Open laurentsimon opened 2 years ago
cc @di
filed https://github.com/trailofbits/pip-audit/issues/198 to ask whether they are interested in creating a GitHub action for it.
cc @naveensrinivasan @azeemsgoogle @oliverchang @chrismcgehee
I found an API to check for it for dependabot https://github.com/google/go-github/blob/85425ec5f1e4118be4b578e5b6ad07f9ea32cf5f/github/repos.go#L601
That is cool!
should this be its own check or inside Dependency-Update-Tool?
IMO no. Probably good for discussion.
@rarkins what do we need to do to detect that dep security alerts are enabled in renovatebot?
Dependency security alerts don't need explicit enabling in Renovate Bot repository config. If the bot's token has been granted access to the vulnerabilities feed, then they'll be automatically used. This is currently the case for renovate[bot] but was accidentally missing for forking-renovate[bot] until now; it has now been requested of all org admins.
Thanks. So we'll assume renovatebot has this enabled by default.
This issue is stale because it has been open for 60 days with no activity.
Most package managers have a *-audit tool: pip-audit, cargo-audit, npm-audit, etc. that pull security advisories from public databases (OSV, CVEs, package-specific databases, etc.). Dependabot and renovatebot also have options to alert users when vulnerabilities in their dependencies are disclosed.
It would be useful to capture this in scorecard. This could live under Dependency-Update-Tool (which we could rename to Dependency-Management-Tool).
For commands, we may need to parse commands in the `run` field of GH workflows, as suggested in https://github.com/ossf/scorecard/issues/1031#issuecomment-967352430, unless there is a GitHub action for it. Note that we already parse commands for the Pinned-Dependency check but we have not yet separated out command parsing https://github.com/ossf/scorecard/issues/1220
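As an added illustration of the `run`-field parsing suggested above (example code, not scorecard's own), the sketch below pulls the shell text out of each `run:` step of a workflow file and reports which audit tools are actually executed. The tool list and the sample workflow are constructed for the example, and the scanner is line-based rather than a full YAML parser.

```go
package main
import ("fmt"; "strings")
// Audit commands a Dependency-Management-Tool check could look for; illustrative, not scorecard's.
var auditCommands = []string{"pip-audit", "cargo audit", "npm audit", "yarn audit", "govulncheck"}
// runSteps extracts the shell text of every `run:` step, both `run: cmd` on one line and
// `run: |` followed by an indented block. A small line scanner, not a full YAML parser.
func runSteps(workflow string) []string {
	steps, lines := []string{}, strings.Split(workflow, "\n")
	for i := 0; i < len(lines); i++ {
		k := strings.Index(lines[i], "run:")
		if k < 0 || (k > 0 && lines[i][k-1] != ' ') {
			continue // no `run:` key on this line (`runs-on:` and `dry-run:` do not count)
		}
		value := strings.TrimSpace(lines[i][k+4:])
		if strings.HasPrefix(value, "|") || strings.HasPrefix(value, ">") {
			var block []string // block scalar: collect the lines indented deeper than the key
			for i+1 < len(lines) && (strings.TrimSpace(lines[i+1]) == "" || len(lines[i+1])-len(strings.TrimLeft(lines[i+1], " ")) > k) {
				i++
				block = append(block, strings.TrimSpace(lines[i]))
			}
			value = strings.TrimSpace(strings.Join(block, "\n"))
		}
		steps = append(steps, value)
	}
	return steps
}
// AuditToolsUsed returns the audit tools the run steps actually execute. Compound lines are split
// on &&, ||, | and ;, and the tool must start the command, so `pip install pip-audit` does not count.
func AuditToolsUsed(workflow string) map[string]bool {
	used := map[string]bool{}
	sep := strings.NewReplacer("&&", "\n", "||", "\n", "|", "\n", ";", "\n")
	for _, step := range runSteps(workflow) {
		for _, command := range strings.Split(sep.Replace(step), "\n") {
			words := strings.Join(strings.Fields(command), " ") + " "
			for _, tool := range auditCommands {
				if strings.HasPrefix(words, tool+" ") {
					used[tool] = true
				}
			}
		}
	}
	return used
}
const sampleWorkflow = `steps:
  - run: pip install pip-audit
  - run: |
      pip-audit -r requirements.txt
      cd frontend && npm audit --audit-level=high
` // constructed sample workflow, not taken from any real repository
func main() { fmt.Println(AuditToolsUsed(sampleWorkflow)) } // prints map[npm audit:true pip-audit:true]
```

A real check would additionally have to recognise the tools when they are invoked through a GitHub action or a `uses:` step rather than a shell command.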