Is your feature request related to a problem? Please describe.
In the future the Token-Permissions check will give different scores depending on how well the best practices have been followed. But even if one gets a score of 9, they will still get a High risk issue in the SARIF file. This score then gets shown in the Code scanning alerts dashboard when the Scorecards GitHub action is used in a repository.
Describe the solution you'd like
The risk of the issue that is emitted in the SARIF file should be based on the score of the check. If the score is high, the risk should be lower.
Describe alternatives you've considered
An alternative could be for each repository owner to have a policy file to set threshold of risk.
Additional context
This is related to discussion at #1128
This is also relevant for the GitHub workflow dependency pinning: we give 10 points if all actions are pinned by hash, and 8 if the GitHub-owned actions are not.
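One way the score-to-risk mapping proposed above, together with the per-repository threshold mentioned as an alternative, could look in Go. This is an added illustration, not code from the Scorecard project; the thresholds, the `Risk` type and the `SarifResult` helper are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Risk carries the SARIF result "level" and the GitHub code-scanning
// "security-severity" (0-10: 9+ critical, 7+ high, 4+ medium, else low).
type Risk struct {
	Level    string
	Severity float64
}

// RiskFromScore maps a check score (0 = worst, 10 = best) to a Risk.
// The thresholds are an assumption for illustration, not Scorecard's own.
func RiskFromScore(score int) (Risk, error) {
	if score < 0 || score > 10 {
		return Risk{}, fmt.Errorf("score %d outside 0..10", score)
	}
	sev := float64(10 - score) // high score => low residual risk
	switch {
	case score <= 3:
		return Risk{"error", sev}, nil
	case score <= 7:
		return Risk{"warning", sev}, nil
	case score <= 9:
		return Risk{"note", sev}, nil
	}
	return Risk{"none", 0}, nil
}

// SarifResult renders one SARIF result for a check. minScore is the per-repository
// policy threshold: a score at or above it is not reported (ok == false, nil output).
func SarifResult(check string, score, minScore int) (out []byte, ok bool, err error) {
	r, err := RiskFromScore(score)
	if err != nil || score >= minScore {
		return nil, false, err
	}
	res := map[string]interface{}{
		"ruleId":  check,
		"level":   r.Level,
		"message": map[string]string{"text": fmt.Sprintf("%s scored %d/10", check, score)},
		// In full SARIF security-severity sits on the rule descriptor; inlined here for brevity.
		"properties": map[string]string{"security-severity": fmt.Sprintf("%.1f", r.Severity)},
	}
	out, err = json.Marshal(res)
	return out, err == nil, err
}
```

With this mapping a Token-Permissions score of 9 is emitted as a `note` with severity 1.0 instead of a High alert, and a score of 10 produces no result at all.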