ossf/scorecard
1
1
Fork 0
mirror of https://github.com/ossf/scorecard.git synced 2024-09-17 11:57:12 +03:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity
b48bdbf250
scorecard/config
History
Raghav Kaul 75639713f5
Some checks failed
CodeQL / Analyze (go) (push) Waiting to run
Details
CodeQL / Analyze (javascript) (push) Waiting to run
Details
gitlab-tests / gitlab-integration-trusted (push) Waiting to run
Details
golangci-lint / check-linter (push) Waiting to run
Details
build / unit-test (push) Waiting to run
Details
build / generate-mocks (push) Waiting to run
Details
build / generate-docs (push) Waiting to run
Details
build / build-proto (push) Waiting to run
Details
build / ${{ matrix.target }} (build-add-script) (push) Blocked by required conditions
Details
build / ${{ matrix.target }} (build-bq-transfer) (push) Blocked by required conditions
Details
build / ${{ matrix.target }} (build-cii-worker) (push) Blocked by required conditions
Details
build / ${{ matrix.target }} (build-controller) (push) Blocked by required conditions
Details
build / ${{ matrix.target }} (build-github-server) (push) Blocked by required conditions
Details
build / ${{ matrix.target }} (build-scorecard) (push) Blocked by required conditions
Details
build / ${{ matrix.target }} (build-shuffler) (push) Blocked by required conditions
Details
build / ${{ matrix.target }} (build-validate-script) (push) Blocked by required conditions
Details
build / ${{ matrix.target }} (build-webhook) (push) Blocked by required conditions
Details
build / ${{ matrix.target }} (build-worker) (push) Blocked by required conditions
Details
build / validate-docs (push) Waiting to run
Details
build / add-projects (push) Waiting to run
Details
build / validate-projects (push) Waiting to run
Details
build / license boilerplate check (push) Waiting to run
Details
Scorecard analysis workflow / Scorecard analysis (push) Has been cancelled
Details
docs: maintainer annotations (#4235) 
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
2024-07-11 16:04:37 -04:00
..
testdata ⚠️ Add initial Maintainers Annotation parsing (#3905) 2024-04-23 20:15:12 +00:00
annotations.go 🌱 Hide maintainer annotation implementation details (#4167) 2024-06-12 18:16:13 +00:00
config_test.go 🌱 maintainer annotations: improve annotation file validation (#4162) 2024-07-02 15:40:34 +00:00
config.go 🌱 maintainer annotations: improve annotation file validation (#4162) 2024-07-02 15:40:34 +00:00
README.md docs: maintainer annotations (#4235) 2024-07-11 16:04:37 -04:00

README.md

Maintainer Annotations

Maintainer Annotations let maintainers add context to display alongside Scorecard check results. Annotations can provide users additional information when Scorecard has an incomplete assessment of a project's security practices.

Annotating Your Project

To annotate your repository, create a scorecard.yml file in the root of your repository.

You can also place your annotations in .scorecard.yml or .github/scorecard.yml.

The file structure is as follows:

annotations:
  - checks:
      - binary-artifacts
    reasons:
      - reason: test-data # the binary files are only used for testing
  - checks:
      - dangerous-workflow
    reasons:
      - reason: remediated # the workflow is dangerous but only run under maintainers verification and approval

You can annotate multiple checks at a time:

annotations:
  - checks:
      - binary-artifacts
      - pinned-dependencies
    reasons:
      - reason: test-data # the binary files and files with unpinned dependencies are only used for testing

And also provide multiple annotations for checks:

annotations:
  - checks:
      - binary-artifacts
    reasons:
      - reason: test-data # test.exe is only used for testing 
      - reason: remediated # dependency.exe is needed and it's used but the binary signature is verified

The available checks are the Scorecard checks in lower case e.g. Binary-Artifacts is binary-artifacts.

Types of Annotations

The annotations are predefined as shown in the table below:

Annotation Description Example
test-data A check or probe has found a security issue in files or code snippets only used for test or example purposes. The binary files are only used for testing.
remediated To annotate when a check or probe has found a security issue to which a remediation was already applied. A workflow is dangerous but only run under maintainers verification and approval, or a binary is needed but it is signed or has provenance.
not-applicable To annotate when a check or probe is not applicable for the case. The dependencies should not be pinned because the project is a library.
not-supported To annotate when the maintainer fulfills a check or probe in a way that is not supported by Scorecard. Clang-Tidy is used as SAST tool but not identified because its not supported.
not-detected To annotate when the maintainer fulfills a check or probe in a way that is supported by Scorecard but not identified. Dependabot is configured in the repository settings and not in a file.

Viewing Maintainer Annotations

To see the maintainers annotations for each check on Scorecard results, use the --show-annotations option.