Clarify SCA-5 is about tool-based analysis

ossf / s2c2f

The S2C2F Project is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer’s workflow.

Other

167 stars 23 forks source link

Clarify SCA-5 is about tool-based analysis #53

Closed joshuagl closed 1 month ago

joshuagl commented 2 months ago

From the discussion in issue #48:

SCA-5 is about running tools to search for yet-to-be-discovered security issues.

Attempt to bring greater clarity to the requirement by changing the title and described benefits.

Fixes: #48