mirror of
https://github.com/ossf/scorecard.git
synced 2024-08-15 11:20:30 +03:00
Some checks are pending
CodeQL / Analyze (go) (push) Waiting to run
CodeQL / Analyze (javascript) (push) Waiting to run
gitlab-tests / gitlab-integration-trusted (push) Waiting to run
golangci-lint / check-linter (push) Waiting to run
build / unit-test (push) Waiting to run
build / generate-mocks (push) Waiting to run
build / generate-docs (push) Waiting to run
build / build-proto (push) Waiting to run
build / ${{ matrix.target }} (build-add-script) (push) Blocked by required conditions
build / ${{ matrix.target }} (build-bq-transfer) (push) Blocked by required conditions
build / ${{ matrix.target }} (build-cii-worker) (push) Blocked by required conditions
build / ${{ matrix.target }} (build-controller) (push) Blocked by required conditions
build / ${{ matrix.target }} (build-github-server) (push) Blocked by required conditions
build / ${{ matrix.target }} (build-scorecard) (push) Blocked by required conditions
build / ${{ matrix.target }} (build-shuffler) (push) Blocked by required conditions
build / ${{ matrix.target }} (build-validate-script) (push) Blocked by required conditions
build / ${{ matrix.target }} (build-webhook) (push) Blocked by required conditions
build / ${{ matrix.target }} (build-worker) (push) Blocked by required conditions
build / validate-docs (push) Waiting to run
build / add-projects (push) Waiting to run
build / validate-projects (push) Waiting to run
build / license boilerplate check (push) Waiting to run
Scorecard analysis workflow / Scorecard analysis (push) Waiting to run
* add lifecycle field to probe yaml definitions Signed-off-by: Spencer Schrock <sschrock@google.com> * classify existing probes Some are listed as stable if they're not expected to change, others are listed as experimental if there are still expected changes. Signed-off-by: Spencer Schrock <sschrock@google.com> * add lifecycle to probe readme Signed-off-by: Spencer Schrock <sschrock@google.com> * fix linter Signed-off-by: Spencer Schrock <sschrock@google.com> * add lifecycle for new probe Signed-off-by: Spencer Schrock <sschrock@google.com> * add probe lifecycle to documentation Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>
53 lines
3.8 KiB
YAML
53 lines
3.8 KiB
YAML
# Copyright 2023 OpenSSF Scorecard Authors
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
id: securityPolicyPresent
|
|
lifecycle: stable
|
|
short: Check if a security policy is defined in the repository or in the org's .github repository.
|
|
motivation: >
|
|
A security policy (typically a SECURITY.md file) can give users information about what constitutes a vulnerability and how to report one securely so that information about a bug is not publicly visible.
|
|
If you have a large organization, having a unified security policy across all your repositories may simplify the vulnerability disclosure response.
|
|
implementation: >
|
|
The implementation looks for the presence of security policy files in the repository or in '<org>/.github' repository. See https://github.com/ossf/scorecard/blob/main/checks/raw/security_policy.go#L139 for a detailed list of filenames.
|
|
outcome:
|
|
- If a security policy file is found, one finding with OutcomeTrue is returned.
|
|
- If no security file is found, one finding with OutcomeFalse is returned.
|
|
remediation:
|
|
onOutcome: False
|
|
effort: Medium
|
|
text:
|
|
- 'On GitHub:'
|
|
- Enable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
|
|
- Add a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities.
|
|
- 'On GitLab:'
|
|
- Add a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project.
|
|
- 'Examples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md.'
|
|
- For additional information on vulnerability disclosure, see https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md.
|
|
markdown:
|
|
- Write a short paragraph for your SECURITY.md to explain the process to disclose security vulnerability for your project.
|
|
- 'On GitHub:'
|
|
- Enable private vulnerability disclosure in your [repository settings](https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository)
|
|
- Add a section in your SECURITY.md indicating you have enabled private reporting, and tell them to [follow these steps](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities).
|
|
- 'On GitLab:'
|
|
- Provide a point of contact in your SECURITY.md.
|
|
- 'Examples: [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/SECURITY.md), [SLSA builders](https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md), [Sigstore](https://github.com/sigstore/.github/blob/main/SECURITY.md).'
|
|
- For additional information on vulnerability disclosure, see [OpenSSF's maintainer's guide](https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md).
|
|
ecosystem:
|
|
languages:
|
|
- all
|
|
clients:
|
|
- github
|
|
- gitlab
|
|
- localdir
|