forked from ossf/scorecard
policy.yml
version: 1
statements:
  # Each statement combines probe outcomes (via `or` / `and`) into a single policy verdict.
  - name: fuzzing
    require:
      or:
        - probe: fuzzedWithOneFuzz
        - probe: fuzzedWithClusterFuzzLite
        - probe: fuzzedWithGoNative
        - probe: fuzzedWithOSSFuzz
        - probe: fuzzedWithPropertyBasedHaskell
    positiveText: The project is fuzzed using one of the fuzzers
    negativeText: Configure one of the recognized fuzzers
    risk: Medium
    confidence: [Positive]
    labels: [check:Fuzzing]
    motivation: |
      Fuzzing, or fuzz testing, is the practice of feeding unexpected or random data into a program to expose bugs.
      Regular fuzzing is important to detect vulnerabilities that may be exploited by others, especially since attackers can also use
      fuzzing to find the same flaws.
  - name: binaryGradleSafe
    require:
      or:
        - probe: binaryGradleNotPresent
        - probe: binaryGradleActionInstalled
    positiveText: The project manages Gradle wrappers safely
    negativeText: Gradle wrappers not managed safely
    risk: Critical
    confidence: [Positive, Negative]
    labels: [check:Binary-Artifacts]
    motivation: todo
  - name: binaryOtherNone
    require:
      probe: binaryOtherNotPresent
    positiveText: No other binaries found.
    negativeText: Binaries found.
    risk: Critical
    confidence: [Positive, Negative]
    labels: [check:Binary-Artifacts]
    motivation: todo
  # The statements below are commented out and therefore not active in this policy.
  # - name: securityPolicyDefined
  #   require:
  #     or:
  #       - probe: securityPolicyPresentInRepo
  #       - probe: securityPolicyPresentInOrg
  #   positiveText: Security policy defined
  #   negativeText: Please define a security policy in the repo or in your org
  #   risk: High
  #   labels: [Security-Policy]
  #   motivation: todo
  # - name: securityPolicyComplete
  #   require:
  #     and:
  #       - probe: securityPolicyContainsLinks
  #       - probe: securityPolicyContainsDisclosure
  #       - probe: securityPolicyContainsText
  #   positiveText: Security policy has complete information
  #   negativeText: Please update your policy with more information. todo
  #   risk: High
  #   labels: [Security-Policy]
  #   motivation: todo
  # - name: dependencyUpdateTooling
  #   require:
  #     or:
  #       - probe: toolDependabotInstalled
  #       - probe: toolRenovateInstalled
  #       - probe: toolPyUpInstalled
  #       - probe: toolSonarTypeLiftInstalled
  #   positiveText: Tool to update dependencies is used
  #   negativeText: Use a tool to update your dependencies. Any of X
  #   risk: High
  #   confidence: [Positive]
  #   labels: [check:Dependency-Update-Tool]
  #   motivation: todo
  # - name: branchProtection
  #   require:
  #     and:
  #       - probe: branchProtectionEnabled
  #       - probe: branchProtectionDeletionDisabled
  #       - probe: branchProtectionForcePushDisabled
  #       - probe: branchProtectionCheckRulesContext
  #       - probe: branchProtectionCodeownersFile
  #       - probe: branchProtectionCodeownersEnabled
  #       - probe: branchProtectionReviewers
  #   positiveText: Minimal branch protection enabled
  #   negativeText: Update your branch protection settings
  #   risk: High
  #   confidence: [Negative, Positive]
  #   labels: [check:Branch-Protection]
  #   motivation: todo
  # - name: branchProtectionHardened
  #   require:
  #     and:
  #       - probe: branchProtectionDismissStaleReviewDisabled
  #       - probe: branchProtectionLastPushApprovalEnabled
  #       - probe: branchProtectionUpdateToMerge
  #   positiveText: Enable settings to reduce insider attacks
  #   negativeText: Update your branch protection settings
  #   risk: High
  #   confidence: [Negative, Positive]
  #   labels: [check:Branch-Protection]
  #   motivation: todo