ossf / wg-metrics-and-metadata

The purpose of the Metrics & Metadata (formerly Identifying Security Threats) working group is to enable stakeholders to have informed confidence in the security of open source projects. We do this by collecting, curating, and communicating relevant metrics and metadata from open source projects and the ecosystems of which they are a part.
https://openssf.org
Apache License 2.0

Metadata needed by Ortelius #43

Open sbtaylor15 opened 2 months ago

sbtaylor15 commented 2 months ago
| Attribute | Implemented? |
| --- | --- |
| Security Insights Verified | |
| Open Source Project (Y/N) | |
| Open Source Foundation (CNCF, Apache, CDF) | |
| License File | |
| Readme File | |
| OWNERS File | |
| MAINTAINERS File | |
| SECURITY File | |
| Governance Doc | |
| Contributor Doc | |
| Code of Conduct | |
| CLA Required | |
| CLA URL | |
| OpenAPI/Swagger | |
| Repository Access Definitions as Code | |
| Project Contact | |
| Project Website | |
| Project Issue Tracking | |
| Project Documentation | |
| Security Contact | |
| Harassment Reporting Contact | |
| Git Repo 2FA | |
| SCM Repo Type | |
| SCM Repo Url | |
| CodeQL | |
| Dependency Tool (Dependabot, Renovate) | |
| Build SBOM Generation | |
| Post Build SBOM Generation | |
| SBOM File | |
| SBOM Signing | |
| SBOM Signing Method | |
| SBOM Signing Public Key | |
| SBOM Signing Valid | |
| Artifact Publishing Location (PURL) | |
| Artifact Mirrors | |
| Artifact Signing | |
| Artifact Signing Method | |
| Artifact Signing Public Key | |
| Artifact Signing Valid | |
| Provenance | |
| Attestation | |
| SonarQube | |
| VeraCode | |
| Linting (Mega/Super Linters) | |
| SAST | |
| DAST | |
| OpenSSF Scorecard | |
luigigubello commented 2 months ago
| Attribute | Implemented? |
| --- | --- |
| Security Insights Verified | |
| Open Source Project (Y/N) | N |
| Open Source Foundation (CNCF, Apache, CDF) | N |
| License File | Y |
| Readme File | N |
| OWNERS File | No. But you can use core-team. |
| MAINTAINERS File | No. But you can use core-team. |
| SECURITY File | Y |
| Governance Doc | N |
| Contributor Doc | Y |
| Code of Conduct | Y |
| CLA Required | N |
| CLA URL | N |
| OpenAPI/Swagger | You can use documentation. |
| Repository Access Definitions as Code | N (?) |
| Project Contact | Y |
| Project Website | You can use project-url. |
| Project Issue Tracking | N (good idea). |
| Project Documentation | Y |
| Security Contact | Y |
| Harassment Reporting Contact | N |
| Git Repo 2FA | N |
| SCM Repo Type | N |
| SCM Repo Url | N |
| CodeQL | You can use security-testing. |
| Dependency Tool (Dependabot, Renovate) | You can use security-testing. |
| Build SBOM Generation | |
| Post Build SBOM Generation | |
| SBOM File | Y |
| SBOM Signing | |
| SBOM Signing Method | |
| SBOM Signing Public Key | |
| SBOM Signing Valid | |
| Artifact Publishing Location (PURL) | Y |
| Artifact Mirrors | You can use distribution-points. |
| Artifact Signing | |
| Artifact Signing Method | |
| Artifact Signing Public Key | |
| Artifact Signing Valid | |
| Provenance | |
| Attestation | |
| SonarQube | You can use security-testing. |
| VeraCode | You can use security-testing. |
| Linting (Mega/Super Linters) | You can use security-testing. |
| SAST | You can use security-testing. |
| DAST | You can use security-testing. |
| OpenSSF Scorecard | You can use security-testing. |
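The mapping in the reply above can be made mechanical. The following is an added example, not code from Ortelius, the working group, or the Security Insights project: it takes a parsed SECURITY-INSIGHTS.yml (as a YAML loader would return it) and fills in the Ortelius rows that the reply says Security Insights can answer, leaving out the rows marked N. The field paths used (header.project-url, header.license, project-lifecycle.core-team, documentation, distribution-points, security-testing[].tool-type / tool-name, dependencies.sbom) are my reading of the Security Insights v1.0.0 schema and are an assumption to be checked against the published schema; the sample document and its tool-type values are constructed for the example.

```python
"""Fill in Ortelius attribute rows from a parsed SECURITY-INSIGHTS.yml.

Added example, not Ortelius or OpenSSF code. Field paths are assumed from
the Security Insights v1.0.0 schema; verify them against the published
schema before depending on them.
"""
from typing import Any, Optional

# Constructed sample (not a real project's file): the dict a YAML loader such as
# yaml.safe_load would return for a small SECURITY-INSIGHTS.yml.
SAMPLE_INSIGHTS: dict[str, Any] = {
    "header": {
        "schema-version": "1.0.0",
        "project-url": "https://github.com/example-org/example-project",
        "license": "https://github.com/example-org/example-project/blob/main/LICENSE",
    },
    "project-lifecycle": {
        "status": "active",
        "core-team": [
            {"type": "email", "name": "Maintainer One", "value": "one@example.invalid"},
        ],
    },
    "documentation": ["https://example-org.example.invalid/docs"],
    # First entry is treated as the publishing location, the rest as mirrors.
    "distribution-points": [
        "pkg:oci/example-project?repository_url=ghcr.io/example-org",
        "pkg:oci/example-project?repository_url=quay.io/example-org",
    ],
    # tool-type values here are assumed, not taken from the schema's enum.
    "security-testing": [
        {"tool-type": "sast", "tool-name": "CodeQL", "integration": {"ci": True}},
        {"tool-type": "sca", "tool-name": "Dependabot", "integration": {"ci": True}},
        {"tool-type": "other", "tool-name": "OpenSSF Scorecard", "integration": {"ci": True}},
    ],
    "dependencies": {
        "sbom": [
            {"sbom-file": "https://example-org.example.invalid/sbom.spdx.json",
             "sbom-format": "SPDX"},
        ],
    },
}

# Tool names (lower-cased) that answer specific Ortelius rows.
DEPENDENCY_TOOLS = {"dependabot", "renovate"}
LINTERS = {"megalinter", "super-linter"}


def tool_names(insights: dict[str, Any], tool_type: Optional[str] = None) -> list[str]:
    """Lower-cased tool-name of each security-testing entry, optionally of one tool-type."""
    return [
        str(entry.get("tool-name", "")).lower()
        for entry in insights.get("security-testing", [])
        if tool_type is None or entry.get("tool-type") == tool_type
    ]


def ortelius_attributes(insights: dict[str, Any]) -> dict[str, Any]:
    """Return the Ortelius rows that a Security Insights document can populate.

    Rows the thread marked N (governance doc, CLA, issue tracker, 2FA, SCM type/URL,
    harassment contact, foundation) are absent on purpose: nothing in the file
    answers them, so a consumer must source them elsewhere.
    """
    version = str(insights.get("header", {}).get("schema-version", ""))
    if not version.startswith("1."):
        raise ValueError(f"unsupported Security Insights schema-version {version!r}")

    header = insights.get("header", {})
    core_team = insights.get("project-lifecycle", {}).get("core-team", [])
    dist = list(insights.get("distribution-points", []))
    tools = set(tool_names(insights))
    sboms = insights.get("dependencies", {}).get("sbom", [])

    return {
        "License File": "license" in header,
        "MAINTAINERS File": [m.get("name") for m in core_team],
        "Project Website": header.get("project-url"),
        "Project Documentation": list(insights.get("documentation", [])),
        "Artifact Publishing Location (PURL)": dist[0] if dist else None,
        "Artifact Mirrors": dist[1:],
        "SBOM File": [s.get("sbom-file") for s in sboms],
        "CodeQL": "codeql" in tools,
        "Dependency Tool (Dependabot, Renovate)": sorted(tools & DEPENDENCY_TOOLS),
        "SonarQube": "sonarqube" in tools,
        "VeraCode": "veracode" in tools,
        "Linting (Mega/Super Linters)": bool(tools & LINTERS),
        "SAST": bool(tool_names(insights, "sast")),
        "DAST": bool(tool_names(insights, "dast")),
        "OpenSSF Scorecard": "openssf scorecard" in tools,
    }


if __name__ == "__main__":
    for row, value in ortelius_attributes(SAMPLE_INSIGHTS).items():
        print(f"{row}: {value}")
```

The signing rows (SBOM Signing, Artifact Signing, Provenance, Attestation) are left unmapped here as well, since the reply does not name a Security Insights field for them; whether the schema grows one is the open question in this issue.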