@naveensrinivasan
Created February 22, 2023 16:17
scorecard local run

scorecard --local . --show-details --format json | jq .

{
  "date": "2023-02-22",
  "repo": {
    "name": "file://.",
    "commit": "unknown"
  },
  "scorecard": {
    "version": "(devel)",
    "commit": "unknown"
  },
  "score": 9,
  "checks": [
    {
      "details": null,
      "score": 10,
      "reason": "no dangerous workflow patterns detected",
      "name": "Dangerous-Workflow",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow",
        "short": "Determines if the project's GitHub Action workflows avoid dangerous patterns."
      }
    },
    {
      "details": [
        "Info: Dependabot detected: .github/dependabot.yml:1"
      ],
      "score": 10,
      "reason": "update tool detected",
      "name": "Dependency-Update-Tool",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool",
        "short": "Determines if the project uses a dependency update tool."
      }
    },
    {
      "details": [
        "Info: GitHub-owned GitHubActions are pinned",
        "Info: Third-party GitHubActions are pinned",
        "Info: Dockerfile dependencies are pinned",
        "Info: no insecure (not pinned by hash) dependency downloads found in Dockerfiles",
        "Info: no insecure (not pinned by hash) dependency downloads found in shell scripts"
      ],
      "score": 10,
      "reason": "all dependencies are pinned",
      "name": "Pinned-Dependencies",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies",
        "short": "Determines if the project has declared and pinned the dependencies of its build process."
      }
    },
    {
      "details": [
        "Info: High severity: topLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:37",
        "Info: Medium severity: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:42",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:43",
        "Info: High severity: topLevel 'contents' permission set to 'read': .github/workflows/depsreview.yml:18",
        "Info: High severity: topLevel 'contents' permission set to 'read': .github/workflows/docker.yml:16",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/docker.yml:34",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/docker.yml:56",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/docker.yml:104",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/docker.yml:152",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/docker.yml:200",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/docker.yml:248",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/docker.yml:296",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/docker.yml:344",
        "Info: High severity: topLevel 'contents' permission set to 'read': .github/workflows/goreleaser.yaml:23",
        "Info: Medium severity: jobLevel 'actions' permission set to 'read': .github/workflows/goreleaser.yaml:79",
        "Info: High severity: topLevel 'contents' permission set to 'read': .github/workflows/integration.yml:20",
        "Info: High severity: topLevel 'contents' permission set to 'read': .github/workflows/main.yml:18",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/main.yml:640",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/main.yml:765",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/main.yml:854",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/main.yml:889",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/main.yml:37",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/main.yml:77",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/main.yml:172",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/main.yml:448",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/main.yml:304",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/main.yml:688",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/main.yml:735",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/main.yml:125",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/main.yml:352",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/main.yml:496",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/main.yml:592",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/main.yml:808",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/main.yml:208",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/main.yml:256",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/main.yml:400",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/main.yml:544",
        "Info: High severity: topLevel permissions set to 'read-all': .github/workflows/publishimage.yml:17",
        "Info: Medium severity: jobLevel 'contents' permission set to 'read': .github/workflows/publishimage.yml:31",
        "Info: High severity: topLevel permissions set to 'read-all': .github/workflows/scorecard-analysis.yml:13",
        "Info: High severity: topLevel permissions set to 'read-all': .github/workflows/slsa-goreleaser.yml:8",
        "Info: Medium severity: jobLevel 'actions' permission set to 'read': .github/workflows/slsa-goreleaser.yml:30",
        "Info: High severity: topLevel permissions set to 'read-all': .github/workflows/stale.yml:20",
        "Info: High severity: topLevel permissions set to 'read-all': .github/workflows/verify.yml:19",
        "Warn: Medium severity: jobLevel 'checks' permission set to 'write': .github/workflows/verify.yml:24: Verify which permissions are needed and consider whether you can reduce them. (High effort)"
      ],
      "score": 9,
      "reason": "non read-only tokens detected in GitHub workflows",
      "name": "Token-Permissions",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions",
        "short": "Determines if the project's workflows follow the principle of least privilege."
      }
    },
    {
      "details": [
        "Warn: Project is vulnerable to: GO-2022-0646",
        "Warn: Project is vulnerable to: GHSA-3633-5h82-39pq / GO-2022-1004",
        "Warn: Project is vulnerable to: GHSA-vvpx-j8f3-3w6h / GO-2023-1571",
        "Warn: Project is vulnerable to: GHSA-8cfg-vx93-jvxw / GO-2021-0064"
      ],
      "score": 6,
      "reason": "4 existing vulnerabilities detected",
      "name": "Vulnerabilities",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities",
        "short": "Determines if the project has open, known unfixed vulnerabilities."
      }
    }
  ],
  "metadata": null
}
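The JSON above is what a CI job would consume to decide whether a build may proceed. The following is an added example, not code from this gist or from the scorecard project: a small Python gate that reads the `--format json` output, fails on any check below a per-check minimum (the thresholds and the `accepted` advisory allowlist are assumptions for illustration), and treats the `Vulnerabilities` check specially so that advisories an operator has reviewed and accepted do not fail the build while new ones still do. The embedded `SAMPLE_REPORT` is a constructed, condensed copy of the report shown above.

```python
"""Policy gate over OpenSSF Scorecard JSON output (added example, not scorecard's own code).

Usage:  scorecard --local . --show-details --format json | python scorecard_gate.py
With no piped input it evaluates the constructed SAMPLE_REPORT below.
"""
import json
import re
import sys

# Constructed sample: condensed from the local run shown above, same shape as the real output.
SAMPLE_REPORT = json.dumps({
    "score": 9,
    "checks": [
        {"name": "Dangerous-Workflow", "score": 10, "details": None,
         "reason": "no dangerous workflow patterns detected"},
        {"name": "Pinned-Dependencies", "score": 10, "reason": "all dependencies are pinned",
         "details": ["Info: GitHub-owned GitHubActions are pinned",
                     "Info: Third-party GitHubActions are pinned"]},
        {"name": "Token-Permissions", "score": 9,
         "reason": "non read-only tokens detected in GitHub workflows",
         "details": [
             "Info: High severity: topLevel permissions set to 'read-all': .github/workflows/verify.yml:19",
             "Warn: Medium severity: jobLevel 'checks' permission set to 'write': .github/workflows/verify.yml:24: "
             "Verify which permissions are needed and consider whether you can reduce them. (High effort)",
         ]},
        {"name": "Vulnerabilities", "score": 6, "reason": "4 existing vulnerabilities detected",
         "details": [
             "Warn: Project is vulnerable to: GO-2022-0646",
             "Warn: Project is vulnerable to: GHSA-3633-5h82-39pq / GO-2022-1004",
             "Warn: Project is vulnerable to: GHSA-vvpx-j8f3-3w6h / GO-2023-1571",
             "Warn: Project is vulnerable to: GHSA-8cfg-vx93-jvxw / GO-2021-0064",
         ]},
    ],
})

# Hypothetical policy: minimum acceptable score per check. Checks not listed here are not gated.
DEFAULT_POLICY = {
    "Dangerous-Workflow": 10,
    "Token-Permissions": 9,
    "Pinned-Dependencies": 10,
    "Vulnerabilities": 10,
}

# Advisory identifiers as they appear in the Vulnerabilities details (GitHub GHSA and Go vuln DB IDs).
VULN_ID = re.compile(r"\b(GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}|GO-\d{4}-\d+)\b")


def load_report(text):
    """Parse scorecard JSON and index its checks by name."""
    return {c["name"]: c for c in json.loads(text).get("checks", [])}


def warn_details(checks):
    """Map check name -> detail lines scorecard flagged as 'Warn:' (Info lines are dropped)."""
    out = {}
    for name, check in checks.items():
        warns = [d for d in (check.get("details") or []) if d.startswith("Warn:")]
        if warns:
            out[name] = warns
    return out


def vulnerability_ids(checks):
    """All advisory IDs named by the Vulnerabilities check, both GHSA and GO aliases."""
    ids = set()
    for line in (checks.get("Vulnerabilities") or {}).get("details") or []:
        ids.update(VULN_ID.findall(line))
    return ids


def unaccepted_vulnerabilities(checks, accepted):
    """Vulnerability findings with no accepted ID. One finding may carry two aliases
    (GHSA / GO); accepting either alias silences that finding."""
    out = []
    for line in (checks.get("Vulnerabilities") or {}).get("details") or []:
        ids = set(VULN_ID.findall(line))
        if ids and not ids & set(accepted):
            out.append(line)
    return out


def evaluate(report_text, policy=DEFAULT_POLICY, accepted=frozenset()):
    """Return a list of (check_name, message) failures; an empty list means the gate passes."""
    checks = load_report(report_text)
    failures = []
    for name, minimum in policy.items():
        check = checks.get(name)
        if check is None:
            # A required check absent from the report is a failure: absence proves nothing.
            failures.append((name, "check missing from report"))
            continue
        if name == "Vulnerabilities":
            outstanding = unaccepted_vulnerabilities(checks, accepted)
            if outstanding:
                failures.append((name, "%d unaccepted: %s" % (len(outstanding), "; ".join(outstanding))))
            continue  # accepted advisories must not fail the build on the raw score alone
        score = check.get("score")
        # scorecard reports -1 for a check that could not run; treat that as failing, not passing.
        if score is None or score < minimum:
            failures.append((name, "score %s below minimum %d: %s" % (score, minimum, check.get("reason"))))
    return failures


if __name__ == "__main__":
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    problems = evaluate(text)
    for name, msg in problems:
        print("FAIL %s: %s" % (name, msg))
    sys.exit(1 if problems else 0)
```

The allowlist is keyed on advisory IDs rather than on the check's score because the score only counts findings: accepting a reviewed advisory should not also hide a newly reported one, which a plain "score >= 6" threshold would do.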