├── .codecov.yml ├── .github ├── CODEOWNERS ├── ISSUE_TEMPLATE │ ├── bug_report.md │ └── feature_request.md ├── PULL_REQUEST_TEMPLATE.md ├── dependabot.yml ├── security-insights.yml └── workflows │ ├── codeql-analysis.yml │ ├── depsreview.yml │ ├── docker.yml │ ├── gitlab.yml │ ├── goreleaser.yaml │ ├── integration.yml │ ├── lint.yml │ ├── main.yml │ ├── osps-baseline.yml │ ├── publishimage.yml │ ├── scdiff.yml │ ├── scorecard-analysis.yml │ ├── stale.yml │ └── verify.yml ├── .gitignore ├── .golangci.yml ├── .goreleaser.yml ├── .ko.yaml ├── CHARTER.md ├── CHARTER.pdf ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── CONTRIBUTOR_LADDER.md ├── Dockerfile ├── LICENSE ├── MAINTAINERS.md ├── Makefile ├── README.md ├── RELEASE.md ├── SECURITY.md ├── artwork ├── openssf_security.png ├── openssf_security.svg ├── openssf_security_alt.png ├── openssf_security_alt.svg ├── openssf_security_alt_compressed.png └── openssf_security_compressed.png ├── attestor ├── Dockerfile ├── README.md ├── cloudbuild.yaml ├── command │ ├── check.go │ ├── cli.go │ ├── cli_test.go │ └── sign.go ├── policy │ ├── attestation_policy.go │ ├── attestation_policy_test.go │ └── testdata │ │ ├── policy-binauthz-allowlist.yaml │ │ ├── policy-binauthz-invalid.yaml │ │ ├── policy-binauthz-missingparam.yaml │ │ └── policy-binauthz.yaml └── root.go ├── checker ├── check_request.go ├── check_request_test.go ├── check_result.go ├── check_result_test.go ├── check_runner.go ├── client.go ├── client_test.go ├── detail_logger.go ├── detail_logger_impl.go ├── detail_logger_impl_test.go ├── raw_result.go └── raw_result_test.go ├── checks ├── all_checks.go ├── all_checks_test.go ├── binary_artifact.go ├── binary_artifact_test.go ├── branch_protection.go ├── branch_protection_test.go ├── ci_tests.go ├── ci_tests_test.go ├── cii_best_practices.go ├── cii_best_practices_test.go ├── code_review.go ├── code_review_test.go ├── contributors.go ├── contributors_test.go ├── dangerous_workflow.go ├── dangerous_workflow_test.go ├── dependency_update_tool.go ├── dependency_update_tool_test.go ├── errors.go ├── evaluation │ ├── binary_artifacts.go │ ├── binary_artifacts_test.go │ ├── branch_protection.go │ ├── branch_protection_test.go │ ├── ci_tests.go │ ├── ci_tests_test.go │ ├── cii_best_practices.go │ ├── cii_best_practices_test.go │ ├── code_review.go │ ├── code_review_test.go │ ├── contributors.go │ ├── contributors_test.go │ ├── dangerous_workflow.go │ ├── dangerous_workflow_test.go │ ├── dependency_update_tool.go │ ├── dependency_update_tool_test.go │ ├── fuzzing.go │ ├── fuzzing_test.go │ ├── license.go │ ├── license_test.go │ ├── maintained.go │ ├── maintained_test.go │ ├── packaging.go │ ├── packaging_test.go │ ├── permissions.go │ ├── pinned_dependencies.go │ ├── pinned_dependencies_test.go │ ├── sast.go │ ├── sast_test.go │ ├── sbom.go │ ├── sbom_test.go │ ├── security_policy.go │ ├── security_policy_test.go │ ├── signed_releases.go │ ├── signed_releases_test.go │ ├── vulnerabilities.go │ ├── vulnerabilities_test.go │ ├── webhooks.go │ └── webhooks_test.go ├── fileparser │ ├── errors.go │ ├── github_workflow.go │ ├── github_workflow_test.go │ ├── gitlab_workflow.go │ ├── listing.go │ └── listing_test.go ├── fuzzing.go ├── fuzzing_test.go ├── license.go ├── license_test.go ├── maintained.go ├── maintained_test.go ├── packaging.go ├── permissions.go ├── permissions_test.go ├── pinned_dependencies.go ├── pinned_dependencies_test.go ├── probes.go ├── raw │ ├── binary_artifact.go │ ├── binary_artifact_test.go │ ├── branch_protection.go │ ├── branch_protection_test.go │ ├── ci_tests.go │ ├── cii_best_practices.go │ ├── code_review.go │ ├── code_review_test.go │ ├── contributors.go │ ├── contributors_test.go │ ├── dangerous_workflow.go │ ├── dangerous_workflow_test.go │ ├── dependency_update_tool.go │ ├── dependency_update_tool_test.go │ ├── errors.go │ ├── fuzzing.go │ ├── fuzzing_test.go │ ├── github │ │ └── packaging.go │ ├── gitlab │ │ ├── packaging.go │ │ ├── packaging_test.go │ │ └── testdata │ │ │ ├── docker.yaml │ │ │ ├── no-publishing.yaml │ │ │ ├── nuget.yaml │ │ │ ├── poetry.yaml │ │ │ └── twine.yaml │ ├── license.go │ ├── license_test.go │ ├── maintained.go │ ├── maintained_test.go │ ├── permissions.go │ ├── pinned_dependencies.go │ ├── pinned_dependencies_test.go │ ├── sast.go │ ├── sast_test.go │ ├── sbom.go │ ├── sbom_test.go │ ├── security_policy.go │ ├── security_policy_test.go │ ├── shell_download_validate.go │ ├── shell_download_validate_test.go │ ├── signed_releases.go │ ├── testdata │ │ ├── .github │ │ │ └── workflows │ │ │ │ ├── airflows-codeql.yaml │ │ │ │ ├── github-hadolint-workflow.yaml │ │ │ │ ├── github-pysa-workflow.yaml │ │ │ │ ├── github-qodana-workflow.yaml │ │ │ │ ├── github-workflow-comments.yaml │ │ │ │ ├── github-workflow-curl-default.yaml │ │ │ │ ├── github-workflow-curl-no-default.yaml │ │ │ │ ├── github-workflow-download-lines.yaml │ │ │ │ ├── github-workflow-empty.yaml │ │ │ │ ├── github-workflow-job-uses.yaml │ │ │ │ ├── github-workflow-matrix-expression.yaml │ │ │ │ ├── github-workflow-multiple-unpinned-uses.yaml │ │ │ │ ├── github-workflow-pkg-managers.yaml │ │ │ │ ├── github-workflow-snyk.yaml │ │ │ │ ├── github-workflow-unknown-os.yaml │ │ │ │ ├── github-workflow-wget-across-steps.yaml │ │ │ │ ├── pom.xml │ │ │ │ ├── workflow-anchor.yaml │ │ │ │ ├── workflow-local-action.yaml │ │ │ │ ├── workflow-mix-github-and-non-github-not-pinned.yaml │ │ │ │ ├── workflow-mix-github-and-non-github-pinned.yaml │ │ │ │ ├── workflow-mix-pinned-and-non-pinned-github.yaml │ │ │ │ ├── workflow-mix-pinned-and-non-pinned-non-github.yaml │ │ │ │ ├── workflow-non-github-pinned.yaml │ │ │ │ ├── workflow-not-pinned.yaml │ │ │ │ └── workflow-pinned.yaml │ │ ├── Directory.CPMFalse.packages.props │ │ ├── Directory.Pinned.packages.props │ │ ├── Directory.PinnedMultipleGroups.packages.props │ │ ├── Directory.Undeclared.packages.props │ │ ├── Directory.UndeclaredVersions.packages.props │ │ ├── Directory.UnpinnedMultipleGroups.packages.props │ │ ├── Directory.UnpinnedVersions.packages.props │ │ ├── Dockerfile-args │ │ ├── Dockerfile-aws-file │ │ ├── Dockerfile-base │ │ ├── Dockerfile-comments │ │ ├── Dockerfile-curl-file-sh │ │ ├── Dockerfile-curl-sh │ │ ├── Dockerfile-download-heredoc │ │ ├── Dockerfile-download-lines │ │ ├── Dockerfile-download-multi-runs │ │ ├── Dockerfile-empty │ │ ├── Dockerfile-empty-run-array │ │ ├── Dockerfile-from-scratch │ │ ├── Dockerfile-gsutil-file │ │ ├── Dockerfile-invalid │ │ ├── Dockerfile-no-curl-sh │ │ ├── Dockerfile-no-curl-sh-with-parser-error │ │ ├── Dockerfile-not-pinned │ │ ├── Dockerfile-not-pinned-as │ │ ├── Dockerfile-not-pinned-as-simple │ │ ├── Dockerfile-not-pinned-with-parser-error │ │ ├── Dockerfile-pinned │ │ ├── Dockerfile-pinned-arg │ │ ├── Dockerfile-pinned-as │ │ ├── Dockerfile-pinned-as-without-hash │ │ ├── Dockerfile-pkg-managers │ │ ├── Dockerfile-proc-subs │ │ ├── Dockerfile-script-ok │ │ ├── Dockerfile-some-python │ │ ├── Dockerfile-wget-bin-sh │ │ ├── Dockerfile-wget-file │ │ ├── dotnet-empty.csproj │ │ ├── dotnet-invalid.csproj │ │ ├── dotnet-locked-mode-disabled-implicitly.csproj │ │ ├── dotnet-locked-mode-disabled.csproj │ │ ├── dotnet-locked-mode-enabled.csproj │ │ ├── script-bash │ │ ├── script-comments.sh │ │ ├── script-empty.sh │ │ ├── script-free-from-download.sh │ │ ├── script-invalid.sh │ │ ├── script-pkg-managers │ │ ├── script-wget-pinned │ │ ├── shell-download-lines.sh │ │ ├── shell_file_awk_shebang.sh │ │ ├── shell_file_bash_shebang1.sh │ │ ├── shell_file_bash_shebang2.sh │ │ ├── shell_file_bash_shebang3.sh │ │ ├── shell_file_mksh_shebang.sh │ │ ├── shell_file_no_shebang.sh │ │ ├── shell_file_sh_shebang.sh │ │ ├── shell_file_zsh_shebang.sh │ │ └── vendor │ │ │ └── Dockerfile-not-pinned-as │ ├── vulnerabilities.go │ ├── vulnerabilities_test.go │ ├── webhook.go │ └── webhooks_test.go ├── sast.go ├── sast_test.go ├── sbom.go ├── sbom_test.go ├── security_policy.go ├── security_policy_test.go ├── signed_releases.go ├── signed_releases_test.go ├── testdata │ ├── .github │ │ └── workflows │ │ │ ├── airflow-codeql-workflow.yaml │ │ │ ├── github-hadolint-workflow.yaml │ │ │ ├── github-workflow-dangerous-pattern-default-checkout.yml │ │ │ ├── github-workflow-dangerous-pattern-safe-trigger.yml │ │ │ ├── github-workflow-dangerous-pattern-trusted-checkout.yml │ │ │ ├── github-workflow-dangerous-pattern-trusted-script-injection.yml │ │ │ ├── github-workflow-dangerous-pattern-untrusted-checkout-workflow_run.yml │ │ │ ├── github-workflow-dangerous-pattern-untrusted-checkout.yml │ │ │ ├── github-workflow-dangerous-pattern-untrusted-inline-script-injection.yml │ │ │ ├── github-workflow-dangerous-pattern-untrusted-multiple-script-injection.yml │ │ │ ├── github-workflow-dangerous-pattern-untrusted-script-injection-wildcard.yml │ │ │ ├── github-workflow-dangerous-pattern-untrusted-script-injection.yml │ │ │ ├── github-workflow-packaging-cargo.yaml │ │ │ ├── github-workflow-packaging-docker-action.yaml │ │ │ ├── github-workflow-packaging-docker-push.yaml │ │ │ ├── github-workflow-packaging-elixir.yaml │ │ │ ├── github-workflow-packaging-gem.yaml │ │ │ ├── github-workflow-packaging-go.yaml │ │ │ ├── github-workflow-packaging-gradle.yaml │ │ │ ├── github-workflow-packaging-maven-multi-line.yaml │ │ │ ├── github-workflow-packaging-maven.yaml │ │ │ ├── github-workflow-packaging-npm-github.yaml │ │ │ ├── github-workflow-packaging-npm.yaml │ │ │ ├── github-workflow-packaging-nuget.yaml │ │ │ ├── github-workflow-packaging-pypi-failing.yaml │ │ │ ├── github-workflow-packaging-pypi-minimal.yaml │ │ │ ├── github-workflow-packaging-pypi.yaml │ │ │ ├── github-workflow-packaging-python-semantic-release.yaml │ │ │ ├── github-workflow-packaging-sbt-ci-release.yaml │ │ │ ├── github-workflow-packaging-semantic-release.yaml │ │ │ ├── github-workflow-permissions-absent.yaml │ │ │ ├── github-workflow-permissions-actions.yaml │ │ │ ├── github-workflow-permissions-contents-writes-no-release.yaml │ │ │ ├── github-workflow-permissions-contents-writes-release-mvn-release.yaml │ │ │ ├── github-workflow-permissions-contents-writes-release-semantic-release-pnpm.yaml │ │ │ ├── github-workflow-permissions-contents-writes-release-semantic-release-yarn.yaml │ │ │ ├── github-workflow-permissions-contents-writes-release-semantic-release.yaml │ │ │ ├── github-workflow-permissions-contents-writes-release.yaml │ │ │ ├── github-workflow-permissions-contents.yaml │ │ │ ├── github-workflow-permissions-gh-pages.yaml │ │ │ ├── github-workflow-permissions-jobs-only.yaml │ │ │ ├── github-workflow-permissions-none.yaml │ │ │ ├── github-workflow-permissions-nones.yaml │ │ │ ├── github-workflow-permissions-packages-writes.yaml │ │ │ ├── github-workflow-permissions-packages.yaml │ │ │ ├── github-workflow-permissions-readall.yaml │ │ │ ├── github-workflow-permissions-reads.yaml │ │ │ ├── github-workflow-permissions-run-codeql-write.yaml │ │ │ ├── github-workflow-permissions-run-level-only.yaml │ │ │ ├── github-workflow-permissions-run-multiple-writes.yaml │ │ │ ├── github-workflow-permissions-run-no-codeql-write.yaml │ │ │ ├── github-workflow-permissions-run-package-workflow-write.yaml │ │ │ ├── github-workflow-permissions-run-package-write.yaml │ │ │ ├── github-workflow-permissions-run-write-codeql-comment.yaml │ │ │ ├── github-workflow-permissions-run-writes-2.yaml │ │ │ ├── github-workflow-permissions-run-writes.yaml │ │ │ ├── github-workflow-permissions-secevent-deployments.yaml │ │ │ ├── github-workflow-permissions-secevent-known-actions.yaml │ │ │ ├── github-workflow-permissions-status-checks.yaml │ │ │ ├── github-workflow-permissions-top-level-only.yaml │ │ │ ├── github-workflow-permissions-writeall.yaml │ │ │ ├── github-workflow-permissions-writes.yaml │ │ │ ├── github-workflow-sast-codeql.yaml │ │ │ ├── github-workflow-sast-no-codeql.yaml │ │ │ ├── github-workflow-shells-all-windows-bash.yaml │ │ │ ├── github-workflow-shells-all-windows-matrix-include-empty.yaml │ │ │ ├── github-workflow-shells-all-windows-matrix-include.yaml │ │ │ ├── github-workflow-shells-all-windows-matrix.yaml │ │ │ ├── github-workflow-shells-all-windows.yaml │ │ │ ├── github-workflow-shells-default-macos.yaml │ │ │ ├── github-workflow-shells-default-ubuntu.yaml │ │ │ ├── github-workflow-shells-default-windows.yaml │ │ │ ├── github-workflow-shells-runner-windows-ubuntu.yaml │ │ │ ├── github-workflow-shells-specified-job-step.yaml │ │ │ ├── github-workflow-shells-specified-job-windows.yaml │ │ │ ├── github-workflow-shells-specified-job.yaml │ │ │ ├── github-workflow-shells-specified-step.yaml │ │ │ ├── github-workflow-shells-two-shells.yaml │ │ │ ├── github-workflow-shells-windows-bash.yaml │ │ │ └── spicedb-release.yaml │ ├── Dockerfile-pinned-without-hash │ ├── binaryartifacts │ │ ├── executables │ │ │ └── darwin-arm64-bt │ │ ├── jars │ │ │ ├── aws-java-sdk-core-1.11.571.jar │ │ │ └── gradle-wrapper.jar │ │ ├── printable.lib │ │ ├── wasms │ │ │ └── simple.wasm │ │ └── workflows │ │ │ ├── invalid.yaml │ │ │ ├── nonverify.yaml │ │ │ ├── verify-new-gradle-name.yaml │ │ │ └── verify.yaml │ ├── licensedir │ │ ├── withlicense │ │ │ └── LICENSE │ │ └── withoutlicense │ │ │ └── README.md │ ├── pom-1line.xml │ ├── pom-2lines.xml │ ├── script-sh │ ├── script.sh │ └── securitypolicy │ │ ├── 00_1byte │ │ ├── 00_empty │ │ ├── 03_securitypolicy │ │ ├── 03_textOnly │ │ ├── 04_textAndDisclosureVulns │ │ ├── 06_emailOnly │ │ ├── 06_urlAndEmailOnly │ │ ├── 06_urlOnly │ │ ├── 09_linkedContentAndText │ │ ├── 10_linkedContentAndTextAndDisclosureVulns │ │ ├── 10_realworld │ │ └── 10_realworldtwo ├── vulnerabilities.go ├── vulnerabilities_test.go ├── webhook.go ├── webhook_test.go └── write.md ├── clients ├── azuredevopsrepo │ ├── audit.go │ ├── audit_test.go │ ├── azure_devops_suite_test.go │ ├── branches.go │ ├── branches_test.go │ ├── builds.go │ ├── builds_e2e_test.go │ ├── builds_test.go │ ├── client.go │ ├── client_test.go │ ├── commits.go │ ├── commits_test.go │ ├── const.go │ ├── contributors.go │ ├── contributors_test.go │ ├── languages.go │ ├── languages_test.go │ ├── policy.go │ ├── policy_test.go │ ├── repo.go │ ├── repo_test.go │ ├── search.go │ ├── search_commits.go │ ├── search_commits_test.go │ ├── search_e2e_test.go │ ├── search_test.go │ ├── testdata │ │ └── basic.zip │ ├── webhooks.go │ ├── webhooks_test.go │ ├── work_items.go │ ├── work_items_test.go │ ├── zip.go │ └── zip_test.go ├── branch.go ├── checkruns.go ├── cii_blob_client.go ├── cii_client.go ├── cii_http_client.go ├── cii_response.go ├── cii_response_test.go ├── commit.go ├── git │ ├── client.go │ ├── client_test.go │ ├── e2e_test.go │ └── gitrepo_suite_test.go ├── githubrepo │ ├── branches.go │ ├── branches_e2e_test.go │ ├── branches_test.go │ ├── checkruns.go │ ├── checkruns_e2e_test.go │ ├── checkruns_test.go │ ├── client.go │ ├── contributors.go │ ├── contributors_e2e_test.go │ ├── contributors_test.go │ ├── copy.go │ ├── copy_test.go │ ├── githubrepo_suite_test.go │ ├── graphql.go │ ├── graphql_e2e_test.go │ ├── graphql_test.go │ ├── internal │ │ └── fnmatch │ │ │ ├── fnmatch.go │ │ │ └── fnmatch_test.go │ ├── languages.go │ ├── languages_e2e_test.go │ ├── licenses.go │ ├── licenses_e2e_test.go │ ├── releases.go │ ├── releases_e2e_test.go │ ├── repo.go │ ├── repo_test.go │ ├── roundtripper │ │ ├── census.go │ │ ├── rate_limit.go │ │ ├── rate_limit_test.go │ │ ├── roundtripper.go │ │ ├── tokens │ │ │ ├── accessor.go │ │ │ ├── accessor_test.go │ │ │ ├── round_robin.go │ │ │ ├── round_robin_test.go │ │ │ ├── rpc.go │ │ │ ├── rpc_client.go │ │ │ ├── rpc_test.go │ │ │ └── server │ │ │ │ ├── Dockerfile │ │ │ │ ├── cloudbuild.yaml │ │ │ │ └── main.go │ │ └── transport.go │ ├── search.go │ ├── searchCommits.go │ ├── searchCommits_test.go │ ├── search_test.go │ ├── stats │ │ └── stats.go │ ├── statuses.go │ ├── statuses_e2e_test.go │ ├── tarball.go │ ├── tarball_test.go │ ├── testdata │ │ ├── basic.tar.gz │ │ └── valid-webhook.json │ ├── webhook.go │ ├── webhook_test.go │ └── workflows.go ├── gitlabrepo │ ├── branches.go │ ├── branches_e2e_test.go │ ├── branches_test.go │ ├── checkruns.go │ ├── checkruns_test.go │ ├── client.go │ ├── client_e2e_test.go │ ├── client_test.go │ ├── commits.go │ ├── commits_e2e_test.go │ ├── commits_test.go │ ├── contributors.go │ ├── contributors_test.go │ ├── gitlab_suite_test.go │ ├── graphql.go │ ├── graphql_e2e_test.go │ ├── issues.go │ ├── issues_test.go │ ├── languages.go │ ├── languages_e2e_test.go │ ├── licenses.go │ ├── project.go │ ├── project_e2e_test.go │ ├── releases.go │ ├── releases_e2e_test.go │ ├── repo.go │ ├── repo_test.go │ ├── search.go │ ├── searchCommits.go │ ├── searchCommits_test.go │ ├── search_test.go │ ├── statuses.go │ ├── statuses_test.go │ ├── tarball.go │ ├── tarball_e2e_test.go │ ├── tarball_test.go │ ├── testdata │ │ ├── basic.tar.gz │ │ ├── empty-response │ │ ├── valid-checkruns │ │ ├── valid-commits │ │ ├── valid-issues │ │ ├── valid-repo-members │ │ ├── valid-search-result │ │ ├── valid-search-result-1 │ │ ├── valid-status │ │ └── valid-webhook │ ├── webhook.go │ ├── webhook_test.go │ ├── workflow_e2e_test.go │ └── workflows.go ├── issue.go ├── languages.go ├── licenses.go ├── localdir │ ├── client.go │ ├── client_test.go │ ├── repo.go │ └── testdata │ │ └── repo0 │ │ ├── dir1 │ │ ├── dir2 │ │ │ └── file2 │ │ └── file1 │ │ └── file0 ├── mockclients │ ├── cii_client.go │ ├── license.txt │ ├── projectpackageclient.go │ ├── repo.go │ ├── repo_client.go │ └── vulnerabilities.go ├── ossfuzz │ ├── client.go │ ├── client_test.go │ └── testdata │ │ ├── invalid.json │ │ └── status.json ├── osv.go ├── osv_test.go ├── pull_request.go ├── release.go ├── repo.go ├── repo_client.go ├── search.go ├── statuses.go ├── user.go ├── vulnerabilities.go ├── webhook.go └── workflows.go ├── cloudbuild ├── README.md ├── scorecard-tag.yaml └── scorecard.yaml ├── cmd ├── internal │ ├── nuget │ │ ├── client.go │ │ ├── client_test.go │ │ ├── nuget_mockclient.go │ │ └── testdata │ │ │ ├── index.json │ │ │ ├── index_bad_package_base.json │ │ │ ├── index_bad_registration_base.json │ │ │ ├── package_registration_index_all_not_listed.json │ │ │ ├── package_registration_index_default_listed_true.json │ │ │ ├── package_registration_index_four_digit_version.json │ │ │ ├── package_registration_index_marshal_error.json │ │ │ ├── package_registration_index_metadata_version.json │ │ │ ├── package_registration_index_multiple.json │ │ │ ├── package_registration_index_multiple_last.json │ │ │ ├── package_registration_index_multiple_remote.json │ │ │ ├── package_registration_index_pre_release_and_metadata_version.json │ │ │ ├── package_registration_index_pre_release_version.json │ │ │ ├── package_registration_index_single.json │ │ │ ├── package_registration_index_with_not_listed.json │ │ │ ├── package_registration_page_one.json │ │ │ ├── package_registration_page_two.json │ │ │ ├── package_registration_page_two_not_listed.json │ │ │ ├── package_spec.xml │ │ │ ├── package_spec_error.xml │ │ │ ├── package_spec_four_digit_version.xml │ │ │ ├── package_spec_git_ending.xml │ │ │ ├── package_spec_project_url.xml │ │ │ ├── package_spec_project_url_git_ending.xml │ │ │ ├── package_spec_project_url_gitlab.xml │ │ │ ├── package_spec_project_url_not_supported.xml │ │ │ └── package_spec_trailing_slash.xml │ ├── org │ │ ├── org.go │ │ └── org_test.go │ ├── packagemanager │ │ ├── client.go │ │ ├── client_test.go │ │ └── packagemanager_mockclient.go │ └── scdiff │ │ ├── app │ │ ├── compare.go │ │ ├── compare │ │ │ ├── compare.go │ │ │ └── compare_test.go │ │ ├── compare_test.go │ │ ├── format │ │ │ ├── format.go │ │ │ └── format_test.go │ │ ├── generate.go │ │ ├── generate_test.go │ │ ├── root.go │ │ ├── runner │ │ │ ├── runner.go │ │ │ └── runner_test.go │ │ ├── stats.go │ │ └── stats_test.go │ │ └── main.go ├── package_managers.go ├── package_managers_test.go ├── root.go └── serve.go ├── codeql.js ├── config ├── README.md ├── annotations.go ├── config.go ├── config_test.go └── testdata │ ├── all_checks.yml │ ├── all_reasons.yml │ ├── invalid_check.yml │ ├── invalid_reason.yml │ ├── multiple_annotations.yml │ └── single_check.yml ├── cron ├── cloudbuild │ ├── cii.yaml │ ├── controller.yaml │ ├── transfer.yaml │ ├── webhook.release.yaml │ └── worker.yaml ├── config │ ├── config.go │ ├── config.yaml │ ├── config_test.go │ └── testdata │ │ ├── basic.yaml │ │ ├── missing_field.yaml │ │ └── optional_maps.yaml ├── data │ ├── README.md │ ├── blob.go │ ├── blob_test.go │ ├── format.go │ ├── format_test.go │ ├── iterator.go │ ├── iterator_test.go │ ├── metadata.pb.go │ ├── metadata.proto │ ├── request.pb.go │ ├── request.proto │ ├── summary.go │ ├── summary_test.go │ ├── testdata │ │ ├── basic-gitlab-only.csv │ │ ├── basic-with-gitlab.csv │ │ ├── basic.csv │ │ ├── blob_test │ │ │ ├── key1.txt │ │ │ ├── key2.txt │ │ │ ├── key3.txt │ │ │ └── subdir │ │ │ │ ├── key4.txt │ │ │ │ └── nested │ │ │ │ └── key5.txt │ │ ├── comment.csv │ │ ├── empty_row.csv │ │ ├── extra_column.csv │ │ ├── failing_urls.csv │ │ ├── ignore_header.csv │ │ ├── no_header.csv │ │ ├── only_header.csv │ │ ├── split_file.csv │ │ ├── split_file_empty.csv │ │ └── summary_test │ │ │ ├── basic │ │ │ ├── 2022.09.19 │ │ │ │ └── 020001 │ │ │ │ │ ├── .shard_metadata │ │ │ │ │ ├── .transfer_complete │ │ │ │ │ ├── shard-0000000 │ │ │ │ │ └── shard-0000001 │ │ │ └── 2022.09.26 │ │ │ │ └── 020003 │ │ │ │ ├── .shard_metadata │ │ │ │ ├── shard-0000000 │ │ │ │ ├── shard-0000001 │ │ │ │ └── shard-1234567 │ │ │ └── invalid │ │ │ └── unknown_file │ ├── writer.go │ └── writer_test.go ├── internal │ ├── bq │ │ ├── Dockerfile │ │ ├── main.go │ │ └── transfer.go │ ├── cii │ │ ├── Dockerfile │ │ └── main.go │ ├── controller │ │ ├── Dockerfile │ │ ├── bucket.go │ │ ├── bucket_test.go │ │ ├── main.go │ │ └── testdata │ │ │ └── getPrefix │ │ │ └── marker │ ├── data │ │ ├── add │ │ │ ├── main.go │ │ │ ├── main_test.go │ │ │ └── testdata │ │ │ │ ├── add_metadata.csv │ │ │ │ ├── no_change.csv │ │ │ │ ├── skip_duplicates.csv │ │ │ │ ├── skip_empty.csv │ │ │ │ ├── skip_empty_2.csv │ │ │ │ └── skip_latest.csv │ │ ├── gitlab-projects-releasetest.csv │ │ ├── gitlab-projects.csv │ │ ├── projects.csv │ │ └── validate │ │ │ └── main.go │ ├── emulator │ │ ├── README.md │ │ ├── config.yaml │ │ ├── fakegcs │ │ │ ├── ossf-scorecard-cii-data │ │ │ │ └── .gitignore │ │ │ ├── ossf-scorecard-cron-results │ │ │ │ └── .gitignore │ │ │ ├── ossf-scorecard-data2 │ │ │ │ └── .gitignore │ │ │ └── ossf-scorecard-rawdata │ │ │ │ └── .gitignore │ │ └── projects.csv │ ├── format │ │ ├── bq.raw.schema │ │ ├── json.go │ │ ├── json.raw.schema │ │ ├── json.v2.schema │ │ ├── json_raw_results.go │ │ ├── json_raw_results_test.go │ │ ├── json_test.go │ │ ├── mock_doc.go │ │ ├── schema_gen.go │ │ ├── schema_gen_test.go │ │ └── testdata │ │ │ ├── bq-valid.schema │ │ │ ├── check1.json │ │ │ ├── check2.json │ │ │ ├── check3.json │ │ │ ├── check4.json │ │ │ ├── check5.json │ │ │ ├── check6.json │ │ │ └── valid.schema │ ├── pubsub │ │ ├── publisher.go │ │ ├── publisher_test.go │ │ ├── subscriber.go │ │ ├── subscriber_gcs.go │ │ ├── subscriber_gocloud.go │ │ └── subscriber_gocloud_test.go │ ├── shuffle │ │ └── main.go │ ├── webhook │ │ ├── Dockerfile │ │ └── main.go │ └── worker │ │ ├── Dockerfile │ │ └── main.go ├── k8s │ ├── README.md │ ├── auth.yaml │ ├── cii.yaml │ ├── controller.release.yaml │ ├── controller.yaml │ ├── transfer-raw.yaml │ ├── transfer.release-raw.yaml │ ├── transfer.release.yaml │ ├── transfer.yaml │ ├── webhook.release.yaml │ ├── worker.release.yaml │ └── worker.yaml ├── monitoring │ ├── exporter.go │ └── printer.go └── worker │ ├── worker.go │ └── worker_test.go ├── docs ├── beginner-checks.md ├── checks.md ├── checks │ ├── dependencyupdatetool │ │ └── README.md │ ├── doc.go │ ├── fuzzing │ │ └── README.md │ ├── impl.go │ ├── internal │ │ ├── checks.yaml │ │ ├── generate │ │ │ └── main.go │ │ ├── reader.go │ │ └── validate │ │ │ └── main.go │ └── sast │ │ └── README.md ├── design │ ├── images │ │ ├── branch-protection-settings-admin-token.png │ │ ├── branch-protection-settings-non-admin-token.png │ │ ├── scorecard_architecture_diagram.svg │ │ ├── scorecard_denormalization.png │ │ ├── scorecard_limitation_nested_fields.png │ │ ├── scorecard_mapreduce_diagram.svg │ │ └── scorecard_release_process_diagram.svg │ └── scalable_scorecard.md ├── faq.md ├── probes.md ├── probes │ └── internal │ │ └── generate │ │ └── main.go └── repositories.md ├── e2e ├── attestor_policy_test.go ├── binary_artifacts_test.go ├── branch_protection_test.go ├── ci_tests_test.go ├── cii_best_practices_test.go ├── code_review_test.go ├── config_test.go ├── contributors_test.go ├── dangerous_workflow_test.go ├── dependency_update_tool_test.go ├── depsdev_test.go ├── e2e_suite_test.go ├── fuzzing_test.go ├── license_test.go ├── maintained_test.go ├── packaging_test.go ├── permissions_test.go ├── pinned_dependencies_test.go ├── sast_test.go ├── searchCommits_test.go ├── security_policy_test.go ├── signedreleases_test.go ├── vulnerabilities_test.go └── workflow_test.go ├── errors ├── errors.md ├── internal.go ├── internal_test.go ├── public.go └── public_test.go ├── finding ├── finding.go ├── finding_test.go ├── probe.go ├── probe_test.go └── testdata │ ├── all-fields.yml │ ├── effort-high.yml │ ├── effort-low.yml │ ├── invalid-client.yml │ ├── invalid-effort.yml │ ├── invalid-language.yml │ ├── invalid-lifecycle.yml │ ├── metadata-variables.yml │ ├── missing-id.yml │ └── missing-lifecycle.yml ├── go.mod ├── go.sum ├── governance ├── meetings │ ├── 2021.md │ ├── 2022.md │ ├── 2023.md │ └── 2024.md └── openssf_scorecard_incubation_stage.md ├── internal ├── checknames │ └── checknames.go ├── dotnet │ ├── csproj │ │ └── csproj.go │ └── properties │ │ ├── properties.go │ │ └── properties_test.go ├── fuzzers │ └── fuzzers.go ├── gitfile │ ├── gitfile.go │ └── gitfile_test.go ├── packageclient │ └── depsdev.go └── probes │ ├── probes.go │ ├── probes_test.go │ └── yaml │ └── yaml.go ├── log ├── log.go └── log_test.go ├── main.go ├── options ├── flags.go ├── flags_test.go ├── options.go └── options_test.go ├── pkg └── scorecard │ ├── common.go │ ├── common_test.go │ ├── json.go │ ├── json.raw.schema │ ├── json.v2.schema │ ├── json_raw_results.go │ ├── json_raw_results_test.go │ ├── json_test.go │ ├── mock_doc.go │ ├── pkg_suite_test.go │ ├── probe.go │ ├── probe_test.go │ ├── sarif.go │ ├── sarif_test.go │ ├── scorecard.go │ ├── scorecard_e2e_test.go │ ├── scorecard_result.go │ ├── scorecard_result_test.go │ ├── scorecard_test.go │ ├── statement.go │ ├── statement_test.go │ └── testdata │ ├── check-remediation.sarif │ ├── check1.json │ ├── check1.log │ ├── check1.sarif │ ├── check1_annotations.json │ ├── check1_annotations.log │ ├── check1_annotations.sarif │ ├── check2.json │ ├── check2.sarif │ ├── check3.json │ ├── check3.sarif │ ├── check4.json │ ├── check4.sarif │ ├── check5.json │ ├── check5.sarif │ ├── check6.json │ ├── check6.sarif │ ├── check7.sarif │ ├── check8.sarif │ └── probe1.json ├── policy ├── policy.go ├── policy.pb.go ├── policy.proto ├── policy_test.go └── testdata │ ├── policy-invalid-check.yaml │ ├── policy-invalid-mode.yaml │ ├── policy-invalid-score-0.yaml │ ├── policy-invalid-score-10.yaml │ ├── policy-multiple-defs.yaml │ ├── policy-no-score-disabled.yaml │ └── policy-ok.yaml ├── probes ├── README.md ├── archived │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── blocksDeleteOnBranches │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── blocksForcePushOnBranches │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── branchProtectionAppliesToAdmins │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── branchesAreProtected │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── codeApproved │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── codeReviewOneReviewers │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── contributorsFromOrgOrCompany │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── createdRecently │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── dependencyUpdateToolConfigured │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── dismissesStaleReviews │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── entries.go ├── fuzzed │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── hasBinaryArtifacts │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── hasDangerousWorkflowScriptInjection │ ├── def.yml │ ├── impl.go │ ├── impl_test.go │ └── internal │ │ └── patch │ │ ├── impl.go │ │ ├── impl_test.go │ │ └── testdata │ │ ├── arrayVariables.yaml │ │ ├── arrayVariables_fixed_1.yaml │ │ ├── arrayVariables_fixed_2.yaml │ │ ├── crazyButValidIndentation.yaml │ │ ├── crazyButValidIndentation_fixed.yaml │ │ ├── envVarNameAlreadyInUse.yaml │ │ ├── envVarNameAlreadyInUse_fixed.yaml │ │ ├── fourSpacesIndentationExistentEnvVar.yaml │ │ ├── fourSpacesIndentationExistentEnvVar_fixed.yaml │ │ ├── ignorePatternInsideComments.yaml │ │ ├── newlineOnEOF.yaml │ │ ├── newlineOnEOF_fixed.yaml │ │ ├── noLineBreaksBetweenBlocks.yaml │ │ ├── noLineBreaksBetweenBlocks_fixed.yaml │ │ ├── realExample1.yaml │ │ ├── realExample1_fixed.yaml │ │ ├── realExample2.yaml │ │ ├── realExample2_fixed.yaml │ │ ├── realExample3.yaml │ │ ├── realExample3_fixed.yaml │ │ ├── reuseEnvVarSmallerScope.yaml │ │ ├── reuseEnvVarSmallerScope_fixed.yaml │ │ ├── reuseEnvVarWithDiffName.yaml │ │ ├── reuseEnvVarWithDiffName_fixed.yaml │ │ ├── reuseWorkflowLevelEnvVars.yaml │ │ ├── reuseWorkflowLevelEnvVars_fixed_1.yaml │ │ ├── reuseWorkflowLevelEnvVars_fixed_2.yaml │ │ ├── reuseWorkflowLevelEnvVars_fixed_3.yaml │ │ ├── twoInjectionsDifferentJobs.yaml │ │ ├── twoInjectionsDifferentJobs_fixed_1.yaml │ │ ├── twoInjectionsDifferentJobs_fixed_2.yaml │ │ ├── twoInjectionsSameJob.yaml │ │ ├── twoInjectionsSameJob_fixed_1.yaml │ │ ├── twoInjectionsSameJob_fixed_2.yaml │ │ ├── twoInjectionsSameStep.yaml │ │ ├── twoInjectionsSameStep_fixed_1.yaml │ │ ├── twoInjectionsSameStep_fixed_3.yaml │ │ ├── userInputAssignedToVariable.yaml │ │ └── userInputAssignedToVariable_fixed.yaml ├── hasDangerousWorkflowUntrustedCheckout │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── hasFSFOrOSIApprovedLicense │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── hasLicenseFile │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── hasNoGitHubWorkflowPermissionUnknown │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── hasOSVVulnerabilities │ ├── def.yml │ ├── group.go │ ├── group_test.go │ ├── impl.go │ └── impl_test.go ├── hasOpenSSFBadge │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── hasPermissiveLicense │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── hasRecentCommits │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── hasReleaseSBOM │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── hasSBOM │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── hasUnverifiedBinaryArtifacts │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── internal │ ├── scripts │ │ └── setup.go │ └── utils │ │ ├── branchprotection │ │ └── branchProtection.go │ │ ├── permissions │ │ └── permissions.go │ │ ├── secpolicy │ │ └── secpolicy.go │ │ ├── test │ │ └── test.go │ │ └── uerror │ │ └── error.go ├── issueActivityByProjectMember │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── jobLevelPermissions │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── packagedWithAutomatedWorkflow │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── pinsDependencies │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── releasesAreSigned │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── releasesHaveProvenance │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── releasesHaveVerifiedProvenance │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── requiresApproversForPullRequests │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── requiresCodeOwnersReview │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── requiresLastPushApproval │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── requiresPRsToChangeCode │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── requiresUpToDateBranches │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── runsStatusChecksBeforeMerging │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── sastToolConfigured │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── sastToolRunsOnAllCommits │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── securityPolicyContainsLinks │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── securityPolicyContainsText │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── securityPolicyContainsVulnerabilityDisclosure │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── securityPolicyPresent │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── testsRunInCI │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── topLevelPermissions │ ├── def.yml │ ├── impl.go │ └── impl_test.go ├── unsafeblock │ ├── def.yml │ ├── impl.go │ ├── impl_test.go │ └── testdata │ │ ├── malformed.csproj │ │ ├── malformed.go │ │ ├── safe-explicit.csproj │ │ ├── safe-implicit.csproj │ │ ├── safe-no-imports.go │ │ ├── safe-with-imports.go │ │ ├── unsafe.csproj │ │ └── unsafe.go ├── utils │ └── codeReview.go ├── webhooksUseSecrets │ ├── def.yml │ ├── impl.go │ └── impl_test.go └── zrunner │ └── runner.go ├── remediation ├── remediations.go └── remediations_test.go ├── scripts ├── tree-status └── version-ldflags ├── stats ├── measures.go ├── tags.go └── views.go ├── tools ├── go.mod ├── go.sum └── tools.go └── utests └── utlib.go /.codecov.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.codecov.yml -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.github/CODEOWNERS -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.github/ISSUE_TEMPLATE/bug_report.md -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.github/ISSUE_TEMPLATE/feature_request.md -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.github/PULL_REQUEST_TEMPLATE.md -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.github/dependabot.yml -------------------------------------------------------------------------------- /.github/security-insights.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.github/security-insights.yml -------------------------------------------------------------------------------- /.github/workflows/codeql-analysis.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.github/workflows/codeql-analysis.yml -------------------------------------------------------------------------------- /.github/workflows/depsreview.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.github/workflows/depsreview.yml -------------------------------------------------------------------------------- /.github/workflows/docker.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.github/workflows/docker.yml -------------------------------------------------------------------------------- /.github/workflows/gitlab.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.github/workflows/gitlab.yml -------------------------------------------------------------------------------- /.github/workflows/goreleaser.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.github/workflows/goreleaser.yaml -------------------------------------------------------------------------------- /.github/workflows/integration.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.github/workflows/integration.yml -------------------------------------------------------------------------------- /.github/workflows/lint.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.github/workflows/lint.yml -------------------------------------------------------------------------------- /.github/workflows/main.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.github/workflows/main.yml -------------------------------------------------------------------------------- /.github/workflows/osps-baseline.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.github/workflows/osps-baseline.yml -------------------------------------------------------------------------------- /.github/workflows/publishimage.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.github/workflows/publishimage.yml -------------------------------------------------------------------------------- /.github/workflows/scdiff.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.github/workflows/scdiff.yml -------------------------------------------------------------------------------- /.github/workflows/scorecard-analysis.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.github/workflows/scorecard-analysis.yml -------------------------------------------------------------------------------- /.github/workflows/stale.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.github/workflows/stale.yml -------------------------------------------------------------------------------- /.github/workflows/verify.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.github/workflows/verify.yml -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.gitignore -------------------------------------------------------------------------------- /.golangci.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.golangci.yml -------------------------------------------------------------------------------- /.goreleaser.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.goreleaser.yml -------------------------------------------------------------------------------- /.ko.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/.ko.yaml -------------------------------------------------------------------------------- /CHARTER.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/CHARTER.md -------------------------------------------------------------------------------- /CHARTER.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/CHARTER.pdf -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/CODE_OF_CONDUCT.md -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/CONTRIBUTING.md -------------------------------------------------------------------------------- /CONTRIBUTOR_LADDER.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/CONTRIBUTOR_LADDER.md -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/Dockerfile -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/LICENSE -------------------------------------------------------------------------------- /MAINTAINERS.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/MAINTAINERS.md -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/Makefile -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/README.md -------------------------------------------------------------------------------- /RELEASE.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/RELEASE.md -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/SECURITY.md -------------------------------------------------------------------------------- /artwork/openssf_security.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/artwork/openssf_security.png -------------------------------------------------------------------------------- /artwork/openssf_security.svg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/artwork/openssf_security.svg -------------------------------------------------------------------------------- /artwork/openssf_security_alt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/artwork/openssf_security_alt.png -------------------------------------------------------------------------------- /artwork/openssf_security_alt.svg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/artwork/openssf_security_alt.svg -------------------------------------------------------------------------------- /artwork/openssf_security_alt_compressed.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/artwork/openssf_security_alt_compressed.png -------------------------------------------------------------------------------- /artwork/openssf_security_compressed.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/artwork/openssf_security_compressed.png -------------------------------------------------------------------------------- /attestor/Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/attestor/Dockerfile -------------------------------------------------------------------------------- /attestor/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/attestor/README.md -------------------------------------------------------------------------------- /attestor/cloudbuild.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/attestor/cloudbuild.yaml -------------------------------------------------------------------------------- /attestor/command/check.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/attestor/command/check.go -------------------------------------------------------------------------------- /attestor/command/cli.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/attestor/command/cli.go -------------------------------------------------------------------------------- /attestor/command/cli_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/attestor/command/cli_test.go -------------------------------------------------------------------------------- /attestor/command/sign.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/attestor/command/sign.go -------------------------------------------------------------------------------- /attestor/policy/attestation_policy.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/attestor/policy/attestation_policy.go -------------------------------------------------------------------------------- /attestor/policy/attestation_policy_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/attestor/policy/attestation_policy_test.go -------------------------------------------------------------------------------- /attestor/policy/testdata/policy-binauthz.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/attestor/policy/testdata/policy-binauthz.yaml -------------------------------------------------------------------------------- /attestor/root.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/attestor/root.go -------------------------------------------------------------------------------- /checker/check_request.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checker/check_request.go -------------------------------------------------------------------------------- /checker/check_request_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checker/check_request_test.go -------------------------------------------------------------------------------- /checker/check_result.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checker/check_result.go -------------------------------------------------------------------------------- /checker/check_result_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checker/check_result_test.go -------------------------------------------------------------------------------- /checker/check_runner.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checker/check_runner.go -------------------------------------------------------------------------------- /checker/client.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checker/client.go -------------------------------------------------------------------------------- /checker/client_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checker/client_test.go -------------------------------------------------------------------------------- /checker/detail_logger.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checker/detail_logger.go -------------------------------------------------------------------------------- /checker/detail_logger_impl.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checker/detail_logger_impl.go -------------------------------------------------------------------------------- /checker/detail_logger_impl_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checker/detail_logger_impl_test.go -------------------------------------------------------------------------------- /checker/raw_result.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checker/raw_result.go -------------------------------------------------------------------------------- /checker/raw_result_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checker/raw_result_test.go -------------------------------------------------------------------------------- /checks/all_checks.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/all_checks.go -------------------------------------------------------------------------------- /checks/all_checks_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/all_checks_test.go -------------------------------------------------------------------------------- /checks/binary_artifact.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/binary_artifact.go -------------------------------------------------------------------------------- /checks/binary_artifact_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/binary_artifact_test.go -------------------------------------------------------------------------------- /checks/branch_protection.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/branch_protection.go -------------------------------------------------------------------------------- /checks/branch_protection_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/branch_protection_test.go -------------------------------------------------------------------------------- /checks/ci_tests.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/ci_tests.go -------------------------------------------------------------------------------- /checks/ci_tests_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/ci_tests_test.go -------------------------------------------------------------------------------- /checks/cii_best_practices.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/cii_best_practices.go -------------------------------------------------------------------------------- /checks/cii_best_practices_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/cii_best_practices_test.go -------------------------------------------------------------------------------- /checks/code_review.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/code_review.go -------------------------------------------------------------------------------- /checks/code_review_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/code_review_test.go -------------------------------------------------------------------------------- /checks/contributors.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/contributors.go -------------------------------------------------------------------------------- /checks/contributors_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/contributors_test.go -------------------------------------------------------------------------------- /checks/dangerous_workflow.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/dangerous_workflow.go -------------------------------------------------------------------------------- /checks/dangerous_workflow_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/dangerous_workflow_test.go -------------------------------------------------------------------------------- /checks/dependency_update_tool.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/dependency_update_tool.go -------------------------------------------------------------------------------- /checks/dependency_update_tool_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/dependency_update_tool_test.go -------------------------------------------------------------------------------- /checks/errors.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/errors.go -------------------------------------------------------------------------------- /checks/evaluation/binary_artifacts.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/binary_artifacts.go -------------------------------------------------------------------------------- /checks/evaluation/binary_artifacts_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/binary_artifacts_test.go -------------------------------------------------------------------------------- /checks/evaluation/branch_protection.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/branch_protection.go -------------------------------------------------------------------------------- /checks/evaluation/branch_protection_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/branch_protection_test.go -------------------------------------------------------------------------------- /checks/evaluation/ci_tests.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/ci_tests.go -------------------------------------------------------------------------------- /checks/evaluation/ci_tests_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/ci_tests_test.go -------------------------------------------------------------------------------- /checks/evaluation/cii_best_practices.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/cii_best_practices.go -------------------------------------------------------------------------------- /checks/evaluation/cii_best_practices_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/cii_best_practices_test.go -------------------------------------------------------------------------------- /checks/evaluation/code_review.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/code_review.go -------------------------------------------------------------------------------- /checks/evaluation/code_review_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/code_review_test.go -------------------------------------------------------------------------------- /checks/evaluation/contributors.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/contributors.go -------------------------------------------------------------------------------- /checks/evaluation/contributors_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/contributors_test.go -------------------------------------------------------------------------------- /checks/evaluation/dangerous_workflow.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/dangerous_workflow.go -------------------------------------------------------------------------------- /checks/evaluation/dangerous_workflow_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/dangerous_workflow_test.go -------------------------------------------------------------------------------- /checks/evaluation/dependency_update_tool.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/dependency_update_tool.go -------------------------------------------------------------------------------- /checks/evaluation/dependency_update_tool_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/dependency_update_tool_test.go -------------------------------------------------------------------------------- /checks/evaluation/fuzzing.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/fuzzing.go -------------------------------------------------------------------------------- /checks/evaluation/fuzzing_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/fuzzing_test.go -------------------------------------------------------------------------------- /checks/evaluation/license.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/license.go -------------------------------------------------------------------------------- /checks/evaluation/license_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/license_test.go -------------------------------------------------------------------------------- /checks/evaluation/maintained.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/maintained.go -------------------------------------------------------------------------------- /checks/evaluation/maintained_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/maintained_test.go -------------------------------------------------------------------------------- /checks/evaluation/packaging.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/packaging.go -------------------------------------------------------------------------------- /checks/evaluation/packaging_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/packaging_test.go -------------------------------------------------------------------------------- /checks/evaluation/permissions.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/permissions.go -------------------------------------------------------------------------------- /checks/evaluation/pinned_dependencies.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/pinned_dependencies.go -------------------------------------------------------------------------------- /checks/evaluation/pinned_dependencies_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/pinned_dependencies_test.go -------------------------------------------------------------------------------- /checks/evaluation/sast.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/sast.go -------------------------------------------------------------------------------- /checks/evaluation/sast_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/sast_test.go -------------------------------------------------------------------------------- /checks/evaluation/sbom.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/sbom.go -------------------------------------------------------------------------------- /checks/evaluation/sbom_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/sbom_test.go -------------------------------------------------------------------------------- /checks/evaluation/security_policy.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/security_policy.go -------------------------------------------------------------------------------- /checks/evaluation/security_policy_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/security_policy_test.go -------------------------------------------------------------------------------- /checks/evaluation/signed_releases.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/signed_releases.go -------------------------------------------------------------------------------- /checks/evaluation/signed_releases_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/signed_releases_test.go -------------------------------------------------------------------------------- /checks/evaluation/vulnerabilities.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/vulnerabilities.go -------------------------------------------------------------------------------- /checks/evaluation/vulnerabilities_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/vulnerabilities_test.go -------------------------------------------------------------------------------- /checks/evaluation/webhooks.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/webhooks.go -------------------------------------------------------------------------------- /checks/evaluation/webhooks_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/evaluation/webhooks_test.go -------------------------------------------------------------------------------- /checks/fileparser/errors.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/fileparser/errors.go -------------------------------------------------------------------------------- /checks/fileparser/github_workflow.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/fileparser/github_workflow.go -------------------------------------------------------------------------------- /checks/fileparser/github_workflow_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/fileparser/github_workflow_test.go -------------------------------------------------------------------------------- /checks/fileparser/gitlab_workflow.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/fileparser/gitlab_workflow.go -------------------------------------------------------------------------------- /checks/fileparser/listing.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/fileparser/listing.go -------------------------------------------------------------------------------- /checks/fileparser/listing_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/fileparser/listing_test.go -------------------------------------------------------------------------------- /checks/fuzzing.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/fuzzing.go -------------------------------------------------------------------------------- /checks/fuzzing_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/fuzzing_test.go -------------------------------------------------------------------------------- /checks/license.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/license.go -------------------------------------------------------------------------------- /checks/license_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/license_test.go -------------------------------------------------------------------------------- /checks/maintained.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/maintained.go -------------------------------------------------------------------------------- /checks/maintained_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/maintained_test.go -------------------------------------------------------------------------------- /checks/packaging.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/packaging.go -------------------------------------------------------------------------------- /checks/permissions.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/permissions.go -------------------------------------------------------------------------------- /checks/permissions_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/permissions_test.go -------------------------------------------------------------------------------- /checks/pinned_dependencies.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/pinned_dependencies.go -------------------------------------------------------------------------------- /checks/pinned_dependencies_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/pinned_dependencies_test.go -------------------------------------------------------------------------------- /checks/probes.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/probes.go -------------------------------------------------------------------------------- /checks/raw/binary_artifact.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/binary_artifact.go -------------------------------------------------------------------------------- /checks/raw/binary_artifact_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/binary_artifact_test.go -------------------------------------------------------------------------------- /checks/raw/branch_protection.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/branch_protection.go -------------------------------------------------------------------------------- /checks/raw/branch_protection_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/branch_protection_test.go -------------------------------------------------------------------------------- /checks/raw/ci_tests.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/ci_tests.go -------------------------------------------------------------------------------- /checks/raw/cii_best_practices.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/cii_best_practices.go -------------------------------------------------------------------------------- /checks/raw/code_review.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/code_review.go -------------------------------------------------------------------------------- /checks/raw/code_review_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/code_review_test.go -------------------------------------------------------------------------------- /checks/raw/contributors.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/contributors.go -------------------------------------------------------------------------------- /checks/raw/contributors_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/contributors_test.go -------------------------------------------------------------------------------- /checks/raw/dangerous_workflow.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/dangerous_workflow.go -------------------------------------------------------------------------------- /checks/raw/dangerous_workflow_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/dangerous_workflow_test.go -------------------------------------------------------------------------------- /checks/raw/dependency_update_tool.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/dependency_update_tool.go -------------------------------------------------------------------------------- /checks/raw/dependency_update_tool_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/dependency_update_tool_test.go -------------------------------------------------------------------------------- /checks/raw/errors.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/errors.go -------------------------------------------------------------------------------- /checks/raw/fuzzing.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/fuzzing.go -------------------------------------------------------------------------------- /checks/raw/fuzzing_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/fuzzing_test.go -------------------------------------------------------------------------------- /checks/raw/github/packaging.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/github/packaging.go -------------------------------------------------------------------------------- /checks/raw/gitlab/packaging.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/gitlab/packaging.go -------------------------------------------------------------------------------- /checks/raw/gitlab/packaging_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/gitlab/packaging_test.go -------------------------------------------------------------------------------- /checks/raw/gitlab/testdata/docker.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/gitlab/testdata/docker.yaml -------------------------------------------------------------------------------- /checks/raw/gitlab/testdata/no-publishing.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/gitlab/testdata/no-publishing.yaml -------------------------------------------------------------------------------- /checks/raw/gitlab/testdata/nuget.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/gitlab/testdata/nuget.yaml -------------------------------------------------------------------------------- /checks/raw/gitlab/testdata/poetry.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/gitlab/testdata/poetry.yaml -------------------------------------------------------------------------------- /checks/raw/gitlab/testdata/twine.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/gitlab/testdata/twine.yaml -------------------------------------------------------------------------------- /checks/raw/license.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/license.go -------------------------------------------------------------------------------- /checks/raw/license_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/license_test.go -------------------------------------------------------------------------------- /checks/raw/maintained.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/maintained.go -------------------------------------------------------------------------------- /checks/raw/maintained_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/maintained_test.go -------------------------------------------------------------------------------- /checks/raw/permissions.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/permissions.go -------------------------------------------------------------------------------- /checks/raw/pinned_dependencies.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/pinned_dependencies.go -------------------------------------------------------------------------------- /checks/raw/pinned_dependencies_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/pinned_dependencies_test.go -------------------------------------------------------------------------------- /checks/raw/sast.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/sast.go -------------------------------------------------------------------------------- /checks/raw/sast_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/sast_test.go -------------------------------------------------------------------------------- /checks/raw/sbom.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/sbom.go -------------------------------------------------------------------------------- /checks/raw/sbom_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/sbom_test.go -------------------------------------------------------------------------------- /checks/raw/security_policy.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/security_policy.go -------------------------------------------------------------------------------- /checks/raw/security_policy_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/security_policy_test.go -------------------------------------------------------------------------------- /checks/raw/shell_download_validate.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/shell_download_validate.go -------------------------------------------------------------------------------- /checks/raw/shell_download_validate_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/shell_download_validate_test.go -------------------------------------------------------------------------------- /checks/raw/signed_releases.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/signed_releases.go -------------------------------------------------------------------------------- /checks/raw/testdata/.github/workflows/github-workflow-empty.yaml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /checks/raw/testdata/.github/workflows/pom.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/.github/workflows/pom.xml -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-args: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-args -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-aws-file: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-aws-file -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-base: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-base -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-comments: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-comments -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-curl-file-sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-curl-file-sh -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-curl-sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-curl-sh -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-download-heredoc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-download-heredoc -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-download-lines: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-download-lines -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-empty: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-empty-run-array: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-empty-run-array -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-from-scratch: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-from-scratch -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-gsutil-file: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-gsutil-file -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-invalid: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-invalid -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-no-curl-sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-no-curl-sh -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-not-pinned: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-not-pinned -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-not-pinned-as: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-not-pinned-as -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-pinned: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-pinned -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-pinned-arg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-pinned-arg -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-pinned-as: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-pinned-as -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-pkg-managers: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-pkg-managers -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-proc-subs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-proc-subs -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-script-ok: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-script-ok -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-some-python: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-some-python -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-wget-bin-sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-wget-bin-sh -------------------------------------------------------------------------------- /checks/raw/testdata/Dockerfile-wget-file: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossf/scorecard/HEAD/checks/raw/testdata/Dockerfile-wget-file -------------------------------------------------------------------------------- /checks/raw/testdata/dotnet-empty.csproj: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /checks/raw/testdata/dotnet-invalid.csproj: -------------------------------------------------------------------------------- 1 |