75639713f5
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
# Maintainer Annotations
Maintainer Annotations let maintainers add context that is displayed alongside Scorecard check results. An annotation gives users additional information in cases where Scorecard's automated assessment of a project's security practices is incomplete, for example when a finding concerns files used only for testing or has already been remediated. Annotations are written by the maintainers and shown next to the result as context for the reader; Scorecard does not verify the claim they make.
## Annotating Your Project
To annotate your repository, create a `scorecard.yml` file in the root of your repository. You can also place your annotations in `.scorecard.yml` or `.github/scorecard.yml`.
The file structure is as follows:

```yaml
annotations:
  - checks:
      - binary-artifacts
    reasons:
      - reason: test-data # the binary files are only used for testing
  - checks:
      - dangerous-workflow
    reasons:
      - reason: remediated # the workflow is dangerous but only runs after maintainers' verification and approval
```
You can annotate multiple checks at a time:

```yaml
annotations:
  - checks:
      - binary-artifacts
      - pinned-dependencies
    reasons:
      - reason: test-data # the binary files and the files with unpinned dependencies are only used for testing
```
You can also provide multiple annotations for a check:

```yaml
annotations:
  - checks:
      - binary-artifacts
    reasons:
      - reason: test-data # test.exe is only used for testing
      - reason: remediated # dependency.exe is needed and used, but its binary signature is verified
```
The available checks are the Scorecard check names in lower case, e.g. `Binary-Artifacts` is written `binary-artifacts`.
## Types of Annotations
The annotations are predefined; only the values in the table below are accepted:

| Annotation | Description | Example |
|---|---|---|
| `test-data` | A check or probe has found a security issue in files or code snippets that are only used for test or example purposes. | The binary files are only used for testing. |
| `remediated` | A check or probe has found a security issue to which a remediation has already been applied. | A workflow is dangerous but only runs after maintainers' verification and approval, or a binary is needed but it is signed or has provenance. |
| `not-applicable` | A check or probe does not apply to the project. | The dependencies should not be pinned because the project is a library. |
| `not-supported` | The maintainer fulfills a check or probe in a way that Scorecard does not support. | Clang-Tidy is used as the SAST tool but is not identified because it is not supported. |
| `not-detected` | The maintainer fulfills a check or probe in a way that Scorecard supports but did not identify. | Dependabot is configured in the repository settings rather than in a file. |
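As an added example (not part of this README or of the Scorecard code base), the following Go program ties the two sections above together: it reads the `annotations:` layout shown in the file examples, checks it against the rules stated on this page (lower-case check names, reasons taken from the table) and looks up the reasons recorded for a check the way a result display would, matching the lower-case key in the file against a display name such as `Binary-Artifacts`. It is a deliberately narrow line-oriented reader for exactly this documented shape, not a general YAML parser, and the two embedded configurations are constructed inputs; Scorecard's own loader (`config.go` in this directory) remains the authority on what it accepts.

```go
package main

import (
	"fmt"
	"strings"
)

// The predefined reasons from the table in this README.
var knownReasons = map[string]bool{"test-data": true, "remediated": true,
	"not-applicable": true, "not-supported": true, "not-detected": true}

type Annotation struct{ Checks, Reasons []string } // one "- checks: ... reasons: ..." group

// ParseAnnotations reads the exact layout documented in this README, line by line. It is not a general
// YAML parser: anything outside the "annotations: / - checks: / reasons: / - reason:" shape is rejected.
func ParseAnnotations(src string) ([]Annotation, error) {
	var groups []Annotation
	cur, mode, seenTop := -1, "", false // group being filled, list being filled, saw "annotations:"
	for n, raw := range strings.Split(src, "\n") {
		line, _, _ := strings.Cut(raw, "#") // values are unquoted, so '#' always starts a comment
		line = strings.TrimSpace(line)
		switch {
		case line == "": // blank or comment-only line
		case line == "annotations:":
			seenTop = true
		case !seenTop:
			return nil, fmt.Errorf("line %d: file must start with 'annotations:', got %q", n+1, raw)
		case line == "- checks:":
			groups = append(groups, Annotation{})
			cur, mode = len(groups)-1, "checks"
		case line == "reasons:" && cur >= 0:
			mode = "reasons"
		case mode == "reasons" && strings.HasPrefix(line, "- reason:") && strings.TrimSpace(line[9:]) != "":
			groups[cur].Reasons = append(groups[cur].Reasons, strings.TrimSpace(line[9:]))
		case mode == "checks" && strings.HasPrefix(line, "- ") && !strings.Contains(line, ":"):
			groups[cur].Checks = append(groups[cur].Checks, strings.TrimSpace(line[2:]))
		default:
			return nil, fmt.Errorf("line %d: unexpected %q", n+1, raw)
		}
	}
	return groups, nil
}

// Validate applies the rules this README states: lower-case Scorecard check names and predefined reasons.
func Validate(groups []Annotation) (errs []error) {
	for i, a := range groups {
		for _, r := range a.Reasons {
			if !knownReasons[r] {
				errs = append(errs, fmt.Errorf("group %d: unknown reason %q", i, r))
			}
		}
		for _, c := range a.Checks {
			if lc := strings.ToLower(c); c != lc {
				errs = append(errs, fmt.Errorf("group %d: check %q must be written %q", i, c, lc))
			}
		}
	}
	return errs
}

// ReasonsFor returns every reason annotated for a check. The match is case-insensitive, so the display
// name "Binary-Artifacts" finds the lower-case key "binary-artifacts" used in the file.
func ReasonsFor(groups []Annotation, check string) (out []string) {
	for _, a := range groups {
		for _, c := range a.Checks {
			if strings.EqualFold(c, check) {
				out = append(out, a.Reasons...)
			}
		}
	}
	return out
}

// Constructed sample in the layout shown above: two reasons for one check, then a second group.
const sampleConfig = `annotations:
  - checks:
      - binary-artifacts
    reasons:
      - reason: test-data # test.exe is only used for testing
      - reason: remediated # dependency.exe is needed, but its signature is verified
  - checks:
      - dangerous-workflow
    reasons:
      - reason: remediated # only run after maintainer verification and approval
`
// Constructed sample that breaks both rules: a capitalised check name and a misspelled reason.
const badConfig = `annotations:
  - checks:
      - Binary-Artifacts
    reasons:
      - reason: remediate
`

func main() {
	for _, src := range []string{sampleConfig, badConfig} {
		groups, err := ParseAnnotations(src) // both samples are well-formed; Validate reports the rule violations
		fmt.Printf("parse error=%v reasons(Binary-Artifacts)=%v problems=%v\n", err, ReasonsFor(groups, "Binary-Artifacts"), Validate(groups))
	}
}
```

Two design points worth noting: a `- reason:` line that appears under `checks:` is rejected rather than silently stored as a check name (the `!strings.Contains(line, ":")` guard), and the lookup normalises case on the way out rather than on the way in, so `Validate` can still report a capitalised check name exactly as the maintainer wrote it.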
## Viewing Maintainer Annotations

To see the maintainer annotations for each check in Scorecard results, pass the `--show-annotations` option.