1 of 1

Security Checks

Binary artifacts

This check determines whether the project has generated executable (binary) artifacts in the source repository. For more details, see the check documentation.

Code review

ID: code_review

This check determines whether the project requires code review before pull requests (merge requests) are merged. For more details, see the check documentation.

Dangerous workflow

ID: dangerous_workflow

This check determines whether the project’s GitHub Action workflows has dangerous code patterns. For more details, see the check documentation.

Dependency update tool

ID: dependency_update_tool

This check tries to determine if the project uses a dependency update tool, specifically dependabot or renovatebot. For more details, see the check documentation.

Maintained (from OpenSSF Scorecard)

ID: maintained

This check determines whether the project is actively maintained. For more details, see the check documentation.

Software bill of materials (SBOM)

ID: sbom

List of components in a piece of software, including licenses, versions, etc.

This check passes if:

The latest release on Github includes an asset which name contains sbom. Regexps used:

"(?i)sbom"

The repository’s README file contains a SBOM section that explains where they are published to, format used, etc. Regexps used to locate the title header:

"(?im)^#+.*sbom.*$"
"(?im)^#+.*software bill of materials.*$"
"(?im)^sbom$"
"(?im)^software bill of materials$"

Security policy

ID: security_policy

Documented security processes explaining how to report security issues to the project.

This check passes if:

A security policy file is found in the repository. Globs used:

"security*"
".github/security*"
"docs/security*"

CASE SENSITIVE: false

A security policy reference is found in the repository’s README file. This can be in the form of a title header or a link. Regexps used:

"(?im)^#+.*security.*$"
"(?im)^security$"
"(?i)\[.*security.*\]\(.*\)"

A security policy file is found in the default community health files repository.

Signed releases

ID: signed_releases

This check tries to determine if the project cryptographically signs release artifacts. For more details, see the check documentation.

Token permissions

ID: token_permissions

This check determines whether the project’s automated workflows tokens are set to read-only by default. For more details, see the check documentation.

Security Checks

Binary artifacts

This check determines whether the project has generated executable (binary) artifacts in the source repository. For more details, see the check documentation.

Code review

ID: code_review

This check determines whether the project requires code review before pull requests (merge requests) are merged. For more details, see the check documentation.

Dangerous workflow

ID: dangerous_workflow

This check determines whether the project’s GitHub Action workflows has dangerous code patterns. For more details, see the check documentation.

Dependency update tool

ID: dependency_update_tool

This check tries to determine if the project uses a dependency update tool, specifically dependabot or renovatebot. For more details, see the check documentation.

Maintained (from OpenSSF Scorecard)

ID: maintained

This check determines whether the project is actively maintained. For more details, see the check documentation.

Software bill of materials (SBOM)

ID: sbom

List of components in a piece of software, including licenses, versions, etc.

This check passes if:

The latest release on Github includes an asset which name contains sbom. Regexps used:

"(?i)sbom"

The repository’s README file contains a SBOM section that explains where they are published to, format used, etc. Regexps used to locate the title header:

"(?im)^#+.*sbom.*$"
"(?im)^#+.*software bill of materials.*$"
"(?im)^sbom$"
"(?im)^software bill of materials$"

Security policy

ID: security_policy

Documented security processes explaining how to report security issues to the project.

This check passes if:

A security policy file is found in the repository. Globs used:

"security*"
".github/security*"
"docs/security*"

CASE SENSITIVE: false

A security policy reference is found in the repository’s README file. This can be in the form of a title header or a link. Regexps used:

"(?im)^#+.*security.*$"
"(?im)^security$"
"(?i)\[.*security.*\]\(.*\)"

A security policy file is found in the default community health files repository.

Signed releases

ID: signed_releases

This check tries to determine if the project cryptographically signs release artifacts. For more details, see the check documentation.

Token permissions

ID: token_permissions

This check determines whether the project’s automated workflows tokens are set to read-only by default. For more details, see the check documentation.