scorecard/checks.md
2020-10-26 15:50:13 -05:00


Check Documentation

This page contains information on how each check works and calculates scores. All of these checks are basically "best-guesses" currently, and operate on a series of heuristics.

They are all subject to change, and have much room for improvement! If you have ideas for things to add, or new ways to detect things, please contribute!

Security-MD

This check tries to determine if a project has published security policies. It works by looking for a file named SECURITY.md (case-insensitive) in a few well-known directories.

Contributors

This check tries to determine if a project has a set of contributors from multiple companies. It works by looking at the authors of recent commits and checking the Organization field on the GitHub user profile.

Frozen-Deps

This check tries to determine if a project has declared and pinned its dependencies. It works by looking for a set of well-known package management lock files.
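The Security-MD and Frozen-Deps heuristics above are both file-presence checks over a repository tree. The following is an added example (not scorecard's own code) that implements both over a plain file listing; the directory list and lock-file names are assumptions for illustration, not the project's actual lists.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Well-known locations and lock files (assumed lists for this example,
// not the project's actual configuration).
var securityDirs = []string{"", ".github", "docs"}
var lockFiles = []string{"package-lock.json", "yarn.lock", "go.sum",
	"Gemfile.lock", "Pipfile.lock", "poetry.lock", "Cargo.lock"}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// HasSecurityPolicy reports whether a file named SECURITY.md
// (case-insensitive) sits in one of the well-known directories.
func HasSecurityPolicy(paths []string) bool {
	for _, p := range paths {
		dir, base := path.Split(p)
		if strings.EqualFold(base, "SECURITY.md") &&
			contains(securityDirs, strings.TrimSuffix(dir, "/")) {
			return true
		}
	}
	return false
}

// PinnedDeps returns the well-known lock files found at the repository
// root; an empty result means no pinning evidence was found.
func PinnedDeps(paths []string) []string {
	var found []string
	for _, p := range paths {
		if !strings.Contains(p, "/") && contains(lockFiles, p) {
			found = append(found, p)
		}
	}
	return found
}

func main() {
	// Constructed file listing standing in for a repository tree.
	tree := []string{"README.md", ".github/security.MD", "go.mod", "go.sum", "src/main.go"}
	fmt.Println(HasSecurityPolicy(tree), PinnedDeps(tree)) // true [go.sum]
}
```

A lock file under a subdirectory (for example a vendored copy) is deliberately ignored, since only root-level files count as evidence that the project itself pins its dependencies.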

Signed-Tags

This check looks for cryptographically signed tags in the git history.

Signed-Releases

This check tries to determine if a project cryptographically signs release artifacts. It works by looking for well-known filenames within recently published GitHub releases.

CI-Tests

This check tries to determine if the project runs tests before pull requests are merged. It works by looking for a set of well-known CI-system names in GitHub CheckRuns and Statuses.

Code-Review

This check tries to determine if a project requires code review before pull requests are merged. It works by looking for a set of well-known code review system results in GitHub Pull Requests.

CII-Best-Practices

This check tries to determine if the project has a CII Best Practices Badge. It uses the URL for the Git repo and the CII API.

Pull-Requests

This check tries to determine if the project requires pull requests for all changes to the default branch. It works by looking at recent commits and using the GitHub API to search for associated pull requests.

Fuzzing

This check tries to determine if the project uses a fuzzing system. It currently works by checking if the repo name is in the OSS-Fuzz project list.

SAST

This check tries to determine if the project uses static analysis systems. It currently works by looking for well-known results (CodeQL, etc.) in GitHub pull requests.

Active

This check tries to determine if the project is still "actively maintained". It currently works by looking for releases or commits within the last 90 days.