1.Add the check Dangerous-Workflow

2.Fix the typo of rubygems
2024-11-04 03:52:31 +03:00 · 2021-11-27 14:58:19 +08:00 · 2021-11-27 14:58:19 +08:00 · 6a7e314c37
commit 6a7e314c37
parent f9b9773e2f
2 changed files with 3 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -230,6 +230,7 @@ Tests that are rated as “High” risk are:
 * Signed-Releases
 * Token-Permissions
 * Vulnerabilities
+* Dangerous-Workflow

 Tests that are rated as “Medium” risk are:
 * Fuzzing
@ -356,6 +357,7 @@ CI-Tests                    | Does the project run tests in CI, e.g. [GitHub Act
 CII-Best-Practices          | Does the project have a [CII Best Practices Badge](https://bestpractices.coreinfrastructure.org/en)?
 Code-Review                 | Does the project require code review before code is merged?
 Contributors                | Does the project have contributors from at least two different organizations?
+Dangerous-Workflow          | Does the project have GitHub Action workflows avoid dangerous patterns?
 Dependency-Update-Tool      | Does the project use tools to help update its dependencies?
 Fuzzing                     | Does the project use fuzzing tools, e.g. [OSS-Fuzz](https://github.com/google/oss-fuzz)?
 Maintained                  | Is the project maintained?
--- a/cmd/root.go
+++ b/cmd/root.go
@ -72,7 +72,7 @@ const (
 const (
 	scorecardLong = "A program that shows security scorecard for an open source software."
 	scorecardUse  = `./scorecard [--repo=<repo_url>] [--local=folder] [--checks=check1,...]
-	 [--show-details] [--policy=file] or ./scorecard --{npm,pypi,rubgems}=<package_name> 
+	 [--show-details] [--policy=file] or ./scorecard --{npm,pypi,rubygems}=<package_name> 
 	 [--checks=check1,...] [--show-details] [--policy=file]`
 	scorecardShort = "Security Scorecards"
 )