Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update Scorecard Monitor workflow + fix Scorecard Report links #179

Merged
merged 3 commits into from
Jun 20, 2024
Merged

Update Scorecard Monitor workflow + fix Scorecard Report links #179

merged 3 commits into from
Jun 20, 2024

Conversation

lelia
Copy link
Contributor

@lelia lelia commented Jun 20, 2024

  • Updates Scorecard Monitor workflow action dependencies
  • Updates location of Scorecard Monitor action to OSSF ✨
  • Fixes Scorecard Report links to use new API visualizer URL

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jun 20, 2024
edited
Loading

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/checkout 692973e3d937129bcbf40652eb9f2f61becf3332 🟢 7.5
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1018 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Signed-Releases⚠️ -1no releases found
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
SAST🟢 10SAST tool is run on all commits
Security-Policy🟢 9security policy file detected
Pinned-Dependencies🟢 4dependency not pinned by hash detected -- score normalized to 4
Packaging🟢 10packaging workflow detected
Vulnerabilities🟢 91 existing vulnerabilities detected
actions/ossf/scorecard-monitor 8551177324543b39670fe3c430012c946a937bd1 UnknownUnknown
actions/peter-evans/create-pull-request c5a7806660adbe173f04e3e038b0ccdcd758773c 🟢 5.1
Details
CheckScoreReason
Code-Review🟢 3Found 4/11 approved changesets -- score normalized to 3
Maintained🟢 1025 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 10no binaries found in the repo
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies⚠️ 1dependency not pinned by hash detected -- score normalized to 1
Signed-Releases⚠️ -1no releases found
Fuzzing⚠️ 0project is not fuzzed
Security-Policy⚠️ 0security policy file not detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities🟢 91 existing vulnerabilities detected
actions/UlisesGascon/openssf-scorecard-monitor 8551177324543b39670fe3c430012c946a937bd1 🟢 6.2
Details
CheckScoreReason
Maintained🟢 910 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 9
Code-Review🟢 7Found 7/9 approved changesets -- score normalized to 7
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Packaging⚠️ -1packaging workflow not detected
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Pinned-Dependencies⚠️ 2dependency not pinned by hash detected -- score normalized to 2
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
Security-Policy🟢 10security policy file detected
Vulnerabilities🟢 100 existing vulnerabilities detected
actions/actions/checkout b4ffde65f46336ab88eb53be808477a3936bae11 🟢 7.5
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1018 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Signed-Releases⚠️ -1no releases found
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
SAST🟢 10SAST tool is run on all commits
Security-Policy🟢 9security policy file detected
Pinned-Dependencies🟢 4dependency not pinned by hash detected -- score normalized to 4
Packaging🟢 10packaging workflow detected
Vulnerabilities🟢 91 existing vulnerabilities detected
actions/peter-evans/create-pull-request 6d6857d36972b65feb161a90e484f2984215f83e 🟢 5.1
Details
CheckScoreReason
Code-Review🟢 3Found 4/11 approved changesets -- score normalized to 3
Maintained🟢 1025 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 10no binaries found in the repo
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies⚠️ 1dependency not pinned by hash detected -- score normalized to 1
Signed-Releases⚠️ -1no releases found
Fuzzing⚠️ 0project is not fuzzed
Security-Policy⚠️ 0security policy file not detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities🟢 91 existing vulnerabilities detected

Scanned Manifest Files

.github/workflows/scorecard-monitor.yml

justaugustus
justaugustus requested changes Jun 20, 2024
View reviewed changes
Copy link
Contributor

@justaugustus justaugustus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lelia — One nit. Can you fix this upstream as well?

reports/scorecard/report.md Outdated Show resolved Hide resolved
@lelia @justaugustus
Fix report generation link
7616edd 
Co-authored-by: Stephen Augustus <[email protected]>
justaugustus
justaugustus approved these changes Jun 20, 2024
View reviewed changes
Copy link
Contributor

@justaugustus justaugustus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fixes, @lelia!

@justaugustus justaugustus merged commit c6eee3e into main Jun 20, 2024
2 checks passed
@justaugustus justaugustus deleted the fix-markdown-links branch June 20, 2024 22:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@justaugustus justaugustus justaugustus approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@lelia @justaugustus