Security Checks
This check determines whether the project has generated executable (binary) artifacts in the source repository. For more details, see the
ID: code_review
This check determines whether the project requires code review before pull requests (merge requests) are merged. For more details, see the
ID: dangerous_workflow
This check determines whether the project’s GitHub Actions workflows have dangerous code patterns. For more details, see the .
ID: dependency_update_tool
This check tries to determine if the project uses a dependency update tool, specifically or . For more details, see the
ID: maintained
This check determines whether the project is actively maintained. For more details, see the
ID: sbom
List of components in a piece of software, including licenses, versions, etc.
This check passes if:
The latest release on GitHub includes an asset whose name contains sbom. Regexps used:
The repository’s README file contains an SBOM section that explains where the SBOMs are published, the format used, etc. Regexps used to locate the title header:
ID: security_policy
Documented security processes explaining how to report security issues to the project.
This check passes if:
A security policy file is found in the repository. Globs used:
A security policy reference is found in the repository’s README file. This can be in the form of a title header or a link. Regexps used:
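An added example, not part of this page or of the tool it documents, showing how the sbom and security_policy conditions above could be evaluated over a repository's release assets, file list and README. The regexps, globs and sample repository are assumed here, since the page does not reproduce them.

```python
import fnmatch
import re

# Assumed patterns for this example only; the real check's regexps and globs
# are not reproduced on the page and may differ.
SBOM_ASSET_RE = re.compile(r"sbom", re.IGNORECASE)
SBOM_HEADER_RE = re.compile(
    r"^#+\s*(software bill of materials|sbom)\b", re.IGNORECASE | re.MULTILINE
)
SECURITY_POLICY_GLOBS = ("SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md")
SECURITY_HEADER_RE = re.compile(
    r"^#+\s*security(\s+policy)?\b", re.IGNORECASE | re.MULTILINE
)
SECURITY_LINK_RE = re.compile(r"\[[^\]]*\]\([^)]*security\.md\)", re.IGNORECASE)


def sbom_check(release_assets, readme):
    """Pass if a latest-release asset name mentions an SBOM, or the README has an SBOM section."""
    for name in release_assets:
        if SBOM_ASSET_RE.search(name):
            return True, f"release asset: {name}"
    m = SBOM_HEADER_RE.search(readme)
    if m:
        return True, f"README section: {m.group(0).strip()}"
    return False, "no SBOM asset or README section found"


def security_policy_check(repo_files, readme):
    """Pass if a policy file matches one of the globs, or the README references one."""
    for path in repo_files:
        if any(fnmatch.fnmatch(path, g) for g in SECURITY_POLICY_GLOBS):
            return True, f"policy file: {path}"
    m = SECURITY_HEADER_RE.search(readme) or SECURITY_LINK_RE.search(readme)
    if m:
        return True, f"README reference: {m.group(0).strip()}"
    return False, "no security policy file or README reference found"


# Constructed sample repository used to exercise both checks.
SAMPLE_ASSETS = ["app-1.4.0-linux-amd64.tar.gz", "app-1.4.0.sbom.spdx.json"]
SAMPLE_FILES = ["README.md", "LICENSE", ".github/workflows/ci.yml"]
SAMPLE_README = """# app

## Reporting a problem
Please read our [security policy](docs/security.md) before filing issues.
"""

if __name__ == "__main__":
    print(sbom_check(SAMPLE_ASSETS, SAMPLE_README))
    print(security_policy_check(SAMPLE_FILES, SAMPLE_README))
```

The sample repository passes sbom via the release asset and security_policy via the README link, even though no policy file matches a glob.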
ID: signed_releases
This check tries to determine if the project cryptographically signs release artifacts. For more details, see the
ID: token_permissions
This check determines whether the project’s automated workflow tokens are set to read-only by default. For more details, see the