Scorecard and Sonatype safety rating #12434
Closed
Bananeweizen started this conversation in Ideas
Replies: 2 comments 3 replies
-
Click for scorecard API response
-
I don't think it is enough work for a full GSoC project. I think we can add their badge to the main page badges and fix the easiest items.
I thought it is the reason we have Snyk :) P.S. How come the rating on the site is 2 / 10 but the API shows
-
I know that the people behind this project care a lot about best practices. I'd like to point to https://central.sonatype.dev/artifact/com.puppycrawl.tools/checkstyle/10.4 (the new Maven Central layout), which has a security rating at the right-hand side, which is only 2/10 for checkstyle. I'm not exactly sure how that is calculated. The docs point to Scorecard, which you can query easily for the checkstyle project via https://api.securityscorecards.dev/. It will point out things like releases not being signed or GitHub actions not being version pinned (which allows malicious owners of a GitHub action to release new versions of GitHub actions that do bad things).
At work, meanwhile, we put quite some focus on "supply chain security", creating and validating SBOMs etc. Not sure if you feel this is relevant for the project, but at least you have some pointers for further investigation, if you want. :)
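As an added example (not code from this discussion or from the checkstyle project), here are the two things the post points at, made checkable locally: a summary of which Scorecard checks pull the overall score down, and a scan of a workflow file for `uses:` references that are not pinned to a commit SHA. The JSON layout assumed for the Scorecard response (top-level `score` plus a `checks` list with `name`, `score`, `reason`) is the shape returned by https://api.securityscorecards.dev/, but the values and the workflow below are constructed, not real data for checkstyle.

```python
"""Added example (not from the discussion or the checkstyle project).

1. summarize_scorecard(): list the checks in a Scorecard API response
   that score below a threshold, so the low overall number has a cause.
2. find_unpinned_actions(): flag `uses:` lines in a GitHub Actions
   workflow that are not pinned to a full 40-hex commit SHA, which is
   what Scorecard's Pinned-Dependencies check complains about.
"""
import json
import re

# Constructed sample in the Scorecard API response shape (assumed field
# names: "score", "checks", "name", "score", "reason"); numbers are made up.
SAMPLE_SCORECARD = json.dumps({
    "repo": {"name": "github.com/example-org/example-repo"},
    "score": 4.1,
    "checks": [
        {"name": "Signed-Releases", "score": 0,
         "reason": "0 out of 5 artifacts are signed or have provenance"},
        {"name": "Pinned-Dependencies", "score": 2,
         "reason": "dependency not pinned by hash detected"},
        {"name": "Token-Permissions", "score": 10,
         "reason": "tokens are read-only"},
        {"name": "Branch-Protection", "score": 7,
         "reason": "branch protection is not maximal"},
        {"name": "Vulnerabilities", "score": -1,
         "reason": "check could not run"},
    ],
})


def summarize_scorecard(raw_json: str, threshold: int = 5) -> dict:
    """Return the overall score, the checks below `threshold` (worst first),
    and the checks Scorecard could not run (it reports those as -1)."""
    data = json.loads(raw_json)
    weak, skipped = [], []
    for check in data.get("checks", []):
        if check["score"] < 0:
            skipped.append(check["name"])
        elif check["score"] < threshold:
            weak.append((check["name"], check["score"], check["reason"]))
    weak.sort(key=lambda c: c[1])
    return {"score": data["score"], "weak": weak, "skipped": skipped}


# Constructed workflow fragment (hypothetical, not checkstyle's own); the
# SHA on the setup-java line is a made-up 40-hex value, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567 # v4
        with:
          distribution: temurin
          java-version: 17
      - uses: ./.github/actions/local-step
      - uses: docker://ghcr.io/example/image:latest
      - run: ./mvnw -B verify
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")


def find_unpinned_actions(workflow_text: str) -> list:
    """Return (line_no, ref) for each `uses:` not pinned to a full commit SHA.
    Local actions (./path) are skipped because they ship with the repo;
    docker:// refs count as pinned only when they carry a @sha256 digest."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((line_no, ref))
            continue
        _, _, version = ref.partition("@")  # tag, branch or SHA after '@'
        if not SHA_RE.match(version):
            findings.append((line_no, ref))
    return findings


if __name__ == "__main__":
    summary = summarize_scorecard(SAMPLE_SCORECARD)
    print(f"overall score {summary['score']}")
    for name, score, reason in summary["weak"]:
        print(f"  {name}: {score}/10 ({reason})")
    for line_no, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"  line {line_no}: {ref} is not pinned to a commit SHA")
```

Pinning to a SHA rather than a tag is what removes the risk the post describes: a tag such as `v4` can be moved to new code by whoever controls the action repository, while a commit SHA cannot, and a trailing `# v4` comment keeps the line readable for humans and for tools that bump the pin.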