(branch protection settings)

Check             | Risk | Question the check answers                                                  | What it inspects
Code-Review       | High | Is human code review required?                                              | Approval state of recent commits; whether author and committer are the same person
Signed-Releases   | High | Are release artifacts digitally signed?                                     | Presence of *.sig, *.asc, etc. among the most recent release artifacts
Token-Permissions | High | Do the tokens used by workflows follow the principle of least privilege?    | The permissions specified in the workflow
Vulnerabilities   | High | Does the project or any of its dependencies have unfixed vulnerabilities?   | The OSV vulnerability database

GitLab LOCAL
Scorecard output for ossf/scorecard (entries cut off in the capture are marked with …):

Code-Review             8   Found 8/9 approved changesets
Vulnerabilities         8   2 existing vulnerabilities detected
                            Warn: Project is vulnerable to: GO-2022-0635
                            Warn: Project is vulnerable to: GO-2022-0646
Binary-Artifacts        10  No binaries found in the repo
Dependency-Update-Tool  10  Detected update tool: Dependabot: .github/dependabot.yml:1
Maintained              10  30 commit(s) and 18 issue activity found in the last 90 days
Signed-Releases         10  5 out of the last 5 releases have a total of 5 signed artifacts.
                            Info: provenance for release artifact: multiple.intoto.jsonl: https://api.github.com/repos/ossf/scorecard/releases/assets/180656635
Token-Permissions       10  Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:45….
…                           detected
                            56 out of 56 GitHub-owned GitHubAction dependencies pinned
                            44 out of 46 third-party GitHubAction dependencies pinned
                            25 out of 25 containerImage dependencies pinned
                            1 out of 1 goCommand dependencies pinned
Fuzzing                 10  Project is fuzzed
                            OSSFuzz integration found
                            GoBuiltInFuzzer integration found: checks/raw/fuzzing_test.go:179
Packaging               10  Packaging workflow detected
SAST                    10  SAST tool is run on all commits
                            SAST configuration detected: CodeQL
                            all commits (29) are checked with a SAST tool
Security-Policy         10  security policy file detected: SECURITY.md:1
                            Found linked content: SECURITY.md:1
                            Found disclosure, vulnerability, and/or timelines in security policy
CII-Best-Practices      5   badge detected: Passing
…                           PRs checked by a CI test
Contributors            10  project has 67 contributing companies or organizations
License                 10  license file detected
                            project has a license file: LICENSE:0
                            FSF or OSI recognized license: Apache License 2.0: LICENSE:0
Branch-Protection       --
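The scores above are only useful in CI if something gates on them. The following is an added example, not code from the page or from the Scorecard project: a small policy gate over Scorecard's JSON output that fails when a High-risk check (the risk levels from the table above) scores below a threshold, refuses to treat a check Scorecard could not evaluate as a pass, and pulls the advisory IDs out of the Vulnerabilities details. It assumes the shape of `scorecard --format json` output (a top-level `checks` array whose entries carry `name`, `score`, `reason` and `details`, with `-1` meaning the check was inconclusive), assumes Branch-Protection is High risk (its row is cut off in the table), and uses a threshold of 8 as an illustrative policy. The embedded report is a constructed sample that mirrors the run shown above.

```python
"""Policy gate over OpenSSF Scorecard JSON output (added example, not Scorecard code)."""
import json
import re
import sys
from dataclasses import dataclass, field

# Risk levels taken from the check table above; Branch-Protection is assumed High
# (its row is cut off in the table).  Only High-risk checks are gated here.
HIGH_RISK_CHECKS = {
    "Branch-Protection", "Code-Review", "Signed-Releases",
    "Token-Permissions", "Vulnerabilities",
}

# Assumed: Scorecard reports -1 for a check it could not evaluate (for example
# Branch-Protection run without an admin token).  That must not pass silently.
INCONCLUSIVE = -1

# Matches the advisory ID in Vulnerabilities details such as
# "Warn: Project is vulnerable to: GO-2022-0635".
VULN_ID_RE = re.compile(r"vulnerable to:\s*(\S+)")


@dataclass
class PolicyResult:
    failures: list = field(default_factory=list)      # High-risk checks under the threshold
    inconclusive: list = field(default_factory=list)  # High-risk checks scored -1 or missing
    vuln_ids: list = field(default_factory=list)      # advisory IDs from the Vulnerabilities check

    @property
    def ok(self) -> bool:
        return not self.failures and not self.inconclusive


def evaluate(report: dict, min_score: int = 8) -> PolicyResult:
    """Apply the policy: every High-risk check must be present and score >= min_score."""
    result = PolicyResult()
    seen = set()
    for check in report.get("checks", []):
        name, score = check["name"], check["score"]
        seen.add(name)
        if name == "Vulnerabilities":
            for detail in check.get("details") or []:  # details may be null in the JSON
                m = VULN_ID_RE.search(detail)
                if m:
                    result.vuln_ids.append(m.group(1))
        if name not in HIGH_RISK_CHECKS:
            continue
        if score == INCONCLUSIVE:
            result.inconclusive.append(name)
        elif score < min_score:
            result.failures.append(f"{name}: {score} < {min_score} ({check.get('reason', '')})")
    # A High-risk check absent from the report is not a pass either.
    result.inconclusive.extend(sorted(HIGH_RISK_CHECKS - seen))
    return result


# Constructed sample in the assumed shape of `scorecard --format json` output;
# scores and messages mirror the run shown above.
SAMPLE_REPORT = {
    "repo": {"name": "github.com/ossf/scorecard"},
    "checks": [
        {"name": "Code-Review", "score": 8,
         "reason": "Found 8/9 approved changesets", "details": None},
        {"name": "Vulnerabilities", "score": 8,
         "reason": "2 existing vulnerabilities detected",
         "details": ["Warn: Project is vulnerable to: GO-2022-0635",
                     "Warn: Project is vulnerable to: GO-2022-0646"]},
        {"name": "Signed-Releases", "score": 10,
         "reason": "5 out of the last 5 releases have a total of 5 signed artifacts.",
         "details": None},
        {"name": "Token-Permissions", "score": 10,
         "reason": "workflow tokens follow least privilege",
         "details": ["Info: jobLevel 'actions' permission set to 'read': "
                     ".github/workflows/codeql-analysis.yml:45"]},
        {"name": "Branch-Protection", "score": -1,
         "reason": "check could not be evaluated", "details": None},
        {"name": "Maintained", "score": 10,
         "reason": "30 commit(s) and 18 issue activity found in the last 90 days",
         "details": None},
    ],
}


def main(argv):
    """Exit non-zero when the policy fails; reads a JSON file if one is given."""
    report = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_REPORT
    res = evaluate(report)
    for f in res.failures:
        print("FAIL", f)
    for n in res.inconclusive:
        print("INCONCLUSIVE", n)
    if res.vuln_ids:
        print("advisories:", ", ".join(res.vuln_ids))
    return 0 if res.ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python gate.py scorecard.json` after `scorecard --repo=... --format json > scorecard.json`. On the sample the two 8/10 High-risk checks pass at the default threshold, but the gate still exits 1 because Branch-Protection was inconclusive; raising `min_score` to 9 turns Code-Review and Vulnerabilities into failures as well, which is the knob a team would tune per repository.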