ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0

Feature: Probe whether repo has up-to-date CODEOWNERS #3931

Open raghavkaul opened 5 months ago

raghavkaul commented 5 months ago

Scorecard should have a probe for whether users in a CODEOWNERS file are still members of the org that the repo belongs to. An up-to-date CODEOWNERS file makes it easier for a contributor to know who can help with a PR or a question about the project. This could use the "Get Organization membership for user" API (which requires a PAT).

Might be a good fit for either the Contributors or Maintained checks.

References:

spencerschrock commented 5 months ago

Might be a good fit for either the Contributors or Maintained checks.

It may be better to have an "OSPO" focused category for these sorts of admin-required checks (like Webhooks).

whether users in a CODEOWNERS file are still members of the org that the repo belongs to

Note: I think this makes an assumption about no external collaborators. I'm guessing the GitHub OSPO didn't have these sorts of scenarios.
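The probe proposed in the opening comment, written so that the external-collaborator case raised above is not flagged as stale, as an added Go example that is not Scorecard's code; the Membership lookup signature is an assumption standing in for the "Get Organization membership for user" API call, and the CODEOWNERS text in the test is constructed.

```go
package main

import (
	"bufio"
	"strings"
)

// ParseCodeowners returns the distinct owner tokens (@user, @org/team or email)
// from CODEOWNERS text, skipping blank and comment lines; the first field on
// each line is the path pattern and is not an owner.
func ParseCodeowners(text string) []string {
	var owners []string
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		for _, f := range strings.Fields(line)[1:] {
			if !seen[f] {
				seen[f] = true
				owners = append(owners, f)
			}
		}
	}
	return owners
}

// Membership stands in for the "Get Organization membership for user" lookup
// (assumed signature; a real probe calls the GitHub API with a PAT) and also
// reports whether the login is an outside collaborator on the repository.
type Membership func(login string) (member, outsideCollaborator bool)

// StaleOwners returns plain @user logins that are neither org members nor
// outside collaborators. Teams (@org/team) and email owners are skipped,
// and outside collaborators are deliberately not flagged as stale.
func StaleOwners(owners []string, lookup Membership) []string {
	var stale []string
	for _, o := range owners {
		if !strings.HasPrefix(o, "@") || strings.Contains(o, "/") {
			continue
		}
		login := strings.TrimPrefix(o, "@")
		if member, collab := lookup(login); !member && !collab {
			stale = append(stale, login)
		}
	}
	return stale
}
```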

schaeferka commented 4 months ago

I'm interested in this issue. I'm here at OpenSSF.

wbeckler commented 4 months ago

Is there a way to tell whether a repo or org is enforcing org membership for maintainer activities? Maybe the check ignores org membership where it's not enforced.

spencerschrock commented 3 months ago

Duplicate of #1554

(trying to do some issue bookkeeping)

raghavkaul commented 1 month ago

Users listed in the CODEOWNERS file should also be listed as contributors/maintainers, informing either the Contributors or Maintained check.