Scorecard article #15
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
looks great! thanks @Ioana37 and @meguittet ! left some comments.
meguittet
reviewed
Oct 10, 2024
|
Thanks for putting this together :-) |
meguittet
reviewed
Oct 15, 2024
!article/article.md
Outdated
|  | ||
|
|
||
| # Recommendations and action items | ||
| With the recent improvements in handling pinned dependencies and packaging checks for the NuGet package manager, the ability to assess the security features of GitHub repositories in the .NET ecosystem will be substantially enhanced. This should encourage repositories’ maintainers to adopt necessary improvements, leading to higher scores measured by Scorecard and improved overall security. |
There was a problem hiding this comment.
Suggested change
| With the recent improvements in handling pinned dependencies and packaging checks for the NuGet package manager, the ability to assess the security features of GitHub repositories in the .NET ecosystem will be substantially enhanced. This should encourage repositories’ maintainers to adopt necessary improvements, leading to higher scores measured by Scorecard and improved overall security. | |
| With the recent improvements in handling pinned dependencies and packaging checks for the NuGet package manager, the ability to assess the security features of GitHub repositories in the .NET ecosystem will be substantially enhanced. This should encourage repositories’ maintainers to adopt necessary improvements, leading to higher scores measured by Scorecard and improved overall security of the entire .Net ecosystem. |
!article/article.md
Outdated
|
|
||
| In conclusion, regularly running OSSF Scorecard checks helps ensure your project stays secure, up-to-date, and aligned with coding best practices. This proactive approach significantly reduces the risk of security vulnerabilities within your software ecosystem. | ||
|
|
||
| Don’t delay! Check the Scorecard of your favorite GitHub repository today and if you’d like to improve the score, take a look at the suggested mitigation steps 😊. |
There was a problem hiding this comment.
Suggested change
| Don’t delay! Check the Scorecard of your favorite GitHub repository today and if you’d like to improve the score, take a look at the suggested mitigation steps 😊. | |
| Don’t delay! Check the Scorecard of your or your dependency's GitHub repository today and if you’d like to improve the score, take a look at the suggested mitigation steps 😊. Also, you may further contribute to the Scorecard support of the .Net ecosystem by checkout out the future work section next. |
!article/article.md
Outdated
Comment on lines
172
to
174
| - OpenSSF [Scorecard repository](https://github.com/ossf/scorecard) | ||
|
|
||
| The following links capture open issues for extending Scorecard support: |
There was a problem hiding this comment.
Suggested change
| - OpenSSF [Scorecard repository](https://github.com/ossf/scorecard) | |
| The following links capture open issues for extending Scorecard support: | |
| The following links capture open issues for extending the [OpenSSF Scorecard](https://github.com/ossf/scorecard) support for the .Net and Nuget ecosystem. | |
|
|
||
| # What is supported for .NET/NuGet | ||
| For the past two years, Scorecard has started to implement dedicated support for projects within the .NET ecosystem, which use the NuGet package manager. The most recent features added are support for checking pinned dependencies when restoring packages using a [lock file](https://devblogs.microsoft.com/nuget/enable-repeatable-package-restores-using-a-lock-file/#how-to-enable-the-lock-file) and when using [Central Package Management](https://learn.microsoft.com/en-us/nuget/consume-packages/Central-Package-Management). | ||
|
|
There was a problem hiding this comment.
Suggested change
| We would like to extend a special Thank You for the team who contributes and coordinates these contributions: | |
| [Avishay Balter](https://www.linkedin.com/in/avishay-balter/) | |
| [Ioana Amarande](https://www.linkedin.com/in/ioana-amarande) | |
| [Jon Douglas](https://www.linkedin.com/in/jon-douglas-9555572b) | |
| [Liam Moat](https://www.linkedin.com/in/liammoatcom) | |
| [Melanie Guittet](https://www.linkedin.com/in/melanie-guittet/) | |
|
This pull request has been marked stale because it has been open for 10 days with no activity |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What kind of change does this PR introduce?
(Is it a bug fix, feature, docs update, something else?)
What is the current behavior?
What is the new behavior (if this is a feature change)?**
Which issue(s) this PR fixes
Special notes for your reviewer
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to
the
release-note(In particular, describe what changes users might need to make in their
application as a result of this pull request.)