docker image by updating golang:1.13 to | |
| | | | golang:1.13@sha256:8ebb6d5a48deef738381b56b1d4cd33d99a5d608e0d03c5fe8dfa3f68d41a1f8 Warn: containerImage not | |
| | | | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.14:1: | |
| | | | pin your Docker image by updating golang:1.14 to | |
| | | | golang:1.14@sha256:1a7173b5b9a3af3e29a5837e0b2027e1c438fd1b83bbee8f221355087ad416d6 Warn: containerImage not | |
| | | | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.15:1: | |
| | | | pin your Docker image by updating golang:1.15 to | |
| | | | golang:1.15@sha256:ea080cc817b02a946461d42c02891bf750e3916c52f7ea8187bccde8f312b59f Warn: containerImage not | |
| | | | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.16:1: | |
| | | | pin your Docker image by updating golang:1.16 to | |
| | | | golang:1.16@sha256:5f6a4662de3efc6d6bb812d02e9de3d8698eea16b8eb7281f03e6f3e8383018e Warn: containerImage not | |
| | | | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.17:1: | |
| | | | pin your Docker image by updating golang:1.17 to | |
| | | | golang:1.17@sha256:87262e4a4c7db56158a80a18fefdc4fee5accc41b59cde821e691d05541bbb18 Warn: containerImage not | |
| | | | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.18:1: | |
| | | | pin your Docker image by updating golang:1.18 to | |
| | | | golang:1.18@sha256:50c889275d26f816b5314fc99f55425fa76b18fcaf16af255f5d57f09e1f48da Warn: containerImage not | |
| | | | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.19:1: | |
| | | | pin your Docker image by updating golang:1.19 to | |
| | | | golang:1.19@sha256:3025bf670b8363ec9f1b4c4f27348e6d9b7fec607c47e401e40df816853e743a Warn: containerImage not | |
| | | | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.5:1: | |
| | | | pin your Docker image by updating golang:1.5 to | |
| | | | golang:1.5@sha256:3be07b667a868a246b9cee4ddc5ecce2ad1e211958bd6043a25fc1d19d55e6ba Warn: containerImage not | |
| | | | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.6:1: | |
| | | | pin your Docker image by updating golang:1.6 to | |
| | | | golang:1.6@sha256:29116f0f6cd2ef6a882639ee222ccb6e2f6d88a1d97d461aaf4c4a2622d252a1 Warn: containerImage not | |
| | | | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.7:1: | |
| | | | pin your Docker image by updating golang:1.7 to | |
| | | | golang:1.7@sha256:93b2b52f1212e97b6650bde1f20f6a359b08c117c57a848970d615fe88623a3d Warn: containerImage not | |
| | | | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.8:1: | |
| | | | pin your Docker image by updating golang:1.8 to | |
| | | | golang:1.8@sha256:f0b5dab7581eddb49dabd1d1b9aa505ca3edcdf79a66395b5bfa4f3c036b49ef Warn: containerImage not | |
| | | | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.go1.9:1: | |
| | | | pin your Docker image by updating golang:1.9 to | |
| | | | golang:1.9@sha256:8b5968585131604a92af02f5690713efadf029cc8dad53f79280b87a80eb1354 Warn: containerImage not | |
| | | | pinned by hash: cluster-autoscaler/cloudprovider/aws/aws-sdk-go/awstesting/sandbox/Dockerfile.test.gotip:1 | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | cluster-autoscaler/cloudprovider/bizflycloud/gobizfly/Dockerfile:3 Warn: containerImage not pinned by hash: | |
| | | | cluster-autoscaler/cloudprovider/bizflycloud/gobizfly/Dockerfile:20 Warn: containerImage not pinned by hash: | |
| | | | cluster-autoscaler/cloudprovider/externalgrpc/examples/external-grpc-cloud-provider-service/Dockerfile.amd64:15 | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | cluster-autoscaler/cloudprovider/externalgrpc/examples/external-grpc-cloud-provider-service/Dockerfile.arm64:15 | |
| | | | Warn: containerImage not pinned by hash: vertical-pod-autoscaler/hack/e2e/Dockerfile.externalmetrics-writer:15: | |
| | | | pin your Docker image by updating python:3.10-slim to | |
| | | | python:3.10-slim@sha256:8666a639a54acc810408e505e2c6b46b50834385701675ee177f578b3d2fdef9 Warn: | |
| | | | containerImage not pinned by hash: vertical-pod-autoscaler/pkg/admission-controller/Dockerfile:15 Warn: | |
| | | | containerImage not pinned by hash: vertical-pod-autoscaler/pkg/admission-controller/Dockerfile:27: | |
| | | | pin your Docker image by updating gcr.io/distroless/static:latest to | |
| | | | gcr.io/distroless/static:latest@sha256:ce46866b3a5170db3b49364900fb3168dc0833dfb46c26da5c77f22abb01d8c3 | |
| | | | Warn: containerImage not pinned by hash: vertical-pod-autoscaler/pkg/recommender/Dockerfile:15 | |
| | | | Warn: containerImage not pinned by hash: vertical-pod-autoscaler/pkg/recommender/Dockerfile:27: | |
| | | | pin your Docker image by updating gcr.io/distroless/static:latest to | |
| | | | gcr.io/distroless/static:latest@sha256:ce46866b3a5170db3b49364900fb3168dc0833dfb46c26da5c77f22abb01d8c3 | |
| | | | Warn: containerImage not pinned by hash: vertical-pod-autoscaler/pkg/updater/Dockerfile:15 | |
| | | | Warn: containerImage not pinned by hash: vertical-pod-autoscaler/pkg/updater/Dockerfile:27: | |
| | | | pin your Docker image by updating gcr.io/distroless/static:latest to | |
| | | | gcr.io/distroless/static:latest@sha256:ce46866b3a5170db3b49364900fb3168dc0833dfb46c26da5c77f22abb01d8c3 | |
| | | | Warn: goCommand not pinned by hash: builder/Dockerfile:24 Warn: pipCommand not pinned by hash: | |
| | | | vertical-pod-autoscaler/hack/e2e/Dockerfile.externalmetrics-writer:16 Warn: goCommand not pinned by hash: | |
| | | | addon-resizer/vendor/github.com/googleapis/gnostic/extensions/COMPILE-EXTENSION.sh:1 Warn: goCommand not | |
| | | | pinned by hash: addon-resizer/vendor/github.com/json-iterator/go/build.sh:10 Warn: goCommand not pinned by | |
| | | | hash: hack/install-verify-tools.sh:23 Warn: goCommand not pinned by hash: hack/install-verify-tools.sh:25 | |
| | | | Warn: goCommand not pinned by hash: hack/install-verify-tools.sh:27 Warn: goCommand not pinned by hash: | |
| | | | vertical-pod-autoscaler/e2e/vendor/github.com/json-iterator/go/build.sh:10 Warn: goCommand not pinned by | |
| | | | hash: vertical-pod-autoscaler/e2e/vendor/google.golang.org/grpc/regenerate.sh:35 Warn: goCommand not pinned | |
| | | | by hash: vertical-pod-autoscaler/e2e/vendor/google.golang.org/grpc/vet.sh:37 Warn: goCommand not pinned by | |
| | | | hash: vertical-pod-autoscaler/vendor/github.com/json-iterator/go/build.sh:10 Info: 0 out of 6 GitHub-owned | |
| | | | GitHubAction dependencies pinned Info: 0 out of 6 third-party GitHubAction dependencies pinned Info: 0 | |
| | | | out of 34 containerImage dependencies pinned Info: 5 out of 15 goCommand dependencies pinned Info: 0 out | |
| | | | of 1 pipCommand dependencies pinned | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | SAST | SAST tool is not run on all | Warn: 0 commits out of 30 are | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#sast |
| | | commits -- score normalized to | checked with a SAST tool | |
| | | 0 | | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Security-Policy | security policy file detected | Info: security policy file detected: | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#security-policy |
| | | | github.com/kubernetes/.github/SECURITY.md:1 | |
| | | | Info: Found linked content: | |
| | | | github.com/kubernetes/.github/SECURITY.md:1 | |
| | | | Info: Found disclosure, vulnerability, | |
| | | | and/or timelines in security policy: | |
| | | | github.com/kubernetes/.github/SECURITY.md:1 | |
| | | | Info: Found text in security policy: | |
| | | | github.com/kubernetes/.github/SECURITY.md:1 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Signed-Releases | no releases found | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#signed-releases |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Token-Permissions | GitHub workflow tokens follow | Info: jobLevel 'contents' | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#token-permissions |
| | | principle of least privilege | permission set to 'read': | |
| | | | .github/workflows/pr.yaml:7 | |
| | | | Info: jobLevel 'pull-requests' | |
| | | | permission set to 'read': | |
| | | | .github/workflows/pr.yaml:8 | |
| | | | Warn: jobLevel 'contents' | |
| | | | permission set to 'write': | |
| | | | .github/workflows/release.yaml:7 | |
| | | | Info: topLevel 'contents' | |
| | | | permission set to 'read': | |
| | | | .github/workflows/ci.yaml:11 | |
| | | | Info: topLevel 'contents' | |
| | | | permission set to 'read': | |
| | | | .github/workflows/pr.yaml:2 | |
| | | | Info: topLevel 'contents' | |
| | | | permission set to 'read': | |
| | | | .github/workflows/release.yaml:2 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Vulnerabilities | 22 existing vulnerabilities | Warn: Project is vulnerable | https://github.com/ossf/scorecard/blob/07ff61e6a0a6221599810109e045f96566f1cc3f/docs/checks.md#vulnerabilities |
| | | detected | to: GHSA-69cg-p879-7622 | |
| | | | / GO-2022-0969 Warn: | |
| | | | Project is vulnerable | |
| | | | to: GHSA-fxg5-wq6x-vr4w | |
| | | | / GO-2023-1495 Warn: | |
| | | | Project is vulnerable | |
| | | | to: GHSA-xrjj-mj9h-534m | |
| | | | / GO-2022-1144 Warn: | |
| | | | Project is vulnerable | |
| | | | to: GHSA-vvpx-j8f3-3w6h | |
| | | | / GO-2023-1571 Warn: | |
| | | | Project is vulnerable | |
| | | | to: GHSA-2wrh-6pvc-2jm9 | |
| | | | / GO-2023-1988 Warn: | |
| | | | Project is vulnerable | |
| | | | to: GHSA-4374-p667-p6c8 | |
| | | | / GO-2023-2102 Warn: | |
| | | | Project is vulnerable to: | |
| | | | GHSA-qppj-fm5r-hxr3 Warn: | |
| | | | Project is vulnerable | |
| | | | to: GHSA-4v7x-pqxf-cx7m | |
| | | | / GO-2024-2687 Warn: | |
| | | | Project is vulnerable | |
| | | | to: GHSA-69ch-w2m2-3vjp | |
| | | | / GO-2022-1059 Warn: | |
| | | | Project is vulnerable | |
| | | | to: GHSA-8r3f-844c-mc37 | |
| | | | / GO-2024-2611 Warn: | |
| | | | Project is vulnerable | |
| | | | to: GHSA-v23v-6jw2-98fq | |
| | | | / GO-2024-3005 Warn: | |
| | | | Project is vulnerable | |
| | | | to: GHSA-m5vv-6r4h-3vj9 / | |
| | | | GO-2024-2918 Warn: Project is | |
| | | | vulnerable to: GO-2022-0646 | |
| | | | Warn: Project is vulnerable | |
| | | | to: GHSA-rcjv-mgp8-qvmr | |
| | | | / GO-2023-2113 Warn: | |
| | | | Project is vulnerable | |
| | | | to: GHSA-6xv5-86q9-7xr8 | |
| | | | / GO-2023-2048 Warn: | |
| | | | Project is vulnerable | |
| | | | to: GHSA-xr7r-f8xq-vfvv | |
| | | | / GO-2024-2491 Warn: | |
| | | | Project is vulnerable | |
| | | | to: GHSA-8pgv-569h-w5rw | |
| | | | / GO-2023-2331 Warn: | |
| | | | Project is vulnerable | |
| | | | to: GHSA-45x7-px36-x8w8 | |
| | | | / GO-2023-2402 Warn: | |
| | | | Project is vulnerable | |
| | | | to: GHSA-m425-mq94-257g | |
| | | | / GO-2023-2153 Warn: | |
| | | | Project is vulnerable to: | |
| | | | GHSA-hq6q-c2x6-hmch Warn: | |
| | | | Project is vulnerable | |
| | | | to: GHSA-pxhw-596r-rwq5 | |
| | | | / GO-2024-2746 Warn: | |
| | | | Project is vulnerable | |
| | | | to: GHSA-82m2-cv7p-4m75 / | |
| | | | GO-2024-2994 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
What would you like to be added:

- Example: helm https://github.com/helm/helm/issues/13243
- Example: coredns https://github.com/coredns/coredns/blob/master/.github/workflows/scorecards.yml
- OpenSSF Scorecard: https://scorecard.dev/viewer/?uri=github.com/kubernetes/autoscaler
- Add the GitHub Action: https://github.com/ossf/scorecard-action
- Maintainers need to add a PAT token: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
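A workflow of the kind this issue asks for, added here as an illustration; it is not the autoscaler project's own file nor the coredns example linked above. The secret name `SCORECARD_TOKEN` and the `<full-commit-sha>` placeholders (to be replaced with the real commit SHA of each release tag, as the Pinned-Dependencies findings above recommend) are assumptions.

```yaml
# .github/workflows/scorecard.yml (illustrative; not the autoscaler project's own file)
name: Scorecard supply-chain security
on:
  branch_protection_rule:
  schedule:
    - cron: '30 1 * * 6'   # weekly run
  push:
    branches: [ master ]   # default branch of this repo, per the scorecard output above

# Top-level token is read-only by default (what the Token-Permissions check looks for)
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # upload SARIF to code scanning
      id-token: write          # publish results to the OpenSSF viewer (OIDC)
      contents: read
      actions: read
    steps:
      - name: Checkout code
        # Pin to a full commit SHA, not a tag; <full-commit-sha> is a placeholder
        uses: actions/checkout@<full-commit-sha>  # v4
        with:
          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@<full-commit-sha>  # v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          # Fine-grained PAT lets the Branch-Protection check read protection
          # settings (see the authentication doc above); secret name is an assumption
          repo_token: ${{ secrets.SCORECARD_TOKEN }}
          # Publishes to https://scorecard.dev/viewer/ (public repositories only)
          publish_results: true

      - name: Upload artifact
        uses: actions/upload-artifact@<full-commit-sha>  # v4
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      - name: Upload to code scanning
        uses: github/codeql-action/upload-sarif@<full-commit-sha>  # v3
        with:
          sarif_file: results.sarif
```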
Why is this needed:
This project is a collaborative effort between the CNCF and Google's Open Source Security Team to improve security practices across various CNCF projects. The focus is identifying and addressing security vulnerabilities, integrating security tools like OSS-Fuzz, and enhancing build and release security processes. The goal is to get all CNCF projects to use scorecards (focusing on graduated/incubating projects first) and to remediate some of the findings.
Scorecards