
Introduce OpenSSF Best Practices Badge rule #238

Closed
wants to merge 1 commit into from

Conversation

ethomson
Member

Add a rule that ensures that the project has an OpenSSF Best Practices badge at the specified level (defaulting to: "passing"). This is driven by the OpenSSF Best Practices data source, which queries bestpractices.dev.

Add the new rule type to the OpenSSF Scorecard profile.
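As an added example (not code from this PR or from the project), the check the rule description implies: look a repository up in a bestpractices.dev response and compare its badge level against the required level, defaulting to "passing". The response shape and the `repo_url`/`badge_level` field names are assumptions, and the sample data is constructed.

```python
import json

# Badge levels awarded by bestpractices.dev, ordered from lowest to highest.
# "in_progress" means the project is registered but has not yet passed.
BADGE_LEVELS = ["in_progress", "passing", "silver", "gold"]

# Constructed sample of a project lookup response. The real API shape is an
# assumption here; the field names are illustrative only.
SAMPLE_RESPONSE = json.dumps([
    {"id": 1001, "repo_url": "https://github.com/example/passing-project", "badge_level": "passing"},
    {"id": 1002, "repo_url": "https://github.com/example/gold-project", "badge_level": "gold"},
    {"id": 1003, "repo_url": "https://github.com/example/wip-project", "badge_level": "in_progress"},
])


def lookup_badge_level(response_json, repo_url):
    """Return the badge level recorded for repo_url, or None if the project is not registered."""
    wanted = repo_url.rstrip("/").lower()
    for project in json.loads(response_json):
        if project.get("repo_url", "").rstrip("/").lower() == wanted:
            return project.get("badge_level")
    return None


def meets_level(badge_level, required="passing"):
    """True when badge_level is at least the required level; unknown or missing levels never pass."""
    if required not in BADGE_LEVELS:
        raise ValueError(f"unknown required badge level: {required!r}")
    if badge_level not in BADGE_LEVELS:
        return False
    return BADGE_LEVELS.index(badge_level) >= BADGE_LEVELS.index(required)


def evaluate(repo_url, required="passing", response_json=SAMPLE_RESPONSE):
    """Evaluate the rule for one repository, returning (passed, message for the user)."""
    level = lookup_badge_level(response_json, repo_url)
    if meets_level(level, required):
        return True, f"badge level {level!r} meets the required level {required!r}"
    if level is None:
        return False, (f"no OpenSSF Best Practices badge found for {repo_url}; "
                       f"register the project at https://www.bestpractices.dev/en and reach {required!r}")
    return False, f"badge level {level!r} is below the required level {required!r}"


if __name__ == "__main__":
    for url in ("https://github.com/example/gold-project", "https://github.com/example/unregistered"):
        print(url, evaluate(url, "silver"))
```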

@ethomson ethomson requested a review from a team as a code owner December 19, 2024 11:51
Add a rule that ensures that the project has an OpenSSF Best Practices
badge at the specified level (defaulting to: "passing"). This is driven
by the OpenSSF Best Practices data source, which queries
bestpractices.dev.

Add the new rule type to the OpenSSF Scorecard profile.
# Defines the configuration for alerting on the rule
alert:
  type: security_advisory
  security_advisory: {}
Contributor


nit: Should we stop adding the security_advisory alert? We probably want to deprecate this anyway.

Member Author


Yes but I think that it makes sense to burn it down so that the rules are consistent with each other, instead of having a few that are one way and a few that are another.

version: v1
release_phase: alpha
type: rule-type
name: openssf_bestpractices
Contributor


This must match the file name.

guidance: |
  The [OpenSSF Best Practices Badge](https://www.bestpractices.dev/en)
  program allows open source projects to show that they follow best
  security practices.
Contributor


This guidance looks a little off. The intent is to tell people what to do if they fail this check.

@ethomson ethomson closed this Dec 19, 2024
@ethomson
Member Author

Updated in #243
