openclarity / functionclarity

FunctionClarity is an infrastructure solution for signing and verifying serverless functions
https://openclarity.io/
Apache License 2.0

Address results of `scorecard` report #71

Closed justaugustus closed 1 year ago

justaugustus commented 1 year ago

I've run an initial scorecard report against the repo and am sharing the results here:

{
  "date": "2022-11-16",
  "repo": {
    "name": "github.com/openclarity/functionclarity",
    "commit": "a83dce9b6d5ca5eb8c39a9aa6f491ae973669a5f"
  },
  "scorecard": {
    "version": "v4.8.0-64-ge10b6fb",
    "commit": "e10b6fbb8d155ecce73ff0d8e935ace07aecb04a"
  },
  "score": 5.3,
  "checks": [
    {
      "details": null,
      "score": 10,
      "reason": "no binaries found in the repo",
      "name": "Binary-Artifacts",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/e10b6fbb8d155ecce73ff0d8e935ace07aecb04a/docs/checks.md#binary-artifacts",
        "short": "Determines if the project has generated executable (binary) artifacts in the source repository."
      }
    },
    {
      "details": [
        "Info: 'force pushes' disabled on branch 'main'",
        "Info: 'allow deletion' disabled on branch 'main'",
        "Info: settings apply to administrators on branch 'main'",
        "Info: status checks require up-to-date branches for 'main'",
        "Info: status check found to merge onto on branch 'main'",
        "Warn: number of required reviewers is only 1 on branch 'main'",
        "Warn: Stale review dismissal disabled on branch 'main'",
        "Warn: codeowner review is not required on branch 'main'"
      ],
      "score": 8,
      "reason": "branch protection is not maximal on development and all release branches",
      "name": "Branch-Protection",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/e10b6fbb8d155ecce73ff0d8e935ace07aecb04a/docs/checks.md#branch-protection",
        "short": "Determines if the default and release branches are protected with GitHub's branch protection settings."
      }
    },
    {
      "details": null,
      "score": 9,
      "reason": "24 out of 25 merged PRs checked by a CI test -- score normalized to 9",
      "name": "CI-Tests",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/e10b6fbb8d155ecce73ff0d8e935ace07aecb04a/docs/checks.md#ci-tests",
        "short": "Determines if the project runs tests before pull requests are merged."
      }
    },
    {
      "details": null,
      "score": 0,
      "reason": "no badge detected",
      "name": "CII-Best-Practices",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/e10b6fbb8d155ecce73ff0d8e935ace07aecb04a/docs/checks.md#cii-best-practices",
        "short": "Determines if the project has an OpenSSF (formerly CII) Best Practices Badge."
      }
    },
    {
      "details": null,
      "score": 9,
      "reason": "25 out of last 26 changesets reviewed before merge -- score normalized to 9",
      "name": "Code-Review",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/e10b6fbb8d155ecce73ff0d8e935ace07aecb04a/docs/checks.md#code-review",
        "short": "Determines if the project requires code review before pull requests (aka merge requests) are merged."
      }
    },
    {
      "details": [
        "Info: contributors work for "
      ],
      "score": 0,
      "reason": "0 different organizations found -- score normalized to 0",
      "name": "Contributors",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/e10b6fbb8d155ecce73ff0d8e935ace07aecb04a/docs/checks.md#contributors",
        "short": "Determines if the project has a set of contributors from multiple organizations (e.g., companies)."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "no dangerous workflow patterns detected",
      "name": "Dangerous-Workflow",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/e10b6fbb8d155ecce73ff0d8e935ace07aecb04a/docs/checks.md#dangerous-workflow",
        "short": "Determines if the project's GitHub Action workflows avoid dangerous patterns."
      }
    },
    {
      "details": [
        "Warn: Config file not detected in source location for dependabot, renovatebot, Sonatype Lift, or\n\t\t\tPyUp (Python). We recommend setting this configuration in code so it can be easily verified by others."
      ],
      "score": 0,
      "reason": "no update tool detected",
      "name": "Dependency-Update-Tool",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/e10b6fbb8d155ecce73ff0d8e935ace07aecb04a/docs/checks.md#dependency-update-tool",
        "short": "Determines if the project uses a dependency update tool."
      }
    },
    {
      "details": null,
      "score": 0,
      "reason": "project is not fuzzed",
      "name": "Fuzzing",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/e10b6fbb8d155ecce73ff0d8e935ace07aecb04a/docs/checks.md#fuzzing",
        "short": "Determines if the project uses fuzzing."
      }
    },
    {
      "details": [
        "Info: : .licensei.toml:1"
      ],
      "score": 10,
      "reason": "license file detected",
      "name": "License",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/e10b6fbb8d155ecce73ff0d8e935ace07aecb04a/docs/checks.md#license",
        "short": "Determines if the project has defined a license."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "26 commit(s) out of 26 and 2 issue activity out of 2 found in the last 90 days -- score normalized to 10",
      "name": "Maintained",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/e10b6fbb8d155ecce73ff0d8e935ace07aecb04a/docs/checks.md#maintained",
        "short": "Determines if the project is \"actively maintained\"."
      }
    },
    {
      "details": [
        "Warn: no GitHub publishing workflow detected"
      ],
      "score": -1,
      "reason": "no published package detected",
      "name": "Packaging",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/e10b6fbb8d155ecce73ff0d8e935ace07aecb04a/docs/checks.md#packaging",
        "short": "Determines if the project is published as a package that others can easily download, install, easily update, and uninstall."
      }
    },
    {
      "details": [
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/openclarity/functionclarity/build.yml/main?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/openclarity/functionclarity/build.yml/main?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/openclarity/functionclarity/build.yml/main?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/openclarity/functionclarity/build.yml/main?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/openclarity/functionclarity/release.yml/main?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/openclarity/functionclarity/release.yml/main?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/openclarity/functionclarity/release.yml/main?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/openclarity/functionclarity/release.yml/main?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/openclarity/functionclarity/release.yml/main?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/openclarity/functionclarity/release.yml/main?enable=pin",
        "Warn: npmCommand not pinned by hash: .github/workflows/build.yml:37",
        "Info: Dockerfile dependencies are pinned",
        "Info: no insecure (not pinned by hash) dependency downloads found in Dockerfiles",
        "Info: no insecure (not pinned by hash) dependency downloads found in shell scripts"
      ],
      "score": 7,
      "reason": "dependency not pinned by hash detected -- score normalized to 7",
      "name": "Pinned-Dependencies",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/e10b6fbb8d155ecce73ff0d8e935ace07aecb04a/docs/checks.md#pinned-dependencies",
        "short": "Determines if the project has declared and pinned the dependencies of its build process."
      }
    },
    {
      "details": [
        "Warn: 0 commits out of 25 are checked with a SAST tool",
        "Warn: CodeQL tool not detected"
      ],
      "score": 0,
      "reason": "SAST tool is not run on all commits -- score normalized to 0",
      "name": "SAST",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/e10b6fbb8d155ecce73ff0d8e935ace07aecb04a/docs/checks.md#sast",
        "short": "Determines if the project uses static code analysis."
      }
    },
    {
      "details": null,
      "score": 0,
      "reason": "security policy file not detected",
      "name": "Security-Policy",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/e10b6fbb8d155ecce73ff0d8e935ace07aecb04a/docs/checks.md#security-policy",
        "short": "Determines if the project has published a security policy."
      }
    },
    {
      "details": [
        "Warn: release artifact v1.0.1 does not have provenance: https://api.github.com/repos/openclarity/functionclarity/releases/78846100",
        "Warn: release artifact v1.0.1 not signed: https://api.github.com/repos/openclarity/functionclarity/releases/78846100"
      ],
      "score": 0,
      "reason": "0 out of 1 artifacts are signed or have provenance",
      "name": "Signed-Releases",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/e10b6fbb8d155ecce73ff0d8e935ace07aecb04a/docs/checks.md#signed-releases",
        "short": "Determines if the project cryptographically signs release artifacts."
      }
    },
    {
      "details": [
        "Warn: no topLevel permission defined: .github/workflows/build.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/openclarity/functionclarity/build.yml/main?enable=permissions",
        "Warn: no topLevel permission defined: .github/workflows/release.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/openclarity/functionclarity/release.yml/main?enable=permissions"
      ],
      "score": 0,
      "reason": "non read-only tokens detected in GitHub workflows",
      "name": "Token-Permissions",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/e10b6fbb8d155ecce73ff0d8e935ace07aecb04a/docs/checks.md#token-permissions",
        "short": "Determines if the project's workflows follow the principle of least privilege."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "no vulnerabilities detected",
      "name": "Vulnerabilities",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/e10b6fbb8d155ecce73ff0d8e935ace07aecb04a/docs/checks.md#vulnerabilities",
        "short": "Determines if the project has open, known unfixed vulnerabilities."
      }
    }
  ],
  "metadata": null
}

justaugustus commented 1 year ago

(Feel free to tag me and ask questions about resolving some of these.)

justaugustus commented 1 year ago

(Added scorecard scanning in https://github.com/openclarity/functionclarity/pull/84)

lelia commented 1 year ago

This project has been publicly archived. Please visit github.com/openclarity or openclarity.io to discover our other projects!