📖 Add the check Dangerous-Workflow #1341

Merged (1 commit), Dec 1, 2021
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -230,6 +230,7 @@ Tests that are rated as “High” risk are:
* Signed-Releases
* Token-Permissions
* Vulnerabilities
* Dangerous-Workflow

Tests that are rated as “Medium” risk are:
* Fuzzing
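Review bot: Dangerous-Workflow is appended after Vulnerabilities in the “High” risk list, which otherwise reads alphabetically (Signed-Releases, Token-Permissions, Vulnerabilities); move the new entry to its alphabetical position so the list stays easy to scan as further checks are added. Rating the check as “High” risk is reasonable given that a workflow flaw can hand a token or a release pipeline to an outside contributor, but the README hunk gives the reader no pointer to what the check actually looks for, which the table row further down should supply.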
Expand Down Expand Up @@ -356,6 +357,7 @@ CI-Tests | Does the project run tests in CI, e.g. [GitHub Act
CII-Best-Practices | Does the project have a [CII Best Practices Badge](https://bestpractices.coreinfrastructure.org/en)?
Code-Review | Does the project require code review before code is merged?
Contributors | Does the project have contributors from at least two different organizations?
Dangerous-Workflow | Does the project have GitHub Action workflows avoid dangerous patterns?
Contributor:
nit:
"Does the project have GitHub Action workflows that avoid dangerous patterns?"

Dependency-Update-Tool | Does the project use tools to help update its dependencies?
Fuzzing | Does the project use fuzzing tools, e.g. [OSS-Fuzz](https://github.com/google/oss-fuzz)?
Maintained | Is the project maintained?
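Review bot: The new Dangerous-Workflow row is ungrammatical (“have GitHub Action workflows avoid dangerous patterns”), as the inline nit already says; beyond inserting “that”, the description should state what counts as a dangerous pattern or link to the check’s documentation, because the neighbouring rows (CII-Best-Practices, Fuzzing) link to what they measure and a reader of this table otherwise cannot tell what a low score on this check means. A wording in the style of the other rows would be `Dangerous-Workflow | Does the project avoid dangerous coding patterns in its GitHub Action workflows?` followed by a link to the check’s documentation.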
2 changes: 1 addition & 1 deletion cmd/root.go
Expand Up @@ -72,7 +72,7 @@ const (
const (
scorecardLong = "A program that shows security scorecard for an open source software."
scorecardUse = `./scorecard [--repo=<repo_url>] [--local=folder] [--checks=check1,...]
[--show-details] [--policy=file] or ./scorecard --{npm,pypi,rubgems}=<package_name>
[--show-details] [--policy=file] or ./scorecard --{npm,pypi,rubygems}=<package_name>
[--checks=check1,...] [--show-details] [--policy=file]`
scorecardShort = "Security Scorecards"
)
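Review bot: The only change in cmd/root.go is the spelling fix `rubgems` → `rubygems` in the usage string, which is unrelated to adding the Dangerous-Workflow check; the fix itself is right (a user copying the documented flag would otherwise pass a flag that does not exist), but it belongs in its own commit, or at least in the PR description, so the history for the new check stays focused. While touching this block, `scorecardLong` reads awkwardly (“shows security scorecard for an open source software”); “shows a security scorecard for open source software” would be cleaner.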