|
1 | 1 | # Frequently Asked Questions |
2 | 2 |
|
3 | | -This page answers frequently asked questions about Scorecards, including its purpose, usage, and checks. This page is continually updated. If you would like to add a question, please [contribute]!(../CONTRIBUTING.md)! |
| 3 | +This page answers frequently asked questions about Scorecards, including its purpose, usage, and checks. This page is continually updated. If you would like to add a question, please [contribute](../CONTRIBUTING.md)! |
4 | 4 |
|
5 | 5 | ## Installation / Usage |
6 | 6 | - [Can I preview my project's score?](#can-i-preview-my-projects-score) |
7 | | - - [What is the difference between Scorecard and other Code Scanning Tools?](#what-is-the-difference-between-scorecard-and-other-code-scanning-tools) |
| 7 | + - [What is the difference between Scorecards and other Code Scanning tools?](#what-is-the-difference-between-scorecards-and-other-code-scanning-tools) |
8 | 8 |
|
9 | 9 | ## Check-Specific Questions |
10 | | - - [Binary-Artifacts: Is it possible to set up a blocklist to check Binary-Artifacts?](#binary-artifacts-is-it-possible-to-set-up-a-blocklist-to-check-binary-artifacts) |
11 | | - - [Code-Review: Can I set Code-Review check to ignore bot commits?](#code-review-can-i-set-code-review-check-to-ignore-bot-commits) |
12 | | - - [Fuzzing: Scorecard accepts custom fuzzers and libfuzzer?](#fuzzing-scorecard-accepts-custom-fuzzers-and-libfuzzer) |
13 | | - - [Pinned-Dependencies: Will the scorecard see not-pinned dependencies in tests with Dockerfiles?](#pinned-dependencies-will-the-scorecard-see-not-pinned-dependencies-in-tests-with-dockerfiles) |
| 10 | + - [Binary-Artifacts: Can I allowlist testing artifacts?](#binary-artifacts-can-i-allowlist-testing-artifacts) |
| 11 | + - [Code-Review: Can it ignore bot commits?](#code-review-can-it-ignore-bot-commits) |
| 12 | + - [Fuzzing: Does Scorecards accept custom fuzzers?](#fuzzing-does-scorecards-accept-custom-fuzzers) |
| 13 | + - [Pinned-Dependencies: Will Scorecards detect unpinned dependencies in tests with Dockerfiles?](#pinned-dependencies-will-scorecards-detect-unpinned-dependencies-in-tests-with-dockerfiles) |
14 | 14 | - [Pinned-Dependencies: Can I use version pinning instead of hash pinning?](#pinned-dependencies-can-i-use-version-pinning-instead-of-hash-pinning) |
15 | | - - [Signed-Releases: Why would I sign releases?](#signed-releases-why-would-i-sign-releases) |
| 15 | + - [Signed-Releases: Why sign releases?](#signed-releases-why-sign-releases) |
16 | 16 |
|
17 | | -________________________________________________________________________________ |
18 | | -________________________________________________________________________________ |
| 17 | +--- |
19 | 18 |
|
20 | 19 | ## Installation / Usage |
21 | 20 |
|
22 | 21 | ### Can I preview my project's score? |
23 | 22 |
|
24 | | -Yes, a preview of the Scorecard scores can be seen at https://api.securityscorecards.dev/projects/github.com/<username_or_org>/<repository_name>/ for the repositories tracked by the Scorecard Project for being considered relevant in the Open Source scenario. |
| 23 | +Yes. |
| 24 | + |
| 25 | +Over a million projects are automatically tracked by the Scorecards project. These projects' scores can be seen at https://api.securityscorecards.dev/projects/github.com/<username_or_org>/<repository_name>. |
25 | 26 |
|
26 | 27 | You can also use the CLI to generate scores for any public repository by following these steps: |
27 | 28 |
|
28 | | -1. [Installation](https://github.com/joycebrum/scorecard#installation) |
29 | | -1. [Authentication](https://github.com/joycebrum/scorecard#authentication) |
30 | | -1. [Basic Usage](https://github.com/joycebrum/scorecard#basic-usage) |
| 29 | +1. [Installation](https://github.com/ossf/scorecard#installation) |
| 30 | +2. [Authentication](https://github.com/ossf/scorecard#authentication) |
| 31 | +3. [Basic Usage](https://github.com/ossf/scorecard#basic-usage) |
31 | 32 |
|
32 | | -### What is the difference between Scorecard and other Code Scanning Tools? |
| 33 | +### What is the difference between Scorecards and other Code Scanning tools? |
33 | 34 |
|
34 | | -Usually, the code scanning tools are focused on one or two specific types of vulnerabilities, while the Scorecard's Checks are focused on the overall security posture of the project. That's because the Scorecard is related to the Security Best Practices and whether the project is following them or not. |
| 35 | +Most code scanning tools are focused on detecting specific vulnerabilities already existing in your codebase. Scorecards, however, is focused on improving the project's overall security posture by helping it adopt best practices. The best solution for your project may well be to adopt Scorecards along with other tools! |
35 | 36 |
|
36 | | -## Check-Specific Questions |
| 37 | +## Check-specific Questions |
37 | 38 |
|
38 | | -### Binary-Artifacts: Is it possible to set up a blocklist to check Binary-Artifacts? |
| 39 | +### Binary-Artifacts: Can I allowlist testing artifacts? |
39 | 40 |
|
40 | | -It is still not possible to do that. However, the Scorecard team is working on this feature in the issue [ossf/scorecard#1270](https://github.com/ossf/scorecard/issues/1270). |
| 41 | +Scorecards lowers projects' scores whenever it detects binary artifacts. However, many projects use binary artifacts strictly for testing purposes. |
41 | 42 |
|
| 43 | +While it isn't currently possible to allowlist such binaries, the Scorecards team is working on this feature ([#1270](https://github.com/ossf/scorecard/issues/1270)). |
42 | 44 |
|
43 | | -### Code-Review: Can I set Code-Review check to ignore bot commits? |
| 45 | +### Code-Review: Can it ignore bot commits? |
44 | 46 |
|
45 | | -This is quite a complex question to be answered. Right now, there is no way to do that and here are some pros and cons on allowing the users to set up a ignore list with bots. |
| 47 | +This is quite a complex question. Right now, there is no way to do that. Here are some pros and cons on allowing users to set up an ignore-list for bots. |
46 | 48 |
|
47 | | -- Pros: Some bots have a very frequent and automated job and, for some projects, reviewing every change is not feasible or reasonable. |
48 | | -- Cons: Any bot can be compromised (its credentials can be compromised, for example), or considering that the commits are not being signed, an attacker could easily send a commit spoofing the bot. This means that the bot having a not supervised access to the main branch could potentially be a security risk. |
| 49 | +- Pros: Some bots run very frequently; for some projects, reviewing every change is therefore not feasible or reasonable. |
| 50 | +- Cons: Bots can be compromised (their credentials can be compromised, for example). Or if commits are not signed, an attacker could easily send a commit spoofing the bot. This means that a bot having unsupervised write access to the repository could be a security risk. |
49 | 51 |
|
50 | | -Anyhow, this is being discussed by the Scorecard Team, for more informations about this topic please see the issue [Code Review Check handle commits made by version bump bots](https://github.com/ossf/scorecard/issues/2302). |
| 52 | +However, this is being discussed by the Scorecards Team ([#2302](https://github.com/ossf/scorecard/issues/2302)). |
51 | 53 |
|
52 | | -### Fuzzing: Scorecard accepts custom fuzzers and libfuzzer? |
| 54 | +### Fuzzing: Does Scorecards accept custom fuzzers? |
53 | 55 |
|
54 | | -The Fuzzing Check detects OSS Fuzz, ClusterFuzzLite, OneFuzz and Go custom checks, thus it only catches custom fuzzing for GoLang. So, the check doesn’t detect custom use of libfuzzer, but some of these fuzzing tools might be using libfuzzers under the hood. |
| 56 | +Currently only for projects written in Go. |
55 | 57 |
|
56 | | -To see more about how the Fuzzing Check determines whether the project uses fuzzing or not, see [Fuzzing Check](https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing). |
| 58 | +For more information, see the [Fuzzing check description](https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing). |
57 | 59 |
|
58 | | -### Pinned-Dependencies: Will the scorecard see not-pinned dependencies in tests with Dockerfiles? |
| 60 | +### Pinned-Dependencies: Will Scorecards detect unpinned dependencies in tests with Dockerfiles? |
59 | 61 |
|
60 | | -Scorecard can show the dependencies that are referred to in tests like Dockerfiles, so it could be a great way for you to fix those dependencies and avoid the vulnerabilities related to version pinning dependencies. To see more about the benefits of hash pinning instead of version pinning, please see the [Pinned-Dependencies Check Description](/checks.md#pinned-dependencies) |
| 62 | +Scorecards can show the dependencies that are referred to in tests like Dockerfiles, so it could be a great way for you to fix those dependencies and avoid the vulnerabilities related to version pinning dependencies. To see more about the benefits of hash pinning instead of version pinning, please see the [Pinned-Dependencies check description](/checks.md#pinned-dependencies) |
61 | 63 |
|
62 | 64 | ### Pinned-Dependencies: Can I use version pinning instead of hash pinning? |
63 | | -It is not encouraged. The OpenSSF recommends the use of hash pinning instead of version pinning declarations in order to reduce several security risks. Please take a look at the [Pinned-Dependencies Check Description](/checks.md#pinned-dependencies) to a better understanding of the benefits of the Hash Pinning. |
| 65 | +Version pinning is a significant improvement over not pinning your dependencies. However, it still leaves your project vulnerable to tag-renaming attacks (where a dependency's tags are deleted and recreated to point to a malicious commit). |
| 66 | + |
| 67 | +The OpenSSF therefore recommends hash pinning instead of version pinning, along with the use of dependency update tools such as dependabot to keep your dependencies up-to-date. |
64 | 68 |
|
| 69 | +Please see the [Pinned-Dependencies check description](/checks.md#pinned-dependencies) for a better understanding of the benefits of the Hash Pinning. |
65 | 70 |
|
66 | | -### Signed-Releases: Why would I sign releases? |
| 71 | +### Signed-Releases: Why sign releases? |
67 | 72 |
|
68 | | -The main benefit that the [signed releases](/checks.md#signed-releases) could bring for now is the guarantee that a specific artifact was released by a source that you approve or you say is reliable. |
| 73 | +Currently, the main benefit of [signed releases](/checks.md#signed-releases) is the guarantee that a specific artifact was released by a source that you approve or attest is reliable. |
69 | 74 |
|
70 | | -Although, there are already moves to make it even more influential on the download process. The OpenSSF is working on [Implementing the signature verification with NPM packages](https://github.blog/2022-08-08-new-request-for-comments-on-improving-npm-security-with-sigstore-is-now-open/) which would allow a consumer to automatically verify if the package they are downloading was generated through a reliable builder and if it is correctly signed. |
| 75 | +However, there are already moves to make it even more relevant. For example, the OpenSSF is working on [implementing signature verification for NPM packages](https://github.blog/2022-08-08-new-request-for-comments-on-improving-npm-security-with-sigstore-is-now-open/) which would allow a consumer to automatically verify if the package they are downloading was generated through a reliable builder and if it is correctly signed. |
71 | 76 |
|
72 | | -The Releases Signature already has some benefits and it is moving to a future with even more security benefits both for consumers and maintainers. |
| 77 | +Signing releases already has some relevance and it will soon offer even more security benefits for both consumers and maintainers. |
0 commit comments