Skip to content

Commit

Permalink
📖 Fix documentation typos (ossf#3505)
Browse files Browse the repository at this point in the history
* fix typo

Signed-off-by: omahs <[email protected]>

* fix typos

Signed-off-by: omahs <[email protected]>

* fix typo

Signed-off-by: omahs <[email protected]>

* fix typo

Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: omahs <[email protected]>

* fix typos

Signed-off-by: omahs <[email protected]>

---------

Signed-off-by: omahs <[email protected]>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
  • Loading branch information
omahs authored and diogoteles08 committed Nov 13, 2023
1 parent 66e5843 commit d6275d3
Show file tree
Hide file tree
Showing 4 changed files with 7 additions and 7 deletions.
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -94,7 +94,7 @@ metrics. Prominent projects that use Scorecard include:

### View a Project's Score

To see scores for projects regually scanned by Scorecard, navigate to the webviewer, replacing the placeholder text with the platform, user/org, and repository name:
To see scores for projects regularly scanned by Scorecard, navigate to the webviewer, replacing the placeholder text with the platform, user/org, and repository name:
https://securityscorecards.dev/viewer/?uri=<github_or_gitlab>.com/<user_name_or_org>/<repository_name>.

For example:
Expand Down
4 changes: 2 additions & 2 deletions docs/checks.md
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,7 @@ Different types of branch protection protect against different risks:

- requiring two or more reviewers protects even more from the insider risk
whereby a compromised contributor can be used by an attacker to LGTM
the attacker PR and inject a malicious code as if it was legitm.
the attacker PR and inject a malicious code as if it was legit.

- Prevent force push: prevents use of the `--force` command on public
branches, which overwrites code irrevocably. This protection prevents the
Expand Down Expand Up @@ -330,7 +330,7 @@ low score is therefore not a definitive indication that the project is at risk.

**Remediation steps**
- Signup for automatic dependency updates with one of the previously listed dependency update tools and place the config file in the locations that are recommended by these tools. Due to https://github.com/dependabot/dependabot-core/issues/2804 Dependabot can be enabled for forks where security updates have ever been turned on so projects maintaining stable forks should evaluate whether this behavior is satisfactory before turning it on.
- Unlike Dependabot, Renovate bot has support to migrate dockerfiles' dependencies from version pinning to hash pinning via the [pinDigests setting](https://docs.renovatebot.com/configuration-options/#pindigests) without aditional manual effort.
- Unlike Dependabot, Renovate bot has support to migrate dockerfiles' dependencies from version pinning to hash pinning via the [pinDigests setting](https://docs.renovatebot.com/configuration-options/#pindigests) without additional manual effort.

## Fuzzing

Expand Down
4 changes: 2 additions & 2 deletions docs/checks/internal/checks.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,7 @@ checks:
- >-
Unlike Dependabot, Renovate bot has support to migrate dockerfiles' dependencies from version pinning to hash pinning
via the [pinDigests setting](https://docs.renovatebot.com/configuration-options/#pindigests) without
aditional manual effort.
additional manual effort.
Binary-Artifacts:
risk: High
tags: supply-chain, security, dependencies
Expand Down Expand Up @@ -172,7 +172,7 @@ checks:
- requiring two or more reviewers protects even more from the insider risk
whereby a compromised contributor can be used by an attacker to LGTM
the attacker PR and inject a malicious code as if it was legitm.
the attacker PR and inject a malicious code as if it was legit.
- Prevent force push: prevents use of the `--force` command on public
branches, which overwrites code irrevocably. This protection prevents the
Expand Down
4 changes: 2 additions & 2 deletions docs/faq.md
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ Most code scanning tools are focused on detecting specific vulnerabilities alrea

### Wasn't this project called "Scorecards" (plural)?

Yes, kind of. The project was initially called "Security Scorecards" but that form wasn't used consistently. In particular, the repo was named "scorecard" and so was the program. Over time people started referring to either form (singular and plural) and the inconsitency became prevalent. To end this situation the decision was made to consolidate over the use of the singular form in keeping with the repo and program name, drop the "Security" part and use "OpenSSF" instead to ensure uniqueness. One should therefore refer to this project as "OpenSSF Scorecard" or "Scorecard" for short.
Yes, kind of. The project was initially called "Security Scorecards" but that form wasn't used consistently. In particular, the repo was named "scorecard" and so was the program. Over time people started referring to either form (singular and plural) and the inconsistency became prevalent. To end this situation the decision was made to consolidate over the use of the singular form in keeping with the repo and program name, drop the "Security" part and use "OpenSSF" instead to ensure uniqueness. One should therefore refer to this project as "OpenSSF Scorecard" or "Scorecard" for short.

## Check-specific Questions

Expand All @@ -55,7 +55,7 @@ While it isn't currently possible to allowlist such binaries, the Scorecard team

### Code-Review: Can it ignore bot commits?

This is quite a complex question. Right now, there is no way to do that. Here are some pros and cons on allowing users to set up an ignore-list for bots.
This is quite a complex question. Right now, there is no way to do that. Here are some pros and cons of allowing users to set up an ignore-list for bots.

- Pros: Some bots run very frequently; for some projects, reviewing every change is therefore not feasible or reasonable.
- Cons: Bots can be compromised (their credentials can be compromised, for example). Or if commits are not signed, an attacker could easily send a commit spoofing the bot. This means that a bot having unsupervised write access to the repository could be a security risk.
Expand Down

0 comments on commit d6275d3

Please sign in to comment.