Description of the feature request:
To improve the OpenSSF Scorecard for in-toto-golang.
The current score is 5.4/10 as of 2023-11-13.
This score is static, so continuously updating the score requires a workflow.
Solution description
We need to work on each area to analyze where the score has dropped and how we can improve upon it! The following steps are:
- CI Test
- CII Best Practices
- Contributors
- License
- Code Review
- Fuzzing test
- Packaging
- Pinned Dependencies
- SAST
- Security Policy
- Binary Artifact
- Branch protection
- Dependency Update Tool
- Maintained
- Signed Release
- Token Permission
- Vulnerabilities
- Dangerous Workflow
- Webhooks
Scorecard Result Detail
Current Score: 5.4/10
| SCORE | NAME | REASON | DETAILS | DOCS |
|---|---|---|---|---|
| 10 | Maintained | 30 commit(s) out of 30 and 2 issue activity out of 30 found in the last 90 days -- score normalized to 10 | - | https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#maintained |
| 10 | Code-Review | all changesets reviewed | - | https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#code-review |
| 0 | CII-Best-Practices | no effort to earn an OpenSSF best practices badge detected | - | https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#cii-best-practices |
| 9 | License | license file detected | Warn: project license file does not contain an FSF or OSI license; Info: License file found in expected location: LICENSE:1 | https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#license |
| -1 | Signed-Releases | no releases found | Warn: no GitHub releases found | https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#signed-releases |
| 0 | Branch-Protection | branch protection not enabled on development/release branches | Warn: branch protection not enabled for branch 'master' | https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#branch-protection |
| -1 | Packaging | packaging workflow not detected | Warn: no GitHub/GitLab publishing workflow detected | https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#packaging |
| 0 | Token-Permissions | detected GitHub workflow tokens with excessive permissions | Warn: no topLevel permission defined: .github/workflows/build.yml:1; Warn: no topLevel permission defined: .github/workflows/lint.yml:1; Warn: no topLevel permission defined: .github/workflows/verify-docgen-fmt.yml:1; Info: no jobLevel write permissions found | https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#token-permissions |
| 10 | Dangerous-Workflow | no dangerous workflow patterns detected | - | https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#dangerous-workflow |
| 9 | Binary-Artifacts | binaries present in source code | Warn: binary detected: test/data/helloworld:1 | https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#binary-artifacts |
| 0 | Fuzzing | project is not fuzzed | Warn: no OSSFuzz integration found; Warn: no GoBuiltInFuzzer integration found | https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#fuzzing |
| 3 | Pinned-Dependencies | dependency not pinned by hash detected | Warn: containerImage not pinned by hash: Dockerfile:3; Warn: containerImage not pinned by hash: Dockerfile:12; Warn: containerImage not pinned by hash: Dockerfile:16: pin your Docker image by updating gcr.io/distroless/base to gcr.io/distroless/base@sha256:b31a6e02605827e77b7ebb82a0ac9669ec51091edd62c2c076175e05556f4ab9; Warn: goCommand not pinned by hash: .github/workflows/build.yml:27; Info: 7 out of 7 GitHub-owned GitHubAction dependencies pinned; Info: 1 out of 1 third-party GitHubAction dependencies pinned; Info: 0 out of 3 containerImage dependencies pinned; Info: 0 out of 1 goCommand dependencies pinned | https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#pinned-dependencies |
| 0 | Security-Policy | security policy file not detected | Warn: no security policy file detected | https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#security-policy |
| 10 | Vulnerabilities | 0 existing vulnerabilities detected | - | https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#vulnerabilities |
| 0 | SAST | SAST tool is not run on all commits | Warn: CodeQL tool not installed; Warn: 0 commits out of 30 are checked with a SAST tool | https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#sast |
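The issue notes that the score above is a one-off snapshot and that keeping it current needs a workflow. The file below is an added example of such a workflow, written for this page; it is not a file that exists in in-toto-golang and not the project's own code. It also shows, in one place, the two patterns the Token-Permissions and Pinned-Dependencies rows call for: a top-level `permissions: read-all` default with write scopes granted only at job level, and actions pinned to a full commit SHA rather than a tag. The file path, the cron schedule, and the all-zero SHAs are assumptions (the SHAs are placeholders to be replaced with the real commit for the tag named in each trailing comment); the scores of -1 in the table mean Scorecard could not evaluate that check, not that it failed.

```yaml
# .github/workflows/scorecard.yml  (added example; assumed path, not an existing project file)
name: Scorecard supply-chain security

on:
  # Re-score when branch protection changes, on a weekly schedule (assumed
  # cron), and on every push to the default branch.
  branch_protection_rule:
  schedule:
    - cron: '30 3 * * 1'
  push:
    branches: [ master ]

# Top-level default for every job: a read-only GITHUB_TOKEN.
# The absence of a line like this is what Scorecard reported as
# "no topLevel permission defined" for build.yml, lint.yml and
# verify-docgen-fmt.yml.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the SARIF results to the code-scanning dashboard.
      security-events: write
      # Needed for OIDC-based publishing of the results (publish_results below).
      id-token: write
    steps:
      # Every action is pinned to a 40-hex-character commit SHA so that a
      # moved tag cannot change what runs. The zero SHAs are placeholders:
      # resolve the real one with `git ls-remote <repo> <tag>` for the tag
      # in the trailing comment and substitute it.
      - name: Checkout code
        uses: actions/checkout@0000000000000000000000000000000000000000 # v4.1.1
        with:
          # Do not leave the token in .git/config for later steps.
          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@0000000000000000000000000000000000000000 # v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
          # Publishes the score to the Scorecard API so the badge and the
          # public result update on every run instead of staying static.
          publish_results: true

      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@0000000000000000000000000000000000000000 # v2.22.5
        with:
          sarif_file: results.sarif
```

The same two rules apply to the findings in the table for the other workflows and the Dockerfile: add `permissions: read-all` (or a narrower read-only block) at the top of build.yml, lint.yml and verify-docgen-fmt.yml, pin the `go` command at build.yml:27 to an explicit version instead of an unversioned or `@latest` target, and replace the three unpinned base images in the Dockerfile with digest references, as the tool already spells out for `gcr.io/distroless/base@sha256:b31a6e02...`. Because the scorecard job only ever gets `security-events: write` and `id-token: write`, a compromised step in it still cannot push to the repository or alter other workflows.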