Open Juee14Desai opened 6 days ago
OSSF Scorecard has a 1/10 score for pinned-dependencies. To increase this score, all dependencies have to be pinned by hash.
OSSF help suggests using the StepSecurity tool to update the dependencies. For more information: https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#pinned-dependencies
To check the list of dependencies flagged in the report, go to the Pinned-Dependencies section: https://securityscorecards.dev/viewer/?uri=github.com/ofiwg/libfabric
Would it affect how dependabot works?
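To show what the check is looking for, here is a small checker (added as an illustration; it is not part of libfabric, Scorecard or StepSecurity) that flags `uses:` references in a constructed workflow that are not pinned to a full commit SHA, and rewrites a tag reference into the pinned form with the version kept as a trailing comment. The workflow text and the SHA values are constructed, not taken from the libfabric repository.

```python
import re
from typing import List, Tuple

# Constructed sample workflow: one step pinned to a tag, one pinned to a commit SHA.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
      - run: pip install pytest
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def find_unpinned_actions(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reference) for each `uses:` whose ref is not a 40-hex commit SHA.

    Local actions (./path) and docker:// references are skipped; they are not
    pinned the same way and are out of scope for this illustration.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not SHA1_RE.match(version):
            findings.append((lineno, ref))
    return findings


def pin_to_sha(ref: str, sha: str) -> str:
    """Rewrite owner/repo@tag as owner/repo@<sha> # tag.

    The trailing comment records which release the SHA corresponds to, so a
    reader (or an update tool) can tell what the opaque hash stands for.
    """
    if not SHA1_RE.match(sha):
        raise ValueError("expected a full 40-character lowercase hex commit SHA")
    action, _, tag = ref.partition("@")
    return f"{action}@{sha} # {tag}" if tag else f"{action}@{sha}"
```

The SHA passed to `pin_to_sha` must be looked up from the action's repository (for example the commit a release tag points to); the checker itself does no network access.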