naveensrinivasan

scorecard --local . --show-details --format json | jq .

{
  "date": "2023-02-22",
  "repo": {
    "name": "file://.",
    "commit": "unknown"
  },
  "scorecard": {

naveensrinivasan

Scorecard: The Key to Trusting Your Open Source Dependencies

Naveen Srinivasan https://github.com/naveensrinivasan

Have you ever thought about how to ensure that the open source software you're using is secure? It's easy to spend more time researching restaurant reviews than evaluating the security of a new open source dependency, but the consequences of not doing so can be far more serious. Software supply chain attacks are becoming increasingly common, and attackers are targeting vulnerabilities in dependencies early in the supply chain to amplify the impact of their attacks.

Dependency security is in the spotlight, as evidenced by a 742% average annual increase in software supply chain attacks over the past three years. As a result, consumers of open source software need to be informed about the projects they rely on to safeguard their own projects against the next major supply chain attack. Is it safe to use the dependencies

naveensrinivasan

Naveen Srinivasan is a contributor and maintainer of multiple http://github.com/ossf/ projects, a member and contributor to the http://github.com/sigstore organization. His contributions have earned him recognition with Google Peer Bonus awards in 2021 https://twitter.com/snaveen/status/1422921438764453897 and 2022 https://twitter.com/snaveen/status/1563194155333222400. He has consistently contributed to the open-source community for an extended period, with no gaps in activity for the past two years.In addition to his technical contributions, He is a sought-after speaker at conferences, discussing topics related to supply chain security and mitigating risks in open-source software. He can be found on Twitter (@Naveen_Srini) at https://twitter.com/Naveen_Srini_.

naveensrinivasan

WITH top_repos AS (
  SELECT
    REGEXP_REPLACE(repo.url, '^https://', '') as repo_name
  FROM
    `openssf.criticality_score_cron.criticality-score-v0`
  WHERE
    collection_date = (
    SELECT
      MAX(collection_date)
    FROM

naveensrinivasan

package main

import (
	"encoding/json"
	"fmt"
	"io/ioutil"
	"net/http"
	"sync"
	"sync/atomic"
)

naveensrinivasan

{
   "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
   "version": "2.1.0",
   "runs": [
      {
         "automationDetails": {
            "id": "supply-chain/branch-protection/33f80c93dc79f860d874857c511c4d26d399609d-09 Apr 22 22:41 +0000"
         },
         "tool": {
            "driver": {

naveensrinivasan

How do I validate these SHA?

These SHA's are git commit SHA. Most of them can be validated by looking up the tag using the API.

Here is an example of actions/setup-node@v2 https://api.github.com/repos/actions/setup-node/git/refs/tags/v2

This should provide a result like this.

{

naveensrinivasan

func removeNthFromEnd(head *ListNode, n int) *ListNode {
    cur,cur2,counter:= head,head,0
    if head == nil{
        return head
    }
    
    for cur!= nil && cur.Next != nil{
        counter+=2
        cur = cur.Next.Next
    }

naveensrinivasan

github.com/18F/identity-idp
github.com/1N3/Sn1per

naveensrinivasan

" hi there!

let mapleader = ","
map W :tabdetach<CR>
map A :tabattach<Space>
map U lastClosedTab
map O :history<Space>
map yt :duplicate<CR>
map <C-s> openSearchBar
map <C-r> openSearchBarReverse