Improve Score Reporting: Deps-Update-Tool should check for tool activity

ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source

https://scorecard.dev

Apache License 2.0

4.47k stars 489 forks source link

Improve Score Reporting: Deps-Update-Tool should check for tool activity #2165

Open azeemshaikh38 opened 2 years ago

azeemshaikh38 commented 2 years ago

Is looking for the presence of a config enough of an evidence to rate a repository at 10? Should we maybe tighten this check a bit more and make sure that there have been recent commits by these tools?

laurentsimon commented 2 years ago

I think we used to have a tracking issue for this - I can't find it so maybe not :) One reason we postponed implementation was because it's not clear how often a PR could be expected to be merged. This depends on repo activity, for example. Since scorecard checks for 30 commits, there is a risk that the results would oscillate between different scores, depending on whether we find a PR or not.

github-actions[bot] commented 5 months ago

This issue has been marked stale because it has been open for 60 days with no activity.

justaugustus commented 4 months ago

Consider how this interacts with bug report in https://github.com/ossf/scorecard/issues/2845

github-actions[bot] commented 2 months ago

This issue has been marked stale because it has been open for 60 days with no activity.