BUG: False negative for Security Policy check on [Laravel](https://github.com/laravel/framework) project #2489
Comments
So the tarball downloaded by hitting I'm not familiar with the tarball endpoint, and the GitHub docs don't seem to explain the behavior.
That's an interesting finding. Other checks look for files under .github workflow (Token-Permissions, Dangerous-Workflows, Pinned-Dependencies). Does this affect the other checks too for this repository?
@laurentsimon Yes. Scorecards gives a 10 for Token-Permissions, when they do not set it as Scorecards expects, and also a 10 for Pinned-Dependencies, when they do not hash-pin the dependencies and for some not even tag-pin. So, if the TAR comes "wrong" from the GH API, these checks that look at the repo's source code will be mistaken.
This is a configuration issue. By excluding the
Great find @spencerschrock! Maybe #1709 could help here?
Great find indeed! Would it help if I closed this issue and created a different one focusing on this main cause?
Let's keep this open. This bug has all the context needed for someone in the future. |
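The thread's finding is that the tarball served for laravel/framework lacks the .github directory that is visible in the repository tree, so any check that only inspects the archive cannot see .github/SECURITY.md. The following is an added diagnostic example, not code from this issue or from the Scorecard project: it takes a constructed tree listing and a constructed tarball (built in memory, no network), runs a Security-Policy style lookup over both, and lists the tree paths absent from the archive so a "not detected" result can be attributed to the archive rather than to the repository. The accepted policy locations (root, .github/, docs/ with .md/.adoc/.rst) are an assumption modelled on the check's documented behaviour; the archive prefix and file contents are constructed.

```python
import io
import tarfile

# Assumed policy file locations, modelled on the Scorecard Security-Policy
# check (root, .github/, docs/). Matching is case-insensitive.
POLICY_NAMES = tuple(
    f"{d}security.{ext}"
    for d in ("", ".github/", "docs/")
    for ext in ("md", "adoc", "rst")
)


def find_security_policy(paths):
    """Return the first path that sits at a known policy location, or None."""
    lowered = {p.lower(): p for p in paths}
    for candidate in POLICY_NAMES:
        if candidate in lowered:
            return lowered[candidate]
    return None


def archive_paths(tar_bytes):
    """Repo-relative file paths inside a GitHub-style tarball.

    GitHub tarballs nest everything under one top-level directory
    (owner-repo-<sha>/); that leading component is stripped here.
    """
    paths = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            _, _, rel = member.name.partition("/")
            if rel:
                paths.append(rel)
    return paths


def missing_from_archive(tree_paths, tar_bytes):
    """Tree paths that the archive does not contain, sorted."""
    return sorted(set(tree_paths) - set(archive_paths(tar_bytes)))


def make_tarball(prefix, files):
    """Build a gzip tarball in memory (constructed test fixture, not real API output)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name=f"{prefix}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def diagnose(tree_paths, tar_bytes):
    """Compare what a policy check sees in the tree versus in the archive."""
    return {
        "policy_in_tree": find_security_policy(tree_paths),
        "policy_in_archive": find_security_policy(archive_paths(tar_bytes)),
        "missing": missing_from_archive(tree_paths, tar_bytes),
    }


# Constructed sample tree, shaped like the issue's report: the policy file
# lives under .github/, next to the workflows the other checks inspect.
TREE = [
    "composer.json",
    "src/Illuminate/Foundation/Application.php",
    ".github/SECURITY.md",
    ".github/workflows/tests.yml",
    ".gitattributes",
]

# Constructed archive that omits everything under .github/, mimicking the
# tarball the thread describes. The prefix is a placeholder, not a real sha.
ARCHIVE = make_tarball(
    "owner-repo-0000000",
    {p: "placeholder" for p in TREE if not p.startswith(".github/")},
)

if __name__ == "__main__":
    for key, value in diagnose(TREE, ARCHIVE).items():
        print(f"{key}: {value}")
```

Running the script reports a policy found in the tree but none in the archive, and lists the two .github/ paths as missing; in a real run, the tree listing would come from the Git trees API and the archive from the tarball endpoint, and a non-empty "missing" list is the signal that the archive, not the repository, is the reason for a Security-Policy or Token-Permissions result.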
Describe the bug
The Scorecards check for Security Policy did not find any Security Policy file on the Laravel project, but it does have a SECURITY.md file inside the .github folder.

Reproduction steps
Steps to reproduce the behavior:
https://github.com/laravel/framework, or access the already evaluated result here.
The Security-Policy check got a null score with reason "security policy file not detected".

Expected behavior
Scorecards should detect the SECURITY.md file and use its content to evaluate the score for the Security-Policy check.