Security Checks

Binary artifacts

This check determines whether the project has generated executable (binary) artifacts in the source repository. For more details, see the

Code review

ID: code_review

This check determines whether the project requires code review before pull requests (merge requests) are merged. For more details, see the

Dangerous workflow

ID: dangerous_workflow

This check determines whether the project’s GitHub Action workflows has dangerous code patterns. For more details, see the .

Dependency update tool

ID: dependency_update_tool

This check tries to determine if the project uses a dependency update tool, specifically or . For more details, see the

Maintained (from OpenSSF Scorecard)

ID: maintained

This check determines whether the project is actively maintained. For more details, see the

Software bill of materials (SBOM)

ID: sbom

List of components in a piece of software, including licenses, versions, etc.

This check passes if:

• The latest release on Github includes an asset which name contains sbom. Regexps used:

"(?i)sbom"

• The repository’s README file contains a SBOM section that explains where they are published to, format used, etc. Regexps used to locate the title header:

"(?im)^#+.*sbom.*$"
"(?im)^#+.*software bill of materials.*$"
"(?im)^sbom$"
"(?im)^software bill of materials$"

Security policy

ID: security_policy

Documented security processes explaining how to report security issues to the project.

This check passes if:

• A security policy file is found in the repository. Globs used:

"security*"
".github/security*"
"docs/security*"

CASE SENSITIVE: false

• A security policy reference is found in the repository’s README file. This can be in the form of a title header or a link. Regexps used:

"(?im)^#+.*security.*$"
"(?im)^security$"
"(?i)\[.*security.*\]\(.*\)"

Signed releases

ID: signed_releases

Token permissions

ID: token_permissions