From 4b5cae5b12f293a3251782063ee410fd9d7a4fa5 Mon Sep 17 00:00:00 2001
From: dota17
Date: Sat, 27 Nov 2021 14:58:19 +0800
Subject: [PATCH] 1.Add the check Dangerous-Workflow 2.Fix the typo of rubygems

---
 README.md | 2 ++
 cmd/root.go | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 50c5131a4f7..e1e083a0376 100644
--- a/README.md
+++ b/README.md
@@ -230,6 +230,7 @@ Tests that are rated as “High” risk are:
 * Signed-Releases
 * Token-Permissions
 * Vulnerabilities
+* Dangerous-Workflow
 
 Tests that are rated as “Medium” risk are:
 * Fuzzing
@@ -356,6 +357,7 @@ CI-Tests | Does the project run tests in CI, e.g. [GitHub Act
 CII-Best-Practices | Does the project have a [CII Best Practices Badge](https://bestpractices.coreinfrastructure.org/en)?
 Code-Review | Does the project require code review before code is merged?
 Contributors | Does the project have contributors from at least two different organizations?
+Dangerous-Workflow | Does the project have GitHub Action workflows avoid dangerous patterns?
 Dependency-Update-Tool | Does the project use tools to help update its dependencies?
 Fuzzing | Does the project use fuzzing tools, e.g. [OSS-Fuzz](https://github.com/google/oss-fuzz)?
 Maintained | Is the project maintained?
diff --git a/cmd/root.go b/cmd/root.go
index 5f8977890a2..08392c1b61c 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -72,7 +72,7 @@ const (
 const (
 	scorecardLong = "A program that shows security scorecard for an open source software."
 	scorecardUse = `./scorecard [--repo=] [--local=folder] [--checks=check1,...]
-	[--show-details] [--policy=file] or ./scorecard --{npm,pypi,rubgems}=
+	[--show-details] [--policy=file] or ./scorecard --{npm,pypi,rubygems}=
 	[--checks=check1,...] [--show-details] [--policy=file]`
 	scorecardShort = "Security Scorecards"
 )