2020-10-26 23:22:13 +03:00
# Security Scorecards
2021-01-11 21:14:06 +03:00
2021-01-07 22:40:55 +03:00
![build ](https://github.com/ossf/scorecard/workflows/build/badge.svg?branch=main )
![CodeQL ](https://github.com/ossf/scorecard/workflows/CodeQL/badge.svg?branch=main )
2021-12-28 19:15:49 +03:00
[![Go Report Card ](https://goreportcard.com/badge/github.com/ossf/scorecard )](https://goreportcard.com/report/github.com/ossf/scorecard)
2022-01-20 03:21:32 +03:00
[![codecov ](https://codecov.io/gh/ossf/scorecard/branch/main/graph/badge.svg?token=PMJ6NAN9J3 )](https://codecov.io/gh/ossf/scorecard)
2022-01-27 01:48:28 +03:00
[![Slack ](https://slack.babeljs.io/badge.svg )](https://slack.openssf.org/#security_scorecards)
2020-10-09 17:47:59 +03:00
2022-01-19 21:08:35 +03:00
< img align = "right" src = "artwork/openssf_security_compressed.png" width = "200" height = "400" >
2020-11-06 20:36:23 +03:00
2022-01-19 21:08:35 +03:00
## Overview
2021-09-22 17:05:37 +03:00
2022-01-19 21:08:35 +03:00
- [What Is Scorecards? ](#what-is-scorecards )
- [Prominent Scorecards Users ](#prominent-scorecards-users )
- [Scorecards' Public Data ](#public-data )
2021-09-22 17:05:37 +03:00
## Using Scorecards
2022-01-19 21:08:35 +03:00
- [Scorecards GitHub Action ](#scorecards-github-action )
- [Scorecards Command Line Interface ](#scorecards-command-line-interface )
- [Prerequisites ](#prerequisites )
- [Installation ](#installation )
- [Authentication ](#authentication )
- [Basic Usage ](#basic-usage )
- [Report Problems ](#report-problems )
2021-09-22 17:05:37 +03:00
2022-01-19 21:08:35 +03:00
## Checks
- [Default Scorecards Checks ](#scorecard-checks )
- [Detailed Check Documentation ](docs/checks.md ) (Scoring Criteria, Risks, and
Remediation)
2021-09-22 17:05:37 +03:00
## Contribute
2022-01-19 21:08:35 +03:00
- [Code of Conduct ](CODE_OF_CONDUCT.md )
- [Contribute to Scorecards ](CONTRIBUTING.md )
- [Add a New Check ](checks/write.md )
- [Connect with the Scorecards Community ](#connect-with-the-scorecards-community )
- [Report a Security Issue ](SECURITY.md )
________________________________________________________________________________
________________________________________________________________________________
## Overview
2021-09-22 17:05:37 +03:00
### What is Scorecards?
2020-10-09 21:28:31 +03:00
2022-01-19 21:08:35 +03:00
We created Scorecards to give consumers of open-source projects an easy way to
judge whether their dependencies are safe.
2021-08-26 23:53:40 +03:00
2022-01-19 21:08:35 +03:00
Scorecards is an automated tool that assesses a number of important heuristics
[("checks") ](#scorecard-checks ) associated with software security and assigns
each check a score of 0-10. You can use these scores to understand specific
areas to improve in order to strengthen the security posture of your project.
You can also assess the risks that dependencies introduce, and make informed
decisions about accepting these risks, evaluating alternative solutions, or
working with the maintainers to make improvements.
2021-08-26 23:53:40 +03:00
2022-01-19 21:08:35 +03:00
The inspiration for Scorecards’ logo:
["You passed! All D's ... and an A!" ](https://youtu.be/rDMMYT3vkTk )
2020-10-09 20:39:00 +03:00
2021-09-22 17:05:37 +03:00
#### Project Goals
2021-01-05 03:47:02 +03:00
2021-06-17 07:05:46 +03:00
1. Automate analysis and trust decisions on the security posture of open source
projects.
2020-10-09 20:39:00 +03:00
2021-06-17 07:05:46 +03:00
1. Use this data to proactively improve the security posture of the critical
projects the world depends on.
2020-11-12 21:26:38 +03:00
2021-10-26 01:06:53 +03:00
### Prominent Scorecards Users
2022-01-19 21:08:35 +03:00
Scorecards has been run on thousands of projects to monitor and track security
metrics. Prominent projects that use Scorecards include:
2021-10-26 01:06:53 +03:00
2022-01-19 21:08:35 +03:00
- [sos.dev ](https://sos.dev )
- [deps.dev ](https://deps.dev )
- [metrics.openssf.org ](https://metrics.openssf.org )
2020-11-12 21:26:38 +03:00
2022-01-14 23:46:30 +03:00
### Public Data
2022-01-19 21:08:35 +03:00
We run a weekly Scorecards scan of the 1 million most critical open source
projects judged by their direct dependencies and publish the results in a
2022-01-14 23:46:30 +03:00
[BigQuery public dataset ](https://cloud.google.com/bigquery/public-data ).
This data is available in the public BigQuery dataset
`openssf:scorecardcron.scorecard-v2` . The latest results are available in the
BigQuery view `openssf:scorecardcron.scorecard-v2_latest` .
You can extract the latest results to Google Cloud storage in JSON format using
the [`bq` ](https://cloud.google.com/bigquery/docs/bq-command-line-tool ) tool:
```
# Get the latest PARTITION_ID
bq query --nouse_legacy_sql 'SELECT partition_id FROM
openssf.scorecardcron.INFORMATION_SCHEMA.PARTITIONS WHERE table_name="scorecard-v2"
AND partition_id!="__NULL__" ORDER BY partition_id DESC
LIMIT 1'
# Extract to GCS
bq extract --destination_format=NEWLINE_DELIMITED_JSON
'openssf:scorecardcron.scorecard-v2$< partition_id > ' gs://bucket-name/filename-*.json
```
The list of projects that are checked is available in the
[`cron/data/projects.csv` ](https://github.com/ossf/scorecard/blob/main/cron/data/projects.csv )
file in this repository. If you would like us to track more, please feel free to
2022-01-19 21:08:35 +03:00
send a Pull Request with others. Currently, this list is derived from **projects
hosted on GitHub ONLY**. We do plan to expand them in near future to account for
projects hosted on other source control systems.
2022-01-14 23:46:30 +03:00
2021-09-22 17:05:37 +03:00
## Using Scorecards
2022-01-19 21:08:35 +03:00
2022-01-14 23:46:30 +03:00
### Scorecards GitHub Action
2022-01-19 21:08:35 +03:00
The easiest way to use Scorecards on GitHub projects you own is with the
[Scorecards GitHub Action ](https://github.com/ossf/scorecard-action ). The Action
runs on any repository change and issues alerts that maintainers can view in the
repository’ s Security tab. For more information, see the Scorecards GitHub
Action
[installation instructions ](https://github.com/ossf/scorecard-action#installation ).
2020-11-12 21:26:38 +03:00
2022-01-14 23:46:30 +03:00
### Scorecards Command Line Interface
2022-01-19 21:08:35 +03:00
To run a Scorecards scan on projects you do not own, use the command line
interface installation option.
2022-01-14 23:46:30 +03:00
#### Prerequisites
2020-11-12 21:26:38 +03:00
2022-01-19 21:08:35 +03:00
Platforms: Currently, Scorecards supports OSX and Linux platforms. If you are
using a Windows OS you may experience issues. Contributions towards supporting
Windows are welcome.
2020-10-09 17:47:59 +03:00
2022-01-19 21:08:35 +03:00
Language: You must have GoLang installed to run Scorecards
(https://golang.org/doc/install)
2021-09-22 17:05:37 +03:00
2022-01-14 23:46:30 +03:00
#### Installation
2021-10-15 22:10:36 +03:00
2022-01-14 23:46:30 +03:00
##### Standalone
2021-12-08 22:51:00 +03:00
To install Scorecards as a standalone:
2021-10-15 22:10:36 +03:00
2022-01-19 21:08:35 +03:00
1. Visit our latest
[release page ](https://github.com/ossf/scorecard/releases/latest ) and
download the correct binary for your operating system
2. Extract the binary file
3. Add the binary to your `GOPATH/bin` directory (use `go env GOPATH` to
identify your directory if necessary)
2021-10-15 22:10:36 +03:00
2022-01-14 23:46:30 +03:00
##### Using Homebrew
2021-12-08 22:51:00 +03:00
2022-01-19 21:08:35 +03:00
You can use [Homebrew ](https://brew.sh/ ) (on macOS or Linux) to install
Scorecards.
2021-12-08 22:51:00 +03:00
```sh
brew install scorecard
```
2022-01-14 23:46:30 +03:00
#### Using Linux package managers
2021-12-08 22:51:00 +03:00
2022-01-19 21:08:35 +03:00
Package Manager | Linux Distribution | Command
---------------------------------------------------------- | ------------------ | -------
Nix | NixOS | `nix-env -iA nixpkgs.scorecard`
[AUR helper ](https://wiki.archlinux.org/title/AUR_helpers ) | Arch Linux | Use your AUR helper to install `scorecard`
2021-12-08 22:51:00 +03:00
2022-01-14 23:46:30 +03:00
#### Authentication
2021-08-24 03:12:03 +03:00
2022-01-19 21:08:35 +03:00
GitHub imposes [api rate limits ](https://developer.github.com/v3/#rate-limiting )
on unauthenticated requests. To avoid these limits, you must authenticate your
requests before running Scorecard. There are two ways to authenticate your
requests: either create a GitHub personal access token, or create a GitHub App
Installation.
2021-08-24 03:12:03 +03:00
2022-01-19 21:08:35 +03:00
- [Create a GitHub personal access token ](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token ).
When creating the personal access token, we suggest you choose the
`public_repo` scope. Set the token in an environment variable called
`GITHUB_AUTH_TOKEN` , `GITHUB_TOKEN` , `GH_AUTH_TOKEN` or `GH_TOKEN` using the
commands below according to your platform.
2021-08-24 03:12:03 +03:00
```shell
# For posix platforms, e.g. linux, mac:
export GITHUB_AUTH_TOKEN=< your access token >
# Multiple tokens can be provided separated by comma to be utilized
# in a round robin fashion.
export GITHUB_AUTH_TOKEN=< your access token1 > ,< your access token2 >
# For windows:
set GITHUB_AUTH_TOKEN=< your access token >
set GITHUB_AUTH_TOKEN=< your access token1 > ,< your access token2 >
```
2022-01-19 21:08:35 +03:00
OR
2021-12-13 21:08:19 +03:00
2022-01-19 21:08:35 +03:00
- [Create a GitHub App Installation ](https://docs.github.com/en/developers/apps/building-github-apps/creating-a-github-app )
for higher rate-limit quotas. If you have an installed GitHub App and key
file, you can use the three environment variables below, following the
commands (`set` or `export` ) shown above for your platform.
2021-08-24 03:12:03 +03:00
```
GITHUB_APP_KEY_PATH=< path to the key file on disk >
GITHUB_APP_INSTALLATION_ID=< installation id >
GITHUB_APP_ID=< app id >
```
2021-09-08 18:22:25 +03:00
These variables can be obtained from the GitHub
2021-08-24 03:12:03 +03:00
[developer settings ](https://github.com/settings/apps ) page.
2022-01-14 23:46:30 +03:00
#### Basic Usage
2022-01-19 21:08:35 +03:00
2022-01-14 23:46:30 +03:00
##### Docker
2021-07-16 20:18:42 +03:00
`scorecard` is available as a Docker container:
The `GITHUB_AUTH_TOKEN` has to be set to a valid [token ](#Authentication )
2021-07-29 23:58:36 +03:00
```shell
2021-08-18 18:41:20 +03:00
docker run -e GITHUB_AUTH_TOKEN=token gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/ossf/scorecard
2021-07-16 20:18:42 +03:00
```
2021-12-31 21:53:27 +03:00
To use a specific scorecards version (e.g., v3.2.1), run:
```shell
docker run -e GITHUB_AUTH_TOKEN=token gcr.io/openssf/scorecard:v3.2.1 --show-details --repo=https://github.com/ossf/scorecard
```
2022-01-14 23:46:30 +03:00
##### Using repository URL
2021-06-17 07:05:46 +03:00
2021-09-08 18:22:25 +03:00
Scorecards can run using just one argument, the URL of the target repo:
2020-10-09 17:47:59 +03:00
```shell
2021-08-26 00:02:23 +03:00
$ scorecard --repo=github.com/ossf-tests/scorecard-check-branch-protection-e2e
Starting [CII-Best-Practices]
2020-10-16 17:54:29 +03:00
Starting [Fuzzing]
2021-08-26 00:02:23 +03:00
Starting [Pinned-Dependencies]
Starting [CI-Tests]
Starting [Maintained]
2021-06-29 22:02:12 +03:00
Starting [Packaging]
2021-08-26 00:02:23 +03:00
Starting [SAST]
Starting [Dependency-Update-Tool]
2021-06-29 22:02:12 +03:00
Starting [Token-Permissions]
Starting [Security-Policy]
2021-08-26 00:02:23 +03:00
Starting [Signed-Releases]
2021-06-29 22:02:12 +03:00
Starting [Binary-Artifacts]
2021-08-26 00:02:23 +03:00
Starting [Branch-Protection]
Starting [Code-Review]
Starting [Contributors]
Starting [Vulnerabilities]
2021-06-29 22:02:12 +03:00
Finished [CI-Tests]
2021-08-26 00:02:23 +03:00
Finished [Maintained]
2021-01-15 19:29:07 +03:00
Finished [Packaging]
2021-08-26 00:02:23 +03:00
Finished [SAST]
Finished [Signed-Releases]
Finished [Binary-Artifacts]
Finished [Branch-Protection]
Finished [Code-Review]
Finished [Contributors]
Finished [Dependency-Update-Tool]
2021-06-29 22:02:12 +03:00
Finished [Token-Permissions]
2021-01-15 19:29:07 +03:00
Finished [Security-Policy]
2021-08-26 00:02:23 +03:00
Finished [Vulnerabilities]
Finished [CII-Best-Practices]
2021-06-29 22:02:12 +03:00
Finished [Fuzzing]
2021-08-26 00:02:23 +03:00
Finished [Pinned-Dependencies]
2020-10-09 18:26:43 +03:00
RESULTS
-------
2021-09-30 20:47:35 +03:00
Aggregate score: 7.9 / 10
Check scores:
2021-08-26 00:02:23 +03:00
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| SCORE | NAME | REASON | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 9 / 10 | Branch-Protection | branch protection is not | github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection |
| | | maximal on development and all | |
| | | release branches | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| ? | CI-Tests | no pull request found | github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10 | CII-Best-Practices | no badge found | github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 10 / 10 | Code-Review | branch protection for default | github.com/ossf/scorecard/blob/main/docs/checks.md#code-review |
| | | branch is enabled | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10 | Contributors | 0 different companies found -- | github.com/ossf/scorecard/blob/main/docs/checks.md#contributors |
| | | score normalized to 0 | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10 | Dependency-Update-Tool | no update tool detected | github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10 | Fuzzing | project is not fuzzed in | github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing |
| | | OSS-Fuzz | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 1 / 10 | Maintained | 2 commit(s) found in the last | github.com/ossf/scorecard/blob/main/docs/checks.md#maintained |
| | | 90 days -- score normalized to | |
| | | 1 | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| ? | Packaging | no published package detected | github.com/ossf/scorecard/blob/main/docs/checks.md#packaging |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 8 / 10 | Pinned-Dependencies | unpinned dependencies detected | github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies |
| | | -- score normalized to 8 | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10 | SAST | no SAST tool detected | github.com/ossf/scorecard/blob/main/docs/checks.md#sast |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10 | Security-Policy | security policy file not | github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy |
| | | detected | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| ? | Signed-Releases | no releases found | github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 10 / 10 | Token-Permissions | tokens are read-only in GitHub | github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions |
| | | workflows | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities | no vulnerabilities detected | github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
2021-06-29 22:02:12 +03:00
```
2022-01-19 21:08:35 +03:00
2022-01-14 23:46:30 +03:00
##### Scoring
2021-09-30 20:47:35 +03:00
2022-01-19 21:08:35 +03:00
Each individual check returns a score of 0 to 10, with 10 representing the best
possible score. Scorecards also produces an aggregate score, which is a
weight-based average of the individual checks weighted by risk.
* “Critical” risk checks are weighted at 10
* “High” risk checks are weighted at 7.5
* “Medium” risk checks are weighted at 5
* “Low” risk checks are weighted at 2.5
See the [list of current Scorecards checks ](#scorecard-checks ) for each check's
risk level.
2021-09-30 20:47:35 +03:00
2022-01-19 21:08:35 +03:00
##### Showing Detailed Results
2021-06-29 22:02:12 +03:00
2021-09-30 20:47:35 +03:00
For more details about why a check fails, use the `--show-details` option:
2021-07-29 23:58:36 +03:00
2021-06-29 22:02:12 +03:00
```
2021-08-26 00:02:23 +03:00
./scorecard --repo=github.com/ossf-tests/scorecard-check-branch-protection-e2e --checks Branch-Protection --show-details
Starting [Pinned-Dependencies]
Finished [Pinned-Dependencies]
RESULTS
-------
|---------|------------------------|--------------------------------|--------------------------------|---------------------------------------------------------------------------|
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|--------------------------------|---------------------------------------------------------------------------|
| 9 / 10 | Branch-Protection | branch protection is not | Info: 'force pushes' disabled | github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection |
| | | maximal on development and all | on branch 'main' Info: 'allow | |
| | | release branches | deletion' disabled on branch | |
| | | | 'main' Info: linear history | |
| | | | enabled on branch 'main' Info: | |
| | | | strict status check enabled | |
| | | | on branch 'main' Warn: status | |
| | | | checks for merging have no | |
| | | | specific status to check on | |
| | | | branch 'main' Info: number | |
| | | | of required reviewers is 2 | |
| | | | on branch 'main' Info: Stale | |
| | | | review dismissal enabled on | |
| | | | branch 'main' Info: Owner | |
| | | | review required on branch | |
| | | | 'main' Info: 'admininistrator' | |
| | | | PRs need reviews before being | |
| | | | merged on branch 'main' | |
|---------|------------------------|--------------------------------|--------------------------------|---------------------------------------------------------------------------|
2020-10-09 17:47:59 +03:00
```
2022-01-14 23:46:30 +03:00
##### Using a Package manager
2021-02-02 19:29:31 +03:00
2022-01-19 21:08:35 +03:00
For projects in the `--npm` , `--pypi` , or `--rubygems` ecosystems, you have the
option to run Scorecards using a package manager. Provide the package name to
run the checks on the corresponding GitHub source code.
2021-03-01 19:21:20 +03:00
2021-09-22 17:05:37 +03:00
For example, `--npm=angular` .
2021-02-02 19:29:31 +03:00
2022-01-14 23:46:30 +03:00
##### Running specific checks
2021-03-13 01:57:44 +03:00
2021-09-08 18:22:25 +03:00
To run only specific check(s), add the `--checks` argument with a list of check
2021-06-17 07:05:46 +03:00
names.
2021-03-13 01:57:44 +03:00
2021-06-17 07:05:46 +03:00
For example, `--checks=CI-Tests,Code-Review` .
2021-02-22 20:18:28 +03:00
2022-01-14 23:46:30 +03:00
##### Formatting Results
2020-10-14 22:42:05 +03:00
2021-06-17 07:05:46 +03:00
There are three formats currently: `default` , `json` , and `csv` . Others may be
added in the future.
2020-10-09 17:47:59 +03:00
2021-09-22 17:05:37 +03:00
These may be specified with the `--format` flag. For example, `--format=json` .
2020-10-09 17:47:59 +03:00
2022-01-14 23:46:30 +03:00
#### Report Problems
2020-10-09 17:47:59 +03:00
2021-09-22 17:05:37 +03:00
If you have what looks like a bug, please use the
2022-01-19 21:08:35 +03:00
[Github issue tracking system. ](https://github.com/ossf/scorecard/issues ) Before
you file an issue, please search existing issues to see if your issue is already
covered.
2021-09-22 17:05:37 +03:00
## Checks
2022-01-19 21:08:35 +03:00
2021-09-22 17:05:37 +03:00
### Scorecard Checks
2020-11-05 23:27:10 +03:00
2021-09-22 17:05:37 +03:00
The following checks are all run against the target project by default:
2021-01-05 20:32:06 +03:00
2022-01-19 21:08:35 +03:00
Name | Description | Risk Level
--------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------
[Binary-Artifacts ](docs/checks.md#binary-artifacts ) | Is the project free of checked-in binaries? | High
[Branch-Protection ](docs/checks.md#branch-protection ) | Does the project use [Branch Protection ](https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/about-protected-branches ) ? | High
[CI-Tests ](docs/checks.md#ci-tests ) | Does the project run tests in CI, e.g. [GitHub Actions ](https://docs.github.com/en/free-pro-team@latest/actions ), [Prow ](https://github.com/kubernetes/test-infra/tree/master/prow )? | Low
[CII-Best-Practices ](docs/checks.md#cii-best-practices ) | Does the project have a [CII Best Practices Badge ](https://bestpractices.coreinfrastructure.org/en )? | Low
[Code-Review ](docs/checks.md#code-review ) | Does the project require code review before code is merged? | High
[Contributors ](docs/checks.md#contributors ) | Does the project have contributors from at least two different organizations? | Low
[Dangerous-Workflow ](docs/checks.md#dangerous-workflow ) | Does the project avoid dangerous coding patterns in GitHub Action workflows? | Critical
[Dependency-Update-Tool ](docs/checks.md#dependency-update-tool ) | Does the project use tools to help update its dependencies? | High
[Fuzzing ](docs/checks.md#fuzzing ) | Does the project use fuzzing tools, e.g. [OSS-Fuzz ](https://github.com/google/oss-fuzz )? | Medium
[License ](docs/checks.md#license ) | Does the project declare a license? | Low
[Maintained ](docs/checks.md#maintained ) | Is the project maintained? | High
[Pinned-Dependencies ](docs/checks.md#pinned-dependencies ) | Does the project declare and pin [dependencies ](https://docs.github.com/en/free-pro-team@latest/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems )? | Medium
[Packaging ](docs/checks.md#packaging ) | Does the project build and publish official packages from CI/CD, e.g. [GitHub Publishing ](https://docs.github.com/en/free-pro-team@latest/actions/guides/about-packaging-with-github-actions#workflows-for-publishing-packages ) ? | Medium
[SAST ](docs/checks.md#sast ) | Does the project use static code analysis tools, e.g. [CodeQL ](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions ), [LGTM ](https://lgtm.com ), [SonarCloud ](https://sonarcloud.io )? | Medium
[Security-Policy ](docs/checks.md#security-policy ) | Does the project contain a [security policy ](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository )? | Medium
[Signed-Releases ](docs/checks.md#signed-releases ) | Does the project cryptographically [sign releases ](https://wiki.debian.org/Creating%20signed%20GitHub%20releases )? | High
[Token-Permissions ](docs/checks.md#token-permissions ) | Does the project declare GitHub workflow tokens as [read only ](https://docs.github.com/en/actions/reference/authentication-in-a-workflow )? | High
[Vulnerabilities ](docs/checks.md#vulnerabilities ) | Does the project have unfixed vulnerabilities? Uses the [OSV service ](https://osv.dev ). | High
2021-09-22 17:05:37 +03:00
### Detailed Checks Documentation
2022-01-19 21:08:35 +03:00
To see detailed information about each check, its scoring criteria, and
remediation steps, check out the [checks documentation page ](docs/checks.md ).
2021-06-17 07:05:46 +03:00
2021-09-22 17:05:37 +03:00
## Contribute
2022-01-19 21:08:35 +03:00
2021-09-22 17:05:37 +03:00
### Code of Conduct
2022-01-19 21:08:35 +03:00
2021-10-19 22:14:11 +03:00
Before contributing, please follow our [Code of Conduct ](CODE_OF_CONDUCT.md ).
2021-06-05 00:47:45 +03:00
2021-09-22 17:05:37 +03:00
### Contribute to Scorecards
2022-01-19 21:08:35 +03:00
2021-09-22 17:05:37 +03:00
See the [Contributing ](CONTRIBUTING.md ) documentation for guidance on how to
contribute to the project.
2021-06-05 00:47:45 +03:00
2021-09-22 17:05:37 +03:00
### Adding a Scorecard Check
2021-06-05 00:47:45 +03:00
2021-09-22 17:05:37 +03:00
If you'd like to add a check, please see guidance [here ](checks/write.md ).
2021-01-05 16:45:15 +03:00
2021-09-22 17:05:37 +03:00
### Connect with the Scorecards Community
2020-11-05 23:27:10 +03:00
2022-01-19 21:08:35 +03:00
If you want to get involved in the Scorecards community or have ideas you'd like
to chat about, we discuss this project in the
2021-06-17 07:05:46 +03:00
[OSSF Best Practices Working Group ](https://github.com/ossf/wg-best-practices-os-developers )
meetings.
2021-06-05 00:47:45 +03:00
2022-01-19 21:08:35 +03:00
Artifact | Link
----------------------------- | ----
Scorecard Dev Forum | [ossf-scorecard-dev@ ](https://groups.google.com/g/ossf-scorecard-dev )
Scorecard Announcements Forum | [ossf-scorecard-announce@ ](https://groups.google.com/g/ossf-scorecard-announce )
Community Meeting VC | [Link to z o o m meeting ](https://zoom.us/j/98835923979 )
Community Meeting Calendar | Biweekly mondays, 3:30pm-4:30pm PST < br > [Calendar](https://calendar.google.com/calendar?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ)
Meeting Notes | [Notes ](https://docs.google.com/document/d/1dB2U7_qZpNW96vtuoG7ShmgKXzIg6R5XT5Tc-0yz6kE/edit#heading=h.4k8ml0qkh7tl )
Slack Channel | [#security_scorecards ](https://slack.openssf.org/#security_scorecards )
| Facilitators | Company | Profile
---------------------------------------------------------------- | ----------------- | ------- | -------
2022-01-27 01:48:28 +03:00
< img width = "30px" src = "https://github.com/azeemshaikh38.png" > | Azeem Shaikh | Google | [azeemshaikh38 ](https://github.com/azeemshaikh38 )
2022-01-19 21:08:35 +03:00
< img width = "30px" src = "https://github.com/laurentsimon.png" > | Laurent Simon | Google | [laurentsimon ](https://github.com/laurentsimon )
< img width = "30px" src = "https://github.com/naveensrinivasan.png" > | Naveen Srinivasan | | [naveensrinivasan ](https://github.com/naveensrinivasan )
< img width = "30px" src = "https://github.com/chrismcgehee.png" > | Chris McGehee | Datto | [chrismcgehee ](https://github.com/chrismcgehee )
2022-01-27 01:48:28 +03:00
< img width = "30px" src = "https://github.com/justaugustus.png" > | Justin Augustus | Cisco | [justaugustus ](https://github.com/justaugutus )
2021-06-05 00:47:45 +03:00
2021-09-22 17:05:37 +03:00
### Report a Security Issue
2022-01-19 21:08:35 +03:00
2021-10-19 22:14:11 +03:00
To report a security issue, please follow instructions [here ](SECURITY.md ).