📖 Add aggregate scoring documentation (#1063)

* Update README.md

Add scoring explanation, including aggregate scoring and risk weighting
Add Aggregate score to example output
Add omitted word

* Update README.md

Minor edit, remove word

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
olivekl 2021-09-30 13:47:35 -04:00 committed by GitHub
parent c10ac4bcb8
commit c45f70bc90
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -146,6 +146,9 @@ Finished [Pinned-Dependencies]
RESULTS
-------
Aggregate score: 7.9 / 10
Check scores:
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| SCORE | NAME | REASON | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
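Review bot: the example value in `Aggregate score: 7.9 / 10` should be reproducible from the per-check scores in the table that follows it and the risk weights this same change documents, because readers will try to recompute it; if the table was not regenerated from a real run of this version, either regenerate it or state in the README that the output is illustrative. It would also help to print the aggregate with the same `N / 10` layout the check rows use, which this line already does, so keep that consistent if the format changes later.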
@ -192,9 +195,41 @@ RESULTS
| 10 / 10 | Vulnerabilities | no vulnerabilities detected | github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
```
#### Scoring
Each individual check returns a score of 0 to 10, with 10 representing the best possible score. Scorecards also produces an aggregate score, which is a weight-based average of the individual checks weighted by risk.
* “Critical” risk checks are weighted at 10
* “High” risk checks are weighted at 7.5
* “Medium” risk checks are weighted at 5
* “Low” risk checks are weighted at 2.5
Note: there are currently no Scorecards checks rated as “Critical” risk.
Tests that are rated as “High” risk are:
* Maintained
* Dependency-Update-Tool
* Binary-Artifacts
* Branch-Protection
* Code-Review
* Signed-Releases
* Token-Permissions
* Vulnerabilities
Tests that are rated as “Medium” risk are:
* Fuzzing
* Packaging
* Pinned-Dependencies
* SAST
* Security-Policy
Tests that are rated as “Low” risk are:
* CI-Tests
* CII-Best-Practices
* Contributors
#### Showing Detailed Results
For more details why a check fails, use the `--show-details` option:
For more details about why a check fails, use the `--show-details` option:
```
./scorecard --repo=github.com/ossf-tests/scorecard-check-branch-protection-e2e --checks Branch-Protection --show-details
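Review bot: the new Scoring section lists the weights but never states how they combine, so a reader cannot reproduce the aggregate; after "weighted by risk" add one sentence such as "The aggregate is the sum of each check's score multiplied by its risk weight, divided by the sum of the weights of the checks that produced a score", and say whether a check that errors or is skipped is dropped from both numerator and denominator. Two smaller points in the same hunk: the three lists say "Tests that are rated as ..." while the section heading, the results table and the rest of the README call them checks, so use "Checks that are rated as ..." consistently; and the removed/added pair "For more details why a check fails" / "For more details about why a check fails" is the right grammar fix, but the `--checks Branch-Protection --show-details` example below it uses a space after `--checks` while `--repo=` uses `=`, so pick one flag style for the README.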