Hey, it's Pedro (see prometheus/common#490 and prometheus/prometheus#12841). I'm back with another security suggestion.
I found the issues fixed by those PRs by scanning procfs with Scorecard. It looks at a repository's settings and configurations to identify potential points of improvement in a project's security posture.
As it happens, the first issues I worked on involved workflows, which procfs pulls from /common and/or /prometheus, so I sent the PRs over there.
Scorecard is also available as a GitHub Action. It then monitors a project's security posture and populates the Security Panel with any tips it may find relevant for the project. In doing so, it can also flag whenever a code or setting change accidentally weakens the project's security.
procfs' current score is 6.8/10, which places it at the top 10% of projects important to the open-source ecosystem.
I'll write a PR implementing the Action and send it along with this issue.
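For readers unfamiliar with what "implementing the Action" looks like, here is the general shape of a Scorecard workflow as an added illustration (it is not Pedro's PR and not procfs' own workflow file); the `uses:` version tags are assumptions and should be pinned to full commit SHAs in a real repository.

```yaml
# Added example: a minimal OpenSSF Scorecard workflow (not the procfs project's own file).
# The version tags on each `uses:` line are assumptions; pin them to a full commit SHA.
name: Scorecard supply-chain security
on:
  # Re-scan after every change to the default branch so that a code or
  # setting change that weakens the posture is flagged quickly.
  push:
    branches: [ main ]
  # Weekly scan picks up new checks and changed upstream dependencies.
  schedule:
    - cron: '30 3 * * 1'
  # Manual trigger for trying out the Action.
  workflow_dispatch:

# Default to read-only; the job below grants only what it needs.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload SARIF results to the repository's Security tab
      # (the "Security Panel" referred to above).
      security-events: write
      # Needed so the Action can publish results via OIDC (score and badge).
      id-token: write
      contents: read
      actions: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Do not leave the job token in the checked-out .git/config.
          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
          # Publishing lets the OpenSSF Scorecard API serve the project's score.
          publish_results: true

      - name: Upload results to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Each finding then appears as a code-scanning alert, so a regression in a setting (for example, a newly unpinned dependency or a broadened token permission) shows up in the same place as other security alerts.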
Sorry for the delay here, but sure thing, I'd be happy to send this to prometheus/prometheus and add it to the sync script.
I do have one question though. After one of my previous PRs, I realized there's automation keeping things in sync with prometheus/prometheus but there's also prometheus/common, which I'd understood was the container for all "common" things in prometheus projects.
Has /common been deprecated, with /prometheus now being the source-of-truth for common files?