It would be nice to add Scorecard analysis to this repo as a GitHub Actions workflow to compute the security score. Scorecard runs various simple checks, e.g., whether Branch-Protection and Security-Policy exist in the repo, and computes a score of 0-1.
Here is the result that I get by locally running Scorecard:
RESULTS
-------
Finished [Binary-Artifacts]
Finished [Maintained]
Finished [Packaging]
Finished [CI-Tests]
Finished [Pinned-Dependencies]
Finished [Signed-Releases]
Finished [Vulnerabilities]
Finished [Branch-Protection]
Finished [Contributors]
Finished [Fuzzing]
Finished [Token-Permissions]
Finished [Security-Policy]
Finished [CII-Best-Practices]
Finished [Code-Review]
Finished [Dependency-Update-Tool]
Finished [SAST]
Aggregate score: 4.5 / 10
Check scores:
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#binary-artifacts |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 1 / 10 | Branch-Protection | branch protection is not | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#branch-protection |
| | | maximal on development and all | |
| | | release branches | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | CI-Tests | 14 out of 14 merged PRs | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#ci-tests |
| | | checked by a CI test -- score | |
| | | normalized to 10 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | CII-Best-Practices | no badge found | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#cii-best-practices |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10 | Code-Review | GitHub code reviews found for | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#code-review |
| | | 13 commits out of the last 14 | |
| | | -- score normalized to 9 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Contributors | 0 different companies found -- | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#contributors |
| | | score normalized to 0 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Fuzzing | project is not fuzzed in | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#fuzzing |
| | | OSS-Fuzz | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 6 / 10 | Maintained | 8 commit(s) found in the last | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#maintained |
| | | 90 days -- score normalized to | |
| | | 6 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Packaging | no published package detected | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#packaging |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 5 / 10 | Pinned-Dependencies | dependency not pinned by hash | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#pinned-dependencies |
| | | detected -- score normalized | |
| | | to 5 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | SAST | SAST tool is not run on all | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#sast |
| | | commits -- score normalized to | |
| | | 0 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Security-Policy | security policy file not | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#security-policy |
| | | detected | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Signed-Releases | 0 out of 2 artifacts are | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#signed-releases |
| | | signed -- score normalized to | |
| | | 0 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Token-Permissions | non read-only tokens detected | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#token-permissions |
| | | in GitHub workflows | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities | no vulnerabilities detected | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#vulnerabilities |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|