ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0

Feature: Assess presence and maintenance of a threat model #2142

Open lyndon160 opened 1 year ago

lyndon160 commented 1 year ago

Is your feature request related to a problem? Please describe.

The scorecard is a useful tool to 1) help maintainers follow best practice, but also 2) provide assurance for users of the software.

Currently threat modeling is not included as a check. The existence and maintenance of a threat model can be considered a best practice. It demonstrates the following:

Describe the solution you'd like

Threat model becomes a new scorecard check. This would assess both a threat model's presence, as well as how frequently it is reviewed/maintained.

Additional context

Whilst I see the addition of threat modeling as a value add, I can see a number of challenges to get the check working smoothly:

Despite these hurdles, I think there's value in agreeing on a file name, and assessing at least the presence of a model.

Happy to help with the implementation of this if it is deemed a worthy feature.
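To make the proposal concrete, here is a sketch of what such a check could look like, written as an added illustration and not taken from the Scorecard code base. It assumes the check is handed a list of repository files with the date of the last commit touching each (the `RepoFile` type stands in for whatever the real repo client provides), that a small set of candidate file names has been agreed (`threatModelNames`), and that a model untouched for `staleAfterDays` has lost its maintenance credit. The scoring split (5 points for presence, up to 5 for recency) and all names are assumptions for this example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
	"time"
)

// Candidate file names accepted as a threat model. These are assumptions for
// this example; the issue notes that a name still has to be agreed on.
var threatModelNames = []string{
	"threat_model.md",
	"threat-model.md",
	"threatmodel.md",
	"threat_model.yaml",
}

const (
	maxScore       = 10  // Scorecard checks score in the range 0..10
	presenceScore  = 5   // assumption: half the score for simply having a model
	staleAfterDays = 365 // assumption: a model untouched for a year earns no maintenance credit
)

// RepoFile is a minimal stand-in for the file metadata a real check would get
// from the repository client (constructed for this example).
type RepoFile struct {
	Path         string    // path within the repository
	LastModified time.Time // time of the last commit that touched the file
}

// ThreatModelResult records what the check found.
type ThreatModelResult struct {
	Found   bool
	Path    string
	AgeDays int
	Score   int
}

// isThreatModelFile matches the base name of a path, case-insensitively,
// against the agreed candidate names, so docs/THREAT_MODEL.md also counts.
func isThreatModelFile(p string) bool {
	base := strings.ToLower(path.Base(p))
	for _, n := range threatModelNames {
		if base == n {
			return true
		}
	}
	return false
}

// maintenanceScore decays linearly from 5 at age 0 to 0 at staleAfterDays.
func maintenanceScore(ageDays int) int {
	s := (maxScore - presenceScore) - ((maxScore-presenceScore)*ageDays)/staleAfterDays
	if s < 0 {
		return 0
	}
	return s
}

// AssessThreatModel returns presence and freshness of the most recently
// modified threat model file in the repository. `now` is injected so the
// result is deterministic and testable.
func AssessThreatModel(files []RepoFile, now time.Time) ThreatModelResult {
	var best *RepoFile
	for i := range files {
		f := &files[i]
		if !isThreatModelFile(f.Path) {
			continue
		}
		if best == nil || f.LastModified.After(best.LastModified) {
			best = f
		}
	}
	if best == nil {
		return ThreatModelResult{Score: 0} // no model: nothing to assess
	}
	age := int(now.Sub(best.LastModified).Hours() / 24)
	return ThreatModelResult{
		Found:   true,
		Path:    best.Path,
		AgeDays: age,
		Score:   presenceScore + maintenanceScore(age),
	}
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	// Constructed sample repository listing.
	sample := []RepoFile{
		{Path: "README.md", LastModified: now},
		{Path: "docs/THREAT_MODEL.md", LastModified: now.AddDate(0, 0, -200)},
	}
	r := AssessThreatModel(sample, now)
	fmt.Printf("found=%v path=%s age=%dd score=%d/%d\n", r.Found, r.Path, r.AgeDays, r.Score, maxScore)
}
```

Splitting the score into presence and recency keeps the two halves of the request separate: a project with an old but existing model still scores above one with none, and the stale threshold is the one knob a maintainer would want to tune.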

lyndon160 commented 1 year ago

The security-insights-spec (OSSF) appears to specify a template for threat modelling, perhaps the scorecard could align to this.

https://github.com/ossf/security-insights-spec/blob/edf5a4fb071510b461f19f3cba38c7339c20e4ae/security-insights-schema-1.0.0.yaml#L185

github-actions[bot] commented 10 months ago

Stale issue message - this issue will be closed in 7 days

github-actions[bot] commented 8 months ago

This issue is stale because it has been open for 60 days with no activity.

github-actions[bot] commented 2 months ago

This issue has been marked stale because it has been open for 60 days with no activity.