scorecard --local . --show-details --format json | jq .
{
"date": "2023-02-22",
"repo": {
"name": "file://.",
"commit": "unknown"
},
"scorecard": {
Naveen naveensrinivasan
naveensrinivasan
/ test.go
Created
March 21, 2024 16:32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package packager | |
| import ( | |
| "reflect" | |
| "testing" | |
| "github.com/defenseunicorns/zarf/src/types" | |
| ) | |
| type generateValuesOverridesTestCase struct { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| hello I am Jeff Mendoza software engineer at kusari and welcome to the guacademy video series this is the first video in the series and I'm here to introduce you to guac guac is an open source project licensed with the Apache License it is a tool that helps you understand your software supply chain it stands for it stands for graph for understanding artifact composition it's sort of a database or graph that you add supporting tools to as part of the project and it collects data and insight on your supply chain and then you can use it for Discovery in that supply chain so you might ask how does a graph help with the these supply chain questions so we'll look at some diagrams to show you first we'll start with some s-bombs or software bill of materials these s-bombs cover a single service package or deliverable and then includes the other software pieces that are in that package so you can then load all of those s-bombs into guac and you can see that you have well a bunch of disparate graphs here with the root |
naveensrinivasan
/ metrics.go
Created
September 21, 2023 22:05
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ObserveHistogram - Name: http_request_duration_seconds, Value: 0.000007, Labels: [handler:HelloWorldHandler code:200] | |
| ObserveHistogram - Name: http_request_duration_seconds, Value: 0.000006, Labels: [handler:HelloWorldHandler code:200] | |
| ObserveHistogram - Name: http_request_duration_seconds, Value: 0.000003, Labels: [handler:HelloWorldHandler code:200] |
naveensrinivasan
/ scorecard-blogpost.md
Created
February 16, 2023 23:06
Naveen Srinivasan https://github.com/naveensrinivasan
Have you ever thought about how to ensure that the open source software you're using is secure? It's easy to spend more time researching restaurant reviews than evaluating the security of a new open source dependency, but the consequences of not doing so can be far more serious. Software supply chain attacks are becoming increasingly common, and attackers are targeting vulnerabilities in dependencies early in the supply chain to amplify the impact of their attacks.
Dependency security is in the spotlight, as evidenced by a 742% average annual increase in software supply chain attacks over the past three years. As a result, consumers of open source software need to be informed about the projects they rely on to safeguard their own projects against the next major supply chain attack. Is it safe to use the dependencies
naveensrinivasan
/ naveensrinivasan.md
Last active
May 1, 2023 17:24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| WITH top_repos AS ( | |
| SELECT | |
| REGEXP_REPLACE(repo.url, '^https://', '') as repo_name | |
| FROM | |
| `openssf.criticality_score_cron.criticality-score-v0` | |
| WHERE | |
| collection_date = ( | |
| SELECT | |
| MAX(collection_date) | |
| FROM |
naveensrinivasan
/ main.go
Created
October 10, 2022 23:52
An example to use Scorecard API to check for which repositories are maintained
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "encoding/json" | |
| "fmt" | |
| "io/ioutil" | |
| "net/http" | |
| "sync" | |
| "sync/atomic" | |
| ) |
naveensrinivasan
/ scorecard-action-fork-main-results.sarif
Created
April 9, 2022 22:50
scorecard-action sarif results between main and Golang-staging
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", | |
| "version": "2.1.0", | |
| "runs": [ | |
| { | |
| "automationDetails": { | |
| "id": "supply-chain/branch-protection/33f80c93dc79f860d874857c511c4d26d399609d-09 Apr 22 22:41 +0000" | |
| }, | |
| "tool": { | |
| "driver": { |
naveensrinivasan
/ Pinned-Actions.md
Created
April 3, 2022 17:22
These SHA's are git commit SHA. Most of them can be validated by looking up the tag using the API.
Here is an example of actions/setup-node@v2
https://api.github.com/repos/actions/setup-node/git/refs/tags/v2
This should provide a result like this.
{
NewerOlder