This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
DISCUSSION: improvements needed by tools scorecard uses or recommends #1352
Comments
|
SARIF dashboard: Display vulnerabilities that are ignored in pull requests github/codeql-action#811 |
|
I think I mentioned this elsewhere but since this issue is supposed to track issues in tools scorecard recommends I'd add a link to a couple of Dependabot issues that have been open for a long time and are unlikely to be fixed anytime soon in hopes it could maybe affect anything: systemd/systemd#21343 (comment) |
|
Make CodeQl or scanning results publicly available, maybe via an opt-in option #1427 (comment) |
|
Add pinning variable to GitHub starter workflows actions/starter-workflows#1301 |
|
It's a long shot but it would be great if LGTM could be used to analyze projects that aren't hosted on GitHub. From https://sourceware.org/bugzilla/show_bug.cgi?id=28659:
I'm not sure if it helps but that was the "elfutils" project, which I think is pretty critical since it's one of those dependencies that's basically everywhere (including systemd as it turned out :-)) |
|
actions/starter-workflows#1299, which may be on the way to be fixed by @varunsh-coder |
|
If it still isn't possible to figure out whether the workflow permissions are set to "Read repository contents permission" using GH API I think it should be added to the list so that scorecard wouldn't penalize projects without explicit permissions but with that flag on much. |
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
This thread is a collection of issues and improvements we'd like to see in the tools scorecard uses or recommends. It was suggested by @evverx
The text was updated successfully, but these errors were encountered: