{"date":"2025-10-21T15:38:53Z","repo":{"name":"github.com/sigstore/rekor","commit":"5de8b859ba7a736d0e0a17eb8fe9f339870ce8b5"},"scorecard":{"version":"v5.3.0","commit":"c22063e786c11f9dd714d777a687ff7c4599b600"},"score":8.8,"checks":[{"name":"Maintained","score":10,"reason":"30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#maintained"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dependency-update-tool"}},{"name":"Token-Permissions","score":8,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/build.yml:34","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:35","Info: jobLevel 'contents' permission set to 'read': .github/workflows/cut-release.yml:27","Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/scorecard_action.yml:21","Warn: no topLevel permission defined: .github/workflows/build.yml:1","Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1","Warn: no topLevel permission defined: .github/workflows/cut-release.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/depsreview.yml:19","Info: topLevel 'contents' permission set to 'read': .github/workflows/main.yml:29","Info: found token with 'none' permissions: .github/workflows/scorecard_action.yml:1","Info: found token with 'none' permissions: 
.github/workflows/validate-release.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/verify.yml:25"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#token-permissions"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":7,"reason":"binaries present in source code","details":["Warn: binary detected: cmd/rekor-cli/app/tests/test.rpm:1","Warn: binary detected: pkg/types/jar/v0.0.1/tests/test.jar:1","Warn: binary detected: pkg/types/rpm/tests/test.rpm:1"],"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source 
repository.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":8,"reason":"dependency not pinned by hash detected -- score normalized to 8","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/cut-release.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/sigstore/rekor/cut-release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/scorecard_action.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/sigstore/rekor/scorecard_action.yml/main?enable=pin","Warn: downloadThenRun not pinned by hash: scripts/performance/index-storage/index-performance.sh:43","Warn: goCommand not pinned by hash: tests/sharding-e2e-test.sh:30","Info: 34 out of 34 GitHub-owned GitHubAction dependencies pinned","Info: 11 out of 13 third-party GitHubAction dependencies pinned","Info: 9 out of 9 containerImage dependencies pinned","Info: 3 out of 4 goCommand dependencies pinned","Info: 0 out of 1 downloadThenRun dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":7,"reason":"3 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2022-0635","Warn: Project is vulnerable to: GO-2022-0646","Warn: Project is vulnerable to: GO-2025-3922 / 
GHSA-jc7w-c686-c4v9"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#vulnerabilities"}},{"name":"Signed-Releases","score":8,"reason":"5 out of the last 5 releases have a total of 5 signed artifacts.","details":["Info: signed release artifact: rekor-cli-darwin-amd64-keyless.sig: https://github.com/sigstore/rekor/releases/tag/v1.4.2","Info: signed release artifact: rekor-cli-darwin-amd64-keyless.sig: https://github.com/sigstore/rekor/releases/tag/v1.4.1","Info: signed release artifact: rekor-cli-darwin-amd64-keyless.sig: https://github.com/sigstore/rekor/releases/tag/v1.4.0","Info: signed release artifact: rekor-cli-darwin-amd64-keyless.sig: https://github.com/sigstore/rekor/releases/tag/v1.3.10","Info: signed release artifact: rekor-cli-darwin-amd64-keyless.sig: https://github.com/sigstore/rekor/releases/tag/v1.3.9","Warn: release artifact v1.4.2 does not have provenance: https://api.github.com/repos/sigstore/rekor/releases/245127921","Warn: release artifact v1.4.1 does not have provenance: https://api.github.com/repos/sigstore/rekor/releases/243511711","Warn: release artifact v1.4.0 does not have provenance: https://api.github.com/repos/sigstore/rekor/releases/236975521","Warn: release artifact v1.3.10 does not have provenance: https://api.github.com/repos/sigstore/rekor/releases/211896260","Warn: release artifact v1.3.9 does not have provenance: https://api.github.com/repos/sigstore/rekor/releases/196999004"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#signed-releases"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (30) are checked with a SAST 
tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/sigstore/.github/SECURITY.md:1","Info: Found linked content: github.com/sigstore/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/sigstore/.github/SECURITY.md:1","Info: Found text in security policy: github.com/sigstore/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":10,"reason":"project is fuzzed","details":["Info: OSSFuzz integration found","Info: GoBuiltInFuzzer integration found: pkg/pki/fuzz_test.go:84","Info: GoBuiltInFuzzer integration found: pkg/sharding/shard_fuzz_test.go:18","Info: GoBuiltInFuzzer integration found: pkg/sharding/shard_fuzz_test.go:26","Info: GoBuiltInFuzzer integration found: pkg/sharding/shard_fuzz_test.go:34","Info: GoBuiltInFuzzer integration found: pkg/sharding/shard_fuzz_test.go:42","Info: GoBuiltInFuzzer integration found: pkg/sharding/shard_fuzz_test.go:50","Info: GoBuiltInFuzzer integration found: pkg/sharding/shard_fuzz_test.go:58","Info: GoBuiltInFuzzer integration found: pkg/sharding/shard_fuzz_test.go:66","Info: GoBuiltInFuzzer integration found: pkg/sharding/shard_fuzz_test.go:74","Info: GoBuiltInFuzzer integration found: pkg/sharding/shard_fuzz_test.go:82","Info: GoBuiltInFuzzer integration found: pkg/signer/fuzz_test.go:24","Info: GoBuiltInFuzzer integration found: pkg/types/alpine/fuzz_test.go:37","Info: GoBuiltInFuzzer integration found: pkg/types/alpine/v0.0.1/fuzz_test.go:36","Info: GoBuiltInFuzzer integration found: 
pkg/types/alpine/v0.0.1/fuzz_test.go:73","Info: GoBuiltInFuzzer integration found: pkg/types/alpine/v0.0.1/fuzz_test.go:102","Info: GoBuiltInFuzzer integration found: pkg/types/cose/v0.0.1/fuzz_test.go:36","Info: GoBuiltInFuzzer integration found: pkg/types/cose/v0.0.1/fuzz_test.go:77","Info: GoBuiltInFuzzer integration found: pkg/types/cose/v0.0.1/fuzz_test.go:106","Info: GoBuiltInFuzzer integration found: pkg/types/dsse/v0.0.1/fuzz_test.go:36","Info: GoBuiltInFuzzer integration found: pkg/types/dsse/v0.0.1/fuzz_test.go:75","Info: GoBuiltInFuzzer integration found: pkg/types/dsse/v0.0.1/fuzz_test.go:104","Info: GoBuiltInFuzzer integration found: pkg/types/hashedrekord/fuzz_test.go:26","Info: GoBuiltInFuzzer integration found: pkg/types/hashedrekord/v0.0.1/fuzz_test.go:36","Info: GoBuiltInFuzzer integration found: pkg/types/hashedrekord/v0.0.1/fuzz_test.go:77","Info: GoBuiltInFuzzer integration found: pkg/types/hashedrekord/v0.0.1/fuzz_test.go:106","Info: GoBuiltInFuzzer integration found: pkg/types/helm/v0.0.1/fuzz_test.go:37","Info: GoBuiltInFuzzer integration found: pkg/types/helm/v0.0.1/fuzz_test.go:77","Info: GoBuiltInFuzzer integration found: pkg/types/helm/v0.0.1/fuzz_test.go:105","Info: GoBuiltInFuzzer integration found: pkg/types/helm/v0.0.1/fuzz_test.go:114","Info: GoBuiltInFuzzer integration found: pkg/types/intoto/v0.0.1/fuzz_test.go:36","Info: GoBuiltInFuzzer integration found: pkg/types/intoto/v0.0.1/fuzz_test.go:76","Info: GoBuiltInFuzzer integration found: pkg/types/intoto/v0.0.1/fuzz_test.go:105","Info: GoBuiltInFuzzer integration found: pkg/types/intoto/v0.0.2/fuzz_test.go:36","Info: GoBuiltInFuzzer integration found: pkg/types/intoto/v0.0.2/fuzz_test.go:76","Info: GoBuiltInFuzzer integration found: pkg/types/intoto/v0.0.2/fuzz_test.go:105","Info: GoBuiltInFuzzer integration found: pkg/types/jar/fuzz_test.go:24","Info: GoBuiltInFuzzer integration found: pkg/types/jar/v0.0.1/fuzz_test.go:40","Info: GoBuiltInFuzzer integration found: 
pkg/types/jar/v0.0.1/fuzz_test.go:81","Info: GoBuiltInFuzzer integration found: pkg/types/jar/v0.0.1/fuzz_test.go:110","Info: GoBuiltInFuzzer integration found: pkg/types/jar/v0.0.1/fuzz_test.go:155","Info: GoBuiltInFuzzer integration found: pkg/types/rekord/v0.0.1/fuzz_test.go:36","Info: GoBuiltInFuzzer integration found: pkg/types/rekord/v0.0.1/fuzz_test.go:76","Info: GoBuiltInFuzzer integration found: pkg/types/rekord/v0.0.1/fuzz_test.go:105","Info: GoBuiltInFuzzer integration found: pkg/types/rfc3161/v0.0.1/fuzz_test.go:36","Info: GoBuiltInFuzzer integration found: pkg/types/rfc3161/v0.0.1/fuzz_test.go:76","Info: GoBuiltInFuzzer integration found: pkg/types/rfc3161/v0.0.1/fuzz_test.go:105","Info: GoBuiltInFuzzer integration found: pkg/types/rpm/v0.0.1/fuzz_test.go:36","Info: GoBuiltInFuzzer integration found: pkg/types/rpm/v0.0.1/fuzz_test.go:76","Info: GoBuiltInFuzzer integration found: pkg/types/rpm/v0.0.1/fuzz_test.go:105","Info: GoBuiltInFuzzer integration found: pkg/types/tuf/v0.0.1/fuzz_test.go:36","Info: GoBuiltInFuzzer integration found: pkg/types/tuf/v0.0.1/fuzz_test.go:76","Info: GoBuiltInFuzzer integration found: pkg/types/tuf/v0.0.1/fuzz_test.go:105"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#license"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: 
https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":10,"reason":"30 out of 30 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#ci-tests"}},{"name":"Contributors","score":10,"reason":"project has 37 contributing companies or organizations","details":["Info: found contributions from: CCI-MOC, Clean-Dependency-Project, FannieMaeOpenSource, GoogleContainerTools, Lind-Project, PyCQA, adam@adalogics.com, astropy, bomfather, chainguard-dev, chainguard-images, cs61, distroless, docc-lab, falcosecurity, fosdem-testingautomation, github-fun, google, googlers, helm, honk-ci, ir8labs, jaegertracing, keylime, ko-build, kubeflow, kubernetes, kubernetes-nightly, kubernetes-sigs, openvex, ossf, pdxcat, protobom, red hat, sigstore, wolfi-dev, 🚀 red dot rocket"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#contributors"}}]}