►
From YouTube: Scorecards Biweekly Sync (October 6, 2022)
A
A
I
guess
not
so
I
don't
see
a
lot
of
items
which
are
not
done
by
Naveen.
So
while
we
wait
for
Naveen
to
folks
have
anything
that
you
want
to
discuss,
Caroline
syrup
I
see
you
guys
are
there
I
know.
Last
week
we
were
never
got
to
discuss
the
IBM
and
the
release
commit
issue.
So
maybe
should
we
take
the
time
to
discuss
that
now.
A
C
A
B
B
B
B
B
B
Our
release
notes,
aren't
human
readable
they
this,
like
here's
an
example
of
something
it
comes
up
like
this,
so
this
is
good
that
we're
adding
the
pr
title,
but
for
for
we
have
a
section
for
release
nodes
within
the
pr
that
most
of
them
every
time,
everybody's
filling
that
in
and
the
issue
right
now
is.
We
are
not
pulling
that
content
out
to
publish
in
the
release
notes.
B
One
of
the
reasons
we
brought
this
up
is
because
Stephen
brought
this
up.
He
gave
up
the
template.
I
just
want
to
bring
this
up
saying:
there's
a
tool
in
kubernetes
That's
supposed
to
help
with
this
I
am
not
aware
of
it.
That's
why
I
was
I
pinged
Stephen
to
that.
If
we
can
get
some
traction
on
that
and
that's
one
thing
that
I
had
as
an
issue.
B
B
E
B
Oh
yeah,
so
so
at
least,
if
I'm
I
went
back
and
looked
at
the
kubernetes
repo
wherein
they
wrote
a
tool
for
release
which
will
pass
the
release.
Note
template
section
and
go
generate
that
probably
look
at
a
couple
of
tools
either
this
or
the
other
one,
but
but
it
doesn't
for
me
when
I
had
to
read,
read
the
release
notes
it
does
not
come
out.
Well,
specifically,
I
saw
this
in
the
in
these
scorecards
Dev.
B
Whenever
we
see
this
like
like,
if
we
go
click
any
of
these
things
it
comes
up
with
this
becomes
makes
it
harder
to
know
what
has
changed
unless,
if
you
are
tracking
everything
within
the
project,
it's
really
hard
to
know
what
has
changed
as
a
general
overview.
That's
my
thought
process
behind
brain
opening.
This
up.
B
A
I
think
we
should
like
follow
up
with
them.
I
know
he's
been
busy
recently
but
yeah.
Maybe
you
should
follow
up
with
him
and
I
think
it's
been.
This
has
been
pending
for
a
while,
but
at
the
same
time
I'm
not
sure
if
anyone
here
as
far
as
I
know,
I
I,
don't
think
we
have
the
knowledge
of
the
tools
to
figure
out
how
these
things
can
be
automated
well,
so
yeah.
Maybe
we
should
ask
for
Steven
to
be
involved
here.
Yeah.
B
And
that's
why
I
think
Stephen
and
this
at
least
on
the
ticket,
so
that
we
can
have
some
traction
on
that
we
probably
if
I,
if
we
don't
hear
from
them,
we'll
also
I,
will
also
email
to
him
just
so
that
we
have
some
update
on
that.
Okay,
no
one
else
asked
any
comment.
David
you
want
to
go.
Take
the
next
one.
B
A
A
D
B
D
A
B
B
A
A
B
A
F
B
F
C
So
sure
yeah,
so
this
one
is
about
hacktoberfest,
so
I
just
found
out
about
hacktoberfest,
it
seems
pretty
interesting
seems
like
it's
good
exposure
to
get
people
familiar
with
the
project
and
to
tackle
some
of
the
smaller
issues,
so
I
think
for
the
project
itself.
It's
pretty
easy
to
add
yourself
as
being
involved
by
like
adding
tags
to
the
project
into
specific
issues.
You
think
it
would
be
good
and
ones
you
think
people
would
be
able
to
accomplish
within
the
month
of
October.
So
just
an
idea
I
want
to
throw
it
out
there.
B
I
I
concur.
One
of
the
things
for
hacktoberfest
is
the
contributors
supporting
with
enough
able
to
create
specific
issues
and
able
to
help
people
navigate
through
stuff
to
complete
that's
the
goal.
If
we
have
a
consensus
among
the
contributors
to
say
hey,
we
can
dedicated
time
for
doing
this.
It's
a
great
idea.
B
B
B
A
B
B
B
Right,
the
hectoberfest
is
a
is
run
by
I,
don't
know
which
specific
organization,
but
we
can
go.
We
as
a
maintainers
can
go
say,
hey.
Here's
here
is
our
repository
and
who
will
finish,
gets
their
PRS
merged
in
the
the
hacktoberfest
pulls
that
information
gives
them
some
kind
of
gaffe.
It
could
be
t-shirt,
something
like
that.
I've
once
got
a
t-shirt.
That's
the
information
on
that
I'm,
more
Applause.
Right
now.
Let
Jeff
answer
something
Jeff,
you
want
to
say
something.
E
Yeah
I
guess
I
have
the
same
question
is
Caroline?
Do
you
know
what
the
what
it'll
take
from
from
scorecard
side
to
to
participate
if
we
do
just
Mark
all
the
good
first
issues
with
the
appropriate
tag
is
that
is
that
it
and
then
just
you
know
to
see
what
see
what
people
contribute
there
or
is
there
more
effort
involved.
C
C
E
B
B
A
Yeah
I
mean
again,
like
I,
have
no
issues
but
given
similar
concerns
that
Spencer
raised
right,
I,
I
think
if
we,
if
there's
at
least
one
person
who
says
that
you
know
I,
can
like
kind
of
lead
this
I
or
own.
This
I
I
think
that
would
be
easy,
because
yeah
I
I
think
that
it
is
easier
to
do
it.
That
way,
rather
than
you
know,
everyone
kind
of
half
participating
without
knowing
who's
actually
responsible
for
this.
A
So
if
anyone's
willing
to
volunteer
and
say
that
you
know
they
are
going
to
lead
it
to
the
end-to-end
procedure
and
like
make
sure
the
peers
are
getting
worse
and
things
like
that,
if
anyone's
willing
to
own
it,
not
to
say
that
we
won't
be
helping,
but
we
need
a
point
of
contact
to
say
that
you
know
who's.
Finally,
responsible
I
think
that
that
will
probably
increase
my
conference
and
I
have
to
be
doing
it.
B
E
B
C
A
E
B
E
A
G
Oh
yes,
so
I
was
going
through
some
of
the
Miss
controls
in
our
audit
compliance
project
where
I'm,
working
and
and
thought.
If
we
could
map
our
scorecard
checks
to
map
to
what
the
controls
we
are
checking
and
mapping
to
which
is
supporting
index
controller
oauths
like
the
access
side
and
other
controls,
which
is
from
the
compliance
point
of
view,
so
that
could
give
you
more
exposure.
These
are
the
controls
we
are
from
the
top
we
are,
we
are
supporting
through
scorecard
and
future.
B
A
G
F
B
A
Right
yeah,
I,
I,
think
I
would
I
would
question
against
like
what
exists
and
like
in
trying
to
map
what
scorecard
should
be
to
what
already
exists
right.
I
mean
I
I
do
think
the
problem
domain
we
are
trying
to
solve
is
is
actually
like.
No
one's
actually
is
trying
doing
something
exactly
that,
which
is
that
you're
taking
an
open
source
repository
and
trying
to
figure
out
what
are
the
different
threat
vectors?
A
What
are
the
different
security
controls
that
you
can
Harden
and
I
think
trying
to
fit
into
some
of
the
existing
ones?
Well,
like
pigeonhole
and
pigeonholers,
into
like
only
trying
to
solve
specific
problems,
so
yeah
I
just
want
to
question
against
going
down
that
route.
I
think
we
we
really
should
be
thinking
about.
How
do
we
extend
our
framework?
To
kind
of
you
know,
bring
out
that
that
new
thing
that
doesn't
exist.
F
Hardening
guide
like
one
of
the
examples
which
is
which
I
see
is
not
in
scorecard,
is
you
know
about
rotating
GitHub
action
secret,
so
that
is
best
practice
in
the
guitar
Action
Security
guide,
it's
not
something
that
is
done
by
scorecard,
so
simply
by
comparing
it
sort
of
gives
ideas
about.
You
know.
Should
this
be
there
or
not?
It's
not
that
we
have
to
implement
all
of
it
more
about.
You
know,
thought
exercise
or
whether
it
should
be
there
versus
not.
A
Yeah
I
think
that
sounds
very
I
mean
like
I
said.
We
are
like
deriving
our
inspiration
from
various
points,
so
yeah
like
the
GitHub
security.
Sorry,
the
get
the
accents
hardening
might
be
another
place
that
we
should
probably
look
at.
If
you
don't
mind,
I
I
think
saurabh
has
added
link
to
the
oasp
and
the
SP
800
thing.
If
you
could
add
a
link
to
that
too,
that
would
be
great
yeah.
F
Yeah
so
this
you
know
this
one
is
about
thinking
about
more
options
for
the
sasd
tools,
also
right
now
scorecard
checks
for
code
qlgtm
and
sonar
and
there's
an
issue
that
LG
team
is
going
away,
and
you
know
this
thing
is
more
about
discussing
whether
there
should
be
more
tools
which
are
added
and
when
I've
put
some
sort
of
things
to
consider.
So
one
is
about
language,
specific
tools,
so
there
are
certain
tools
like
goseek
and
Bandit,
which
are
language
specific
and
the
other
one
is
just
about
pricing.
F
You
know,
so
these
these
results
also
show
up
in
private
repos.
If
someone
runs
it
in
a
private
repo.
So
having
options
which
are
you
know,
free
or
open
source
might
also
help
there
and
then
there's
this
specialized
purpose,
so
this
I've
actually
taken
from
the
CIS
Benchmark
for
supply
chain
security.
B
A
B
And
it's
Varun
if
at
least
from,
if
my
memory
sells
right,
it's
not
like
we
at
least
what
learned
in
this
large
PR
is
trying
to
do,
is
not
just
adding
additional
string
checks,
doing
it
much
more
better
to
make
sure
things
are
handy
scoring
and
all
those
things
that's
a
it's
a
large,
not
a
extremely
large,
but
a
medium-sized
PR.
Trying
to
do
this
if
I'm
not
wrong.
B
B
We
can
try
and
ask
if
Lauren
can
work
on
that.
If
someone
else
wants
to
pick
it
up
and
work
on,
I
know,
at
least
from
my
perspective,
would
you
mention
this
at
least
most
of
the
things
at
least
I
concur
on
I,
don't
know
whether
licensing
is
something
that,
but
that's
that's
another
topic,
but
at
least
adding
additional
tools
will
certainly
be
helpful.
F
B
So
is
your
thing:
hey?
Are
we
checking
like
like
code
ql?
Can
we
add
this
check
for
dependencies
review
action?
Is
that
okay,
the
one
critical
problem
or
I'm
going
to
step
back
and
talk
about?
This
is
not
a
problem
now,
if
we
add
these
additional
stuff,
then
our
coding,
our
scoring,
should
not
affect
we
need
to
figure
out.
How
do
we
add?
B
How
do
we
change
scoring
for
that,
because
by
adding
new
stuff,
if
you
bring
down
somebody's
score
down
they're
like
and
if
not,
we
need
to
pin
to
a
specific
version
and
then
we
need
to
have
Alpha
Beta.
Those
were
I
I
brought
in
dependency,
review
action
to
be
added
to
to
to
the
sasd
tools,
and
that's
when
we
discuss
about
this,
so
those
are
the
not
just
doing
these
checks
but
but
which,
in
turn
affect
the
scoring.
Those
are
the
problems
that
we
still
haven't
discussed
about.
F
D
A
D
Whole
lot
of
things
there's
a
vast
number
of
things
that
scorecards
doesn't
currently
measure
so
I
I
think
that
it
will
be
important
to
not
freeze
things
just
where
it
is
today
absolutely,
and
that
implies
that
scores
will
change,
and
that
implies
that
you
know
most
people
probably
just
want
hey.
What's
the
current
score
and
they
don't
need
to
know
the
version
number,
but
they
need
to
know
if
the
version
number
of
scorecards
that
was
used,
then
you
know
make
it
make
it
possible
to
find
that
information.
B
I'm
going
to
take
a
stab
again
say
this:
we
probably
need
a
framework
like
to
say
hey
these
additional
new
checks
are
alpha
or
beta,
or
something
like
that
and
which
will
and
almost
call
it
as
a
breaking
release.
Change
between
like
four
and
five
and
five
you're
gonna
have
these
enabled,
which
is
three
months
from
now.
Something
like
that.
D
Okay,
but
under
semver
I
wouldn't
call
this
a
breaking
change.
I
mean
your
score,
went
up,
went
down,
but
if
it
was
something
like
you
changed
the
Json
format,
so
that
the
keywords
were
no
longer
useful.
You
know
that
I
think
would
be
a
breaking
change.
Adding
a
new
measure
should
not
be
a
breaking
change.
Now
you
have
more
information
than
you
did
before
the
score.
I
mean.
If
you
want
to
claim
that
the
the
score
may
be
different.
D
You
can
argue
it's
more
accurate
now
and
more
you're
trying
to
provide
hey,
what's
a
risk
level
and
you
are
trying
to
move
towards
increased
accuracy.
The
score
is
also
going
to
change
just
from
tweaks
in
the
tool.
You
know
new
ways
to
identify
things
like
you
know
it
currently
doesn't
handle
Circle
CI.
D
B
D
Well,
yeah
I
would
make
if
there's
a
minor
or
a
patch,
but
the
the
breaking
changes.
You
know
and
really
you
want
to
avoid
breaking
changes.
For
example,
I've
complained
earlier
that
the
badge
application
is
called
CII.
It
hasn't
been
CII
for
a
while,
but
you
know
what
you
could
add
a
new
name
and
then
add
it
and
keep
the
old
name.
D
We
handle
this
slightly
differently
and
you
can
decide
whether
or
not
you
like
this
or
not,
but
whenever
we
propose
adding
new
measures,
we
add
them,
but
we
identify
them
as
what's
called
future
and
future
criteria
are,
you
know
their
criteria
are
described,
they
are
measured,
they
just
don't
count
to
the
score
and
when
you
switch
them
to
counting
to
the
score,
that's
when
the
future
marking
is
removed,
you
don't
have
to
do
it
that
way,
but
I
mean
I.
I.
E
B
And
also
like
I
mentioned,
the
other
point
about
release
notes
now,
specifically
having
release
note:
hey
the
things
are
going
to
affect
the
score
would
specifically
help
people
hey
what
change
and
helping
them
in
the
minor
or
or
any
other
may
not
be
major
or
minor
or
revision
could
specifically
help.
Somebody
understand
why
what
happened.
E
F
B
You're,
probably
right
and
we
should
look
at-
we
should
ask
at
least
look
at
this.
What
what
oh?
But
what
do
you
like,
like,
there's,
always
going
to
be
new
tools,
we're
going
to
identify
like
my
two
cents?
Again
we're
going
to
be
go,
save
Bandit,
there's
somebody
there's
another
tool,
that's
going
to
come
up!
We
as
long
as
we
have
the
framework
in
to
add
these
things.
B
B
We
have,
at
least
in
the
past,
we've
been
able
to
add
tools
which
are
open
source
which
specifically
ads
security
to
the
life
cycle
of
the
project,
at
least
up
until
now,
we
have
not
said
no
to
anything
so
I,
don't
see
a
reason
why
we
would
want
to
say
no
to
unless
either
it's
an
open
source
have
different
licensing
or
if
it's
not
maintained.
Those
are
the
only
reasons
that
at
least
I
can
think
of
I'll.
Let
others
speak
okay,.
F
F
So
maybe
you
know
if
there's
gonna
be
like
a
decision
for
each
of
these
categories.
Whether
it
applies
to
or
you
know,
is
it
sort
of
in
scope
for
scorecard
or
not,
then
that
that
should
you
know,
help
decide
on.
For
example,
scanner
for
CI
pipeline
scorecard
already
has
checks
for
GitHub
items,
I'm,
not
sure
if
that's
really
anything
else
is
really
needed
or
not
that
I
actually
know
of
anything
else.
Scanners
for
IAC.
D
D
People
make
decisions
either
I'm
using
this,
but
maybe
I,
shouldn't
or
I'm
thinking
about
using
this,
maybe
I
should
or
shouldn't
and
so
I
think
having
drilling
down
to
the
yes,
they
have
a
secret
scanner
or
not
is
appropriate
and,
more
importantly,
it
also
provides
information
to
the
projects.
I
mean
that's.
D
D
Although
the
battery
the
badge
does
require
that
this
Fire
Sticks
badge
and
the
best
practices
working
group
has
a
list
of
criteria
of
how
they
recommend
you
evaluate
open
source
software,
they
include
you
use
scorecards
to
get
some
information
and
they
do
include
licensing
under
the
assumption
that
if
you
can't
even
license
the
software
in
a
way
that
makes
it
legal
to
use,
maybe
you
know
you
know
you
don't
have
any
licenses.
You
know
maybe
you're
not
taking
care
of
the
store
for
security
either.
I.
Don't
think
that
that's
unreasonable.
B
F
So
in
this
case,
you
know,
I've
actually
listed
down
the
different
categories
of
scanners
from
The
Benchmark.
So
I'm,
not
really,
you
know
done
it
sort
of
deep
analysis
of
each
of
them,
but
I
don't
want
to
mention
that
scorecard
also
already
checks
if
there's
a
license
file
or
not
right.
This
is
this
is
about
I
think
this
is
about
checking
the
dependencies
and
what
are
the
licenses
or
the
dependencies,
and
if
one
of
those
licenses
is
restrictive,
then
the
license
that
the
you
know
something
around
that
sorts
foreign.
B
B
B
A
What's
the
right
line
to
be
drawing
here
in
terms
of
like
what
licenses
do
we
recommend
and
stuff
like
that,
I
genuinely
think
it.
It
is
somewhat
of
a
involved
discussion,
but
yeah
I
I
do
want
to
just
question
that
there
is
one
extreme
where,
like
you
know,
if
you
start
recommend
recommending
every
tool
you
might
just
end
up,
you
know
recommending
all
sorts
like
people
might
just
come
to
you
and
say:
hey
here's,
my
new
Tool.
D
A
D
I
think
I
think
that's
a
misunderstanding
of
scorecards.
What
I
would
say
is
scorecards
is
incomplete.
It's
it's
got
bugs
one
of
the
bugs
is
it
doesn't
handle
all
tools?
Okay
or
you?
Can
you
don't
have
to
call
it
a
bug
called
incomplete,
but
you
know
it
currently
doesn't
detect
some
tools
in
some
situations.
Excellent,
please
help
us
fix
that.
D
You
know
it
doesn't
handle
get
lab.
That's
up!
You
know
you
that's
true.
Let's
you
know
if
somebody
wants
to
help,
add
support
for
get
lab
and
some
of
these
other
things.
That's
wonderful,
but
I
I
would
not
want
anybody
to
walk
away
and
saying
you
know:
scorecards
only
endorses
specific
tools
and
requires
you
know:
I
mean
if
a
tool
doesn't
do
a
job,
that's
fine,
but
other
than
that.
I
think
they
should
be
in
scope,
but
somebody's
got
to
show
up
be
willing
to
put
in
the
the
effort
to
add
the
detector.
A
So
I
I
think
here's
here's
the
question
right.
So
let's
say
the
SAS
check
is
a
pretty
good
example,
if
someone's
not
using
SAS
I.
Think
if
you
are
a
developer
and
said,
hey
I
want
to
pass
this
check.
The
first
thing
you
would
do
is
what
all
can
I
do,
or
what
steps
can
I
actually
take
to
pass
us
which
kind
of
implies
the
tools
that
scorecard
is
detecting?
Is
this
tools
that
scorecard
in.
D
A
D
I,
don't
think
that
I
think
that's
an
unwise
thing
to
claim,
in
fact,
after
a
certain
point
the
what
is
it
it's,
the
group
that
involves
you
know
in
you
know
was
it
basically,
there
there'll
probably
be
some
legal
claims
if
we
claim
Thou
shalt
use
x.
Why?
Because
that's
what
we
happen
to
implement
today,
I
I,
I
I,
don't
think
that
that's
the
right
message,
I,
really
don't
I,
think
it's
much
better
to
say
we're
looking
for
tools,
we
missed
that
one.
Let's
add
it
if
it's
relevant.
B
D
D
D
D
D
So
that
doesn't
mean
that
you
that
I
I
don't
think
anyone
should
expect
that
you
detect
54
different
types
of
tools,
never
mind
the
hundreds
of
tools
that
actually
exist
right
now.
On
the
other
hand,
if
scorecards
does
this
detection,
it
means
you're
doing
something
valuable
you're
doing
something
different
than
everybody
else.
That's
a
good
thing.
B
G
G
B
B
That
yeah,
it's
something
and
it
was
in
it
wasn't
passing
again
on
my
memory
is
not
fresh
enough.
It
wasn't
passing
the
all
the
checks
and
and
I
think
once
for
that,
I'm
not
wrong,
sorry
and
and
and
because
it
wasn't,
the
bot
automatically
closes
that
if
there's
no
response,
if
there's
no
movement
on
the
pr,
you
should
be
able
to
reopen
the
pr
sorry.
G
B
G
And
another
question:
I
just
just
suggest
a
thought,
I
added
in
in
our
list,
so
for
the
bad
school
that
currently
can
be.
We
have
any
scope
of
opening
a
GitHub
issue
so
that
the
who
is
having
this
repo
and
some
developer
always
there
can
take
a
look.
What
have
the
less
score
bad
score
to
work
on
to
make
the
fix?
You
know
what
they
are
using.
B
B
I
think
that
this,
that
is,
that
is
at
least
right
now,
that
is
not
in
scope,
okay,
to
go,
create
issues
and
people
don't
want
to
be
spammed.
My
two
cents
sort
of
nobody
wants
to
be
spammed,
random
bot,
spamming
them,
saying
hey!
Yours
is
not
right,
and
and
that's
why
that
has
to
need
to
have
a
deeper
discussion.