Describe the bug
Security policy at the organization level is not picked up. I have one on the org level here, but in my repository I have an alert that there is no security policy.
From the changes described in this PR I would expect that the org level setup would also be taken into account.
Expected behavior
The check should also validate the org level configuration.
"ruleId": "SecurityPolicyID",
"ruleIndex": 8,
"message": {
  "text": "score is 9: security policy file detected:\nWarn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy: github.com/devops-actions/.github/.github/SECURITY.md\nClick Remediation section below to solve this issue"
},
It's picking up the file, and scoring it a 9/10. The message in your SARIF output is talking about the missing 1/10 due to a heuristic introduced in #2195 which is looking for:
// pattern for 1 to 4 digit numbers
// or
// strings 'disclos' as in "disclosure" or 'vuln' as in "vulnerability"
reDIG := regexp.MustCompile(`(?i)(\b*[0-9]{1,4}\b|(Disclos|Vuln))`)
The easiest fix would be to tweak your security policy to satisfy the heuristic. For example:
Please disclose any issues or vulnerabilities responsibly by emailing
The other option is to discuss relaxing/removing the heuristic, which was brought up in #2195 but was left in at the time.
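To make the heuristic concrete, here is a small stand-alone Go program (added for this write-up, not Scorecard's own code) that applies the quoted regular expression to two constructed SECURITY.md texts: one that only gives a contact address, and one reworded along the lines of the suggestion above. The threshold of two matches is an assumption inferred from the warning wording "One or no descriptive hints"; the sample policies and the `CountHints`/`HasEnoughHints` names are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// reDIG is the heuristic quoted from #2195: a 1-4 digit number (a timeline
// such as "90 days"), or the strings "disclos"/"vuln", case-insensitively.
var reDIG = regexp.MustCompile(`(?i)(\b*[0-9]{1,4}\b|(Disclos|Vuln))`)

// CountHints returns how many times the heuristic matches in a policy text.
func CountHints(policy string) int {
	return len(reDIG.FindAllStringIndex(policy, -1))
}

// HasEnoughHints applies the threshold implied by the warning
// "One or no descriptive hints": at least two matches are needed.
// The exact threshold is an assumption made for this example.
func HasEnoughHints(policy string) bool {
	return CountHints(policy) >= 2
}

// Constructed sample policy that only names a contact: no hint matches.
const policyTooVague = `# Security
Please report any issues by emailing security@example.com.`

// Constructed sample policy reworded to satisfy the heuristic:
// "disclose", "vulnerabilities" and "3" each match.
const policyWithHints = `# Security
Please disclose any issues or vulnerabilities responsibly by emailing
security@example.com. We aim to acknowledge reports within 3 business days.`

func main() {
	for name, policy := range map[string]string{
		"vague":      policyTooVague,
		"with hints": policyWithHints,
	} {
		fmt.Printf("%-10s hints=%d enough=%v\n",
			name, CountHints(policy), HasEnoughHints(policy))
	}
}
```

Running it shows the vague policy producing zero matches (so it would draw the "One or no descriptive hints" warning) and the reworded one producing three, which is why adding a sentence like the suggested one recovers the remaining point.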
Ah, that is indeed extra information that I missed when looking at the alert; because of the text rendering in the alerts, it's rather hidden at the bottom. That will be improved by #125, so that will definitely help. The rest was me not reading the whole text :-).
Additional context
Using the ossf/scorecard-action for running the checks.