Feature: incorporate CLOMonitor-style exemptions #2614
As a CNCF project we've been encouraged to add both CLOMonitor and OpenSSF Scorecard badges, and there's quite a lot of overlap between the security-related checks that CLOMonitor runs and the Scorecard checks. We reviewed the results from CLOMonitor and found some false positives, for which we've been able to document exemptions so that they don't appear as failed tests. (We really don't want to display a badge that portrays the project as a lot less secure than it really is!)

It would be great if those same exemptions could be pulled in by Scorecard as well. Ideally there would be just one exemptions file per repo acting as the source of truth (i.e. Scorecard could re-use the exemptions that it finds in a .clomonitor file).

Comments

Hey, we've been thinking of creating a config file as well. Thanks for the link, I was not aware of CLOMonitor. Is it a CNCF project?

Seems that CLOMonitor pulls in the tests from Scorecards, so maybe that's where the exemptions should live too. Would be great if the schema for documenting those exemptions could be reused though, to save reinventing the wheel.

Stale issue message - this issue will be closed in 7 days

Can I reopen this to get comment from the team?

Hmm, thought we had disabled the auto close in #3493

@gabibguti something to consider with the maintainer annotation work

This issue is stale because it has been open for 60 days with no activity.

Hi, have there been any updates on this issue? I am working on adding the OpenSSF Scorecard badge to the Cilium README, and fixing this would help address the issues mentioned here.

It's on our roadmap for this quarter. We haven't entirely decided how this will display in terms of the badge.

This issue has been marked stale because it has been open for 60 days with no activity.

FYI @caniszczyk

For those tracking this issue, we're getting conversations on the books with the CLOMonitor maintainers to decide on the best integration path for folks leveraging either or both tools. Stay tuned!

This issue has been marked stale because it has been open for 60 days with no activity.