Security Checks

Binary artifacts

This check determines whether the project has generated executable (binary) artifacts in the source repository. For more details, see the check documentation.

Code review

ID: code_review

This check determines whether the project requires code review before pull requests (merge requests) are merged. For more details, see the check documentation.

Dangerous workflow

ID: dangerous_workflow

This check determines whether the project’s GitHub Action workflows has dangerous code patterns. For more details, see the check documentation.

Dependency update tool

ID: dependency_update_tool

This check tries to determine if the project uses a dependency update tool, specifically dependabot or renovatebot. For more details, see the check documentation.

Maintained (from OpenSSF Scorecard)

ID: maintained

This check determines whether the project is actively maintained. For more details, see the check documentation.

Software bill of materials (SBOM)

ID: sbom

List of components in a piece of software, including licenses, versions, etc.

This check passes if:

  • The latest release on Github includes an asset which name contains sbom. Regexps used:

"(?i)sbom"
  • The repository’s README file contains a SBOM section that explains where they are published to, format used, etc. Regexps used to locate the title header:

"(?im)^#+.*sbom.*$"
"(?im)^#+.*software bill of materials.*$"
"(?im)^sbom$"
"(?im)^software bill of materials$"

Security policy

ID: security_policy

Documented security processes explaining how to report security issues to the project.

This check passes if:

  • A security policy file is found in the repository. Globs used:

"security*"
".github/security*"
"docs/security*"

CASE SENSITIVE: false
  • A security policy reference is found in the repository’s README file. This can be in the form of a title header or a link. Regexps used:

"(?im)^#+.*security.*$"
"(?im)^security$"
"(?i)\[.*security.*\]\(.*\)"

Signed releases

ID: signed_releases

This check tries to determine if the project cryptographically signs release artifacts. For more details, see the check documentation.

Token permissions

ID: token_permissions

This check determines whether the project’s automated workflows tokens are set to read-only by default. For more details, see the check documentation.

Last updated

Copyright © 2022 The Linux Foundation®. All rights reserved. The Linux Foundation has registered trademarks and uses trademarks.