Open
I mentioned to @yuvilio (via email) that we would be striving towards maxing out OpenSSF Scorecard.
Let's be sure that while resolving #147 (specifically the deps automerge), those principles are respected (inlined for convenience):
| Name | Description | Risk Level | Token Required | Note |
|---|---|---|---|---|
| Binary-Artifacts | Is the project free of checked-in binaries? | High | PAT, GITHUB_TOKEN | |
| Branch-Protection | Does the project use Branch Protection? | High | PAT (`repo` or `repo> public_repo`), GITHUB_TOKEN | certain settings are only supported with a maintainer PAT |
| CI-Tests | Does the project run tests in CI, e.g. GitHub Actions, Prow? | Low | PAT, GITHUB_TOKEN | |
| CII-Best-Practices | Does the project have an OpenSSF (formerly CII) Best Practices Badge? | Low | PAT, GITHUB_TOKEN | |
| Code-Review | Does the project require code review before code is merged? | High | PAT, GITHUB_TOKEN | |
| Contributors | Does the project have contributors from at least two different organizations? | Low | PAT, GITHUB_TOKEN | |
| Dangerous-Workflow | Does the project avoid dangerous coding patterns in GitHub Action workflows? | Critical | PAT, GITHUB_TOKEN | |
| Dependency-Update-Tool | Does the project use tools to help update its dependencies? | High | PAT, GITHUB_TOKEN | |
| Fuzzing | Does the project use fuzzing tools, e.g. OSS-Fuzz? | Medium | PAT, GITHUB_TOKEN | |
| License | Does the project declare a license? | Low | PAT, GITHUB_TOKEN | |
| Maintained | Is the project at least 90 days old, and maintained? | High | PAT, GITHUB_TOKEN | |
| Pinned-Dependencies | Does the project declare and pin dependencies? | Medium | PAT, GITHUB_TOKEN | |
| Packaging | Does the project build and publish official packages from CI/CD, e.g. GitHub Publishing? | Medium | PAT, GITHUB_TOKEN | |
| SAST | Does the project use static code analysis tools, e.g. CodeQL, LGTM (deprecated), SonarCloud? | Medium | PAT, GITHUB_TOKEN | |
| Security-Policy | Does the project contain a security policy? | Medium | PAT, GITHUB_TOKEN | |
| Signed-Releases | Does the project cryptographically sign releases? | High | PAT, GITHUB_TOKEN | |
| Token-Permissions | Does the project declare GitHub workflow tokens as read only? | High | PAT, GITHUB_TOKEN | |
| Vulnerabilities | Does the project have unfixed vulnerabilities? Uses the OSV service. | High | PAT, GITHUB_TOKEN | |
| Webhooks | Does the webhook defined in the repository have a token configured to authenticate the origins of requests? | High | maintainer PAT (`admin: repo_hook` or `admin> read:repo_hook`) doc | EXPERIMENTAL |
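As an added example (not code from this issue or the project), here is what a deps automerge workflow that respects the Token-Permissions, Pinned-Dependencies and Dangerous-Workflow checks above could look like. It assumes Dependabot opens the update PRs and that the `dependabot/fetch-metadata` action is used; the action's commit SHA and tag are placeholders for values the maintainer resolves.

```yaml
# Added example, not the project's own workflow. Assumes Dependabot-driven
# dependency updates; <FULL-COMMIT-SHA> and vX.Y.Z are placeholders.
name: dependabot-automerge

on:
  pull_request:          # Dangerous-Workflow: plain pull_request, not
                         # pull_request_target, so PR code never runs with
                         # a write-capable token.

permissions:
  contents: read         # Token-Permissions: workflow-level token is read-only.

jobs:
  automerge:
    # Only Dependabot's own PRs are candidates for automerge.
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      contents: write          # Escalate only in this job, and only to what
      pull-requests: write     # `gh pr merge` needs.
    steps:
      # Pinned-Dependencies: the action is referenced by full commit SHA; the tag
      # stays as a trailing comment so Dependabot can keep the pin current.
      - name: Fetch Dependabot metadata
        id: meta
        uses: dependabot/fetch-metadata@<FULL-COMMIT-SHA>  # vX.Y.Z (placeholder)
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Dangerous-Workflow: PR-controlled data reaches the shell only through an
      # environment variable, never by interpolating ${{ ... }} into `run:`.
      - name: Enable auto-merge for patch and minor updates
        if: >-
          steps.meta.outputs.update-type == 'version-update:semver-patch' ||
          steps.meta.outputs.update-type == 'version-update:semver-minor'
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh pr merge --auto --squash "$PR_URL"
```

`gh pr merge --auto` only queues the merge; the PR still waits for whatever branch protection requires, so the Branch-Protection and Code-Review checks keep gating the actual merge (the repository's "allow auto-merge" setting must be enabled for this to work).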