Open david-a-wheeler opened 1 year ago
Note that the Hipcheck team are interested in this: https://github.com/mitre/hipcheck/commit/43723903d66cd722c3d7e25265fdcc29b98b537d
This issue is stale because it has been open for 60 days with no activity.
In October I briefly looked at MITRE's Hipcheck v3.1.0-alpha.0 and tried to map it to an existing Scorecard check. The understanding of Hipcheck analyses comes from their documentation summary here.
These analyses don’t have a comparable check in Scorecard. Some could be implemented now, some require better git support in Scorecard, and some would be API intensive but doable.
These analyses do similar things to a Scorecard check, but the semantics differ.
These analyses are generally a direct match to an existing Scorecard check. While there may be some differences in detection or scoring, these are already considered part of Scorecard.
@spencerschrock @afmarcum and others: From our Jan 25 meeting, we said we'd close this one as it's "already done."
I imagine there may be derivative issues and/or PRs generated eventually from this.
I think any relevant derivative issues would still need to be opened first, based on the analysis.
Is your feature request related to a problem? Please describe.
MITRE's hipcheck attempts to analyze OSS to measure security, with a concept similar to Scorecard. I expect that hipcheck has some capabilities not currently in Scorecard.
Describe the solution you'd like
Review of hipcheck criteria and code to see what can be gleaned from it. hipcheck is released under Apache-2.0.