►
From YouTube: Scorecards Biweekly Sync (December 1, 2022)
A
B
B
C
C
C
D
A
My
name
is
leor
Kaplan
I'm
first
time
here
and
I'm
also
going
to
present
I
think
I'm.
One
also
the
first
in
on
the
agenda
and
the
open
source
program
manager
for
check
marks,
check
marks
is
an
application
security
company
and
we
run
an
open
source
project
named
kicks
as
in
keep
infrastructure
as
code
secure
and
that's
also
the
first
topic
on
the
agenda.
C
E
Yeah
I
wasn't
sure
if
that
was
the
right
place,
but
I'd
want
to
get
it
out,
because
it's
a
little
bit
of
good
news.
Actually
and
first,
let
me
preface
with
we're
having
a
bunch
of
conversations
at
the
governing
board
and
tech
level
about
Focus
for
2023
and
really
increasing
our
focus
and
our
balance
of
attention
and
and
and
budget
were
possible
and
and
making
some
staffing
decisions
around
really
trying
to
bring
together
all
the
software
tools
that
are
underneath
the
open
ssf
into
something
like
a
cohesive
Suite
of
tools.
E
I
would
call
it
a
tool
chain
or
something
like
that,
but
build
on.
You
know:
scorecards,
build
on
open
on
the
Sig
store
and
other
things
and
create
something
that,
like
it's
great
stuff,
that
people
embed
into
all
of
their
other
tool
chains
and
systems,
and
that
kind
of
thing
just
by
default
right
and
so
as
a
part
of
that
we've
received
well
actually
not
entirely
directly
related.
E
But
as
part
of
just
a
bunch
of
the
conversations
we've
had
one
member
of
the
open
as
assistant
one
corporate
member
of
open,
ssf
Amazon
web
services
want
to
give
them
full
credit
has
made
a
targeted
donation.
It's
not
a
directed
fund.
It's
not
a
separate
corporate
structure.
It's
simply
a
donation
to
open
ssf
with
a
bit
of
a
nod
towards
the
work
that
this
community
has
been
doing.
That
scorecards
has
been
doing
to.
E
Frankly,
I
think
it
would
also
apply
to
aggregating
scorecard
in
with
other
measures.
Other
objective
data
to
help
the
broader
stream
2
risk
dashboard
kind
of
question
as
well,
so
it's
not
terribly
defined
or
scoped,
but
it
is
something
that
I
was
was
with
a
knot
towards
the
work
this
community
is
doing
so,
give
us
a
little
bit
of
time
to
figure
out
what
the
appropriate
process
is.
I
do
believe.
E
The
tech
open
subtech
will
want
to
weigh
in
on
how
those
how
that
budget
is
is
distributed,
especially
for
the
larger
ticket
items,
but
I
think
we
can
start
in
this
community
in
this,
in
this
working
group
of
thinking
about
ways
to
effectively
put
funds
to
work,
to
move
the
project
faster
than
it.
Otherwise
might
so.
Merry
Christmas.
C
F
E
Quote
it
yet
I'm!
Sorry,
that's
a
good
good
question.
I
should
have
been
clear.
Give
us
a
chance
to
work
with
Amazon
to
figure
out
what
the
announcement
strategy
for
this
should
be
yeah.
They
were
comfortable
enough
with
it
and
we
have
the
PO.
So
it's
it's
it's
it's
it's
like
fixed,
but
give
us
a
chance
to
figure
out
how
we
want
to
PR
it.
We
will
do
some
sort
of
PR
in
the
next
few
weeks.
E
E
C
A
B
A
Just
okay,
so
hi
everyone
I'm
glad
to
see
you
in
this
meeting
is
it.
This
is
my
first
time
feel
free
to
interrupt.
If
you
have
questions
or
missing
one
of
the
procedures
for
for
the
meeting,
I
wanted
to
talk
about
infra,
it's
called
security
as
part
of
scorecard,
and
that's
because
I'm
leading
a
project
in
that
area.
A
A
B
A
The
motivation
for
talking
about
infrastockets
code
files
is
that
many
projects
use
it
and
and
use
it
to
facilitate
faster
installation
and,
of
course,
consumption
of
their
project.
We'll
talk
about
these
two
things
in
separately.
We
want
to
verify
that
project
check
the
security
of
these
files,
making
sure
the
artifacts
and
the
community
who
use
them
will
be
safer
and,
of
course,
this
Plato
verses
have
also
supply
chain
security
implications,
which
is
something,
of
course,
is
in
interest
for
open
ssf
in
general.
A
In
scorecard,
specifically,
we
already
saw
a
few
requests
of
that
by
the
community.
I
found
two
issues
on
GitHub
that
mentioned
infrastructure
is
called
scans,
would
it
be
regarding
others,
sus
tools
and,
of
course,
supporting
different
type
of
files.
So
we
see
there's
demand
and
of
course,
that's
coincides
with
my
concept
of
scan.
A
I
wanted
to
talk
a
little
bit
about
the
scope
of
the
of
the
scan
the
project
you
might
use
infrastructure
as
code
for
two
main
categories.
The
first
would
be
the
project
infrastructure,
CI
server,
the
test,
the
containers
for
test
demos
website,
whatever
the
project
needs
and
the
second
category
would
be
the
artifact
the
project
produces
or
the
the
files
that
help
the
project
produce
the
artifacts.
A
It
could
be
container
for
users,
consumption,
the
helm
chart
for
installation,
a
container
being
used
for
the
builds
and
by
that
might
really
influence
the
binaries
or
whatever
artifacts
the
project
has-
and
we
aim
for
the
second
category.
So
we
want
to
make
sure
that
whatever
the
users
consume
or
whatever
effects,
what
the
user
consume
is
being
secure,
we're
not
going
to
test
internal
infrastructure
which
don't
affect
what
the
user
has.
A
A
Okay,
what
we
wanted
to
do
is
first
detect
if
a
repository
have
infrastructures
called
files
and
then
check.
If
there
is
a
security
check
in
place,
we
want
to
warn
users
in
case
those
files
do
exist,
but
there
isn't
a
security
check
in
place,
which
is
something
similar
to
what
we
do
with
dependencies
and
composition.
A
Analysis
tools
still
not
not
talking
about
the
result
of
that
security
check
phase
two
would
be
to
actually
score
the
based
on
the
result
of
the
infrastructure,
as
code
Security
check,
for
example,
scoring
each
critical
result
is
two
point
reduction
from
10
to
0
and
the
high
results.
High
severity
results
as
one
point
reduction,
ignoring
completely
from
medium
low
and
informational
results
in
such
a
security
check,
the
third
phase,
which
will
probably
be
somewhere
in
later
this
year.
A
It's
been
used
for
another
two
example:
repositories
red
panda,
which
uses
them
for
a
few
of
their
projects.
I
just
gave
the
main
one
and
Captain,
which
is
also
a
cloud
native
project
and
uses
the
kicks
GitHub
action
to
scan
the
project.
Just
to
give
some
references,
I'll
share
the
the
slides
as
part
of
the
the
agenda
of
the
of
the
meeting,
and
just
to
give
you
some
reference
of
things.
A
We
check
for,
for
example,
developer
best
practices,
best
practices
in
this
case
of
Docker
creation,
Docker
image
creation
same
with
Helm
charts
and,
of
course
the
last
link
is
a
list
of
all.
Our
queries
for
kicks.
Kicks
is
based
on
the
Oppa,
which
is
by
itself
a
cloud
native
project.
We
have
24
more
than
2400
queries,
which
is
the
most
extensive
in
in
the
category
of
industrial
infrastructure,
is
called
scanning
tools
and,
of
course,
it's
all
it's
all
open
source
and
you
can
use
it.
A
G
A
A
So
what
we
hope
for
is
to
scorecards
in
the
future
phases
to
actually
run
kicks
if
possible.
If
not.
First
check
the
use
kicks
to
to
check
the
existence
of
such
files.
We
can
of
course
make
sure
the
the
relevant
check
is,
is
Made
Easy
through
kicks,
or
if
the
code
needed
to
be
contributed
directly
to
scorecards,
that's
also
an
option
in
later
phrases.
We
would
hope
that
the
the
pro
the
scorecards
would
run
kicks
if
the
project
doesn't
does
so
by
itself.
A
If
the
project
does
so,
we
can
just
read
the
results.
The
project
would
save
I.
Think
the
goal
or
a
sub
goal
of
of
this
idea
is
to
encourage
projects
both
to
to
run
the
Security
check
themselves
and
also
save
the
results.
So
it
would
be
accessible
to
anyone
who
uses
the
project
raising
awareness
even
reading
the
the
GitHub
for
the
project
having
a
GitHub
action
that
actually
runs
the
security
check,
save
the
files
and
exposes
the
data
to
to
the
project
users.
A
G
F
Hey
great
thanks
one
of
the
questions
that,
if
you
can
you
go
back
to
go
back
in
your
slide
to
phase
one
of
specifically
on
that,
yes
to
the
creepo
with
IAC
files,
and
you
specifically
mention
a
couple
of
things
in
this-
you
said:
hey,
there
are
IEC
files.
Developing
the
project
could
use
an
issue.
Project
could
produce
correct.
It's
just
trying
to
make
the
make
sure
the
industry.
F
How
are
you
able
to
identify
the
account
charts,
like
example,
I'm,
just
picking
examples
scorecard
being
consumer
of
the
home
chart
versus
scorecard
called
producing
hulksharp?
How
are
you
going
to
identify
two
differences
because
that's
going
to
be
because
that's
that's
the
goal
or
one
of
the
goals
to
make
sure
what
what
that
project
reduces.
What
how
are
you
able
to?
How
are
you
able
to
identify
those
separation
of
concerns.
A
First,
the
the
files
themselves
have
the
same
exact
same
format,
regardless
of
the
use
being
being
done
on
them.
What
we
see
in
a
lot
of
projects,
it's
it,
might
be
different
locations
inside
the
project
separating
the
the
name
of
the
directories.
In
other
cases,
a
lot
of
the
internal
infrastructure
usually
sits
on
a
different
repository,
some
cases,
even
less
common,
less,
not
always
less
public,
but
usually
not
the
the
main
Repository
but
you're
right.
A
A
F
F
A
A
It
would
be
easier
for
projects
to
to
gather
awareness,
say:
oh
I
I'm,
probably
missing
a
check,
let's
edit,
and
have
time
to
process
the
results
instead
of
starting
with.
Oh,
my
grade
is
so
low.
Why
is
it
and
suddenly
they
have
to
do
everything
in
place?
My
guess
that
would
be
easier
if
you
guys
have
a
feeling
to
do
step
one
and
two
together,
I'm
all
for
it.
F
B
Yeah,
thanks
for
the
presentation,
I
think
it
was
pretty
to
the
point
yeah.
So,
like
my
question
was
about
there.
There
are
like
some
some
checks
that
Kix
has
for
for
a
supply
chain.
Security
issues
so
like
dependency
pending
and
you
know,
I
was
wondering
if
there's
any
like.
If
you
had
thought
about
any
integration
there
or
like
you,
have
any
recommendation
there
on
things
that
could
be
interesting
for
us
to
explore.
A
One
of
the
things
the
team
do
is
also
releasing
proof
concept
of
some
of
the
check.
Sorry,
some
of
the
checks
they
they
didn't
sorry,
some
of
the
checks
to
the
problems
they
noticed.
We
couldn't
incorporate
them
to
things
which
are
relevant
on
the
GitHub
repository
both
on
categories
like
if
the
project
might
have
a
type
confusion
or
could
be,
someone
could
hijack
the
name
of
the
project
because
it
was
renamed
in
the
past.
A
It's
might
be
a
dish,
a
nice
addition
to
scorecards
and,
of
course
we
can
go
over
the
the
other
tools,
the
the
team
released
and
see
how
we
can
integrate
it.
It's
not
necessarily
only
infrastructure
as
code,
but
I
think
that
would
be
a
nice
addition
regarding
supply
chain
security
with
infrastructures,
code
I
think
it
would
be
interesting
so
to
also
follow
on
the
containers
the
the
the
project
produces
and
make
sure
we
aware
what
are
the
official
images
and
in
a
lot
of
cases
it's
might
be
confusing.
A
Usually
when
I
talk
about
such
problems,
I
give
an
example
of
minio.
Whenever
you
search
for
a
minio
container,
you
find
a
big
number
of
results
on
whatever
search
you
do.
Would
it
be
Docker,
Hub
or
any
other
search
engine?
And
it's
not
always
clear,
which
is
the
official
Docker
image
of
the
project
and
what
is
something
other
vendors
create.
A
Some
of
the
big
vendors
and
I
think
it
would
be
interesting
to
tie
the
result
of
the
official
container
to
the
repository
making
sure
we
scored
also
based
on
that.
But
that
also
requires,
in
a
lot
of
cases,
a
tool
to
not
only
scan
the
infrastructure
that
creates
the
container.
That's
calendar
container
itself,
which
is
another
way
to
to
extend
scorecards,
but
tying
the
all
the
different
parts
of
the
artifacts
to
one
location
and
scanning.
All
of
them
might
be
quite
important
for
supply
chain
security.
B
A
A
F
I'm
going
to
speak
for
myself,
I'm
not
going
to
speak
for
the
interim
I
would
say
first
write
an
issue
as
how
and
what
and
then
people
can
also
read
through
it
then
do
asynchronously
instead
of
first
doing
a
VR.
That
would
be
my
tradition
to
like,
whatever
you
presented
right
now,
it'll
be
a
great
point
to
write
an
issue
talk
to
the
face.
Then
there
are
other
contributors,
everybody
who's,
not
in
the
call,
and
even
those
contributors
in
the
call
still
like
to
think
through
the
thought
process
and
move
forward
with
that.
G
F
G
Cool
yeah
I
I
can
speak
for
myself,
I
think
it's
interesting,
I
guess
the
the
devils
and
the
detail,
the
integration
part
is
I.
I
can
see
different
ways
we
can
integrate.
One
is
some
of
the
chicks
that
you
already
have
that
we
can
call
your
library
directly.
That
could
be
one.
The
other
one
is
to
improve
the
sust
check
that
we
have
and
have
more
categories
in
those
checks
like.
Is
it
the
language,
the
programming
language
static
analysis
tool?
Is
it
like
a
linter?
Is
it
a
supply
chain
thing?
G
Is
it
an
infrastructure
as
code
linter,
slash,
static
analysis,
and
then
we
could
also
say
you
know
if,
if
we
find
some
files
that
are
infrastructure
as
good,
it
would
be
great
for
you
as
a
project
to
have
to
use
a
GitHub
action
or
a
tool
to
to
run
checks,
and
then
kicks
could
be
one
of
those
actions
that
we
check
for
I
guess.
A
combination
of
those
would
also
be
possible.
C
Yeah
my
view
is
similar
to
laurent's,
where
I
think
it's
something
where,
if
you
have
infrastructure
as
code
checked
in
somewhere
to
your
repo,
it
makes
sense
to
be
using
a
scanner
and
I.
Think
a
lot
of
the
discussion
will
come
into
how
it
gets
integrated
into
scorecard,
whether
as
a
check
of
its
own
or
part
of
an
existing
check.
F
F
G
F
Okay,
and
also
like
again,
probably
we'll,
have
to
go
read
that
at
least
on
things
like
specifically
like
how
do
you
like
what
drug
I've
asked?
How
do
you
figure
out
the
pen
chart
like
because
that's
that's
according
to
every
repository,
how
do
you
make
sure
they're
pinned
on
what
it
is
and
how
are
you,
how
are
you
at
least
some
links
to
your
docs
so
that
we
can
read
through
and
understand
that
probably
great.
C
C
C
H
Yeah
I'll
go
ahead,
so
I
think
this
shouldn't
be
a
surprise
to
anyone,
but
you
know:
we've
been
talking
about
scorecards
scorecard
being
used
in
multiple
ways
like
in
one
way
in
kind
of
the
first
paragraph
here
the
background
is
like
you
want
to
compare
two
different
projects
that
you
don't
own
in
that
case
as
as
by
Design
scorecard
is
opinionated
on
you
know
what
should
be
turned
on
what
should
be
turned
off.
What
what
correlates
to
what
score
that
way.
H
H
So
in
this
document,
I
attempt
to
cover,
like
those
use
cases
that
that
I'm
describing
here
right
now
and
then
how
these
are
going
to
take
in
things
that
we're
going
to
call
annotations
and
configuration
so
yeah.
If
you
can
scroll
down
to
the
definitions
annotation,
there
is
a
like
a
comment
that
you
would
put
on
a
line
so,
for
example,
on
the
pin
dependency
check,
you
could
say
ignore
this
line.
H
This
I
know
this
is
an
unpin
dependency
but
I'm,
okay,
with
it
similar
thing
for
like
a
dangerous
workflow
or
something
like
that,
and
then
configuration
would
be
a
file,
not
an
annotation
via
file.
Let's
say
scorecard
yaml
where
you
put
settings
for
checks.
So,
for
example
like
in
the
binary
artifacts
check,
you
could
put
a
setting
to
ignore
a
particular
file
or
yeah.
You
can
scroll
down
to
the
configuration
there.
H
H
So
therefore,
and
then
I
have
some
user
Journeys
here,
so
one
is
I
want
to
run
it
on
my
own
project,
so
I
would
want
scorecard,
then
to
take
into
account
these
configurations
that
I
set
in
my
own
project
in
that
scorecard
yaml
file
or
the
annotations.
So,
in
this
case,
I
want
I
want
scorecard
to
show
me
like
my
beautified
score.
That
is
all
the
things
I.
H
Don't
care
about,
removed,
same
thing
with
the
GitHub
action
you
would
kind
of
want
to
see
like
your
code,
scanning
alerts
in
GitHub
reflect
your
annotations
and
your
configuration,
but
we
still
need
to
support
the
other.
You
know
the
main
use
case
or
the
other
use
case
of
scorecard
today
as
I
want
to
run
it
against
somebody
else's
project.
So
we
need
to
have
the
right
chameleon
options
or
default
Behavior
to
ignore
config
and
annotations
these
things.
Might
you
might
not
trust
that
the
other
project
is
using
them
fairly?
H
You
know
somebody
could
just
set
their
config
to
turn
off
all
the
checks
that
they
don't
like
all
right
and
then
give
their
give
themselves
a
10
which
isn't
really
what
we
want.
So
we
need
to.
We
need
to
have
the
ability
to
see
to
see
what
the
these
the
raw
scores
or
the
score
without
the
the
config
and
similarly
All-Star
uses
scorecard
as
a
policy,
so
as
an
org
owner
you'll
want
to
run
scorecard
on
all
the
repos.
H
In
your
org
and
get
issues
for
those-
and
you
may
not
actually
trust
that
by
policy
like
your
your
individual
repos
in
your
org,
so
you
want
to
be
able
to
allow
or
disable
allow
or
not
allow
annotations
or
config
on
each
individual
check.
That's
run
on
all
the
repos
in
your
work,
so
one
thing
I'm
not
covering
here
on
my
pres
on
my
proposal
or
or
in
this
journey-
is:
what
are
we
going
to
show
online
or
in
the
readme
badge?
H
H
So,
if
you
want
to
scroll
down,
I
have
a
chart
yeah
here
so
I'm,
trying
to
kind
of
cover
for
each
check
and
figure
out
what
would
be
the
annotation
or
config.
So
I
did
a
first
pass
on
all
the
all
the
checks.
So,
like
token
permissions,
you
know
you
would
have.
You
could
have
annotations
say,
ignore
this
line
where
I'm,
setting
this
token
permission
or
like
in
Branch
protection,
you
might
decide
I
want
to
allow
admin
override.
H
H
F
Amazing
no
questions
about
this
is
a
great
thing.
One
of
the
questions
that
I
had
is
sorry
I,
probably
didn't
read
through
the
entire
doc.
How
does
it
affect
the
like?
Like
the
specific
use
case,
will
it
will
it
report
both
the
scores?
If,
if
a
GitHub
action
is
like
with
scorecard
action
is
being
configured,
will
it
will
both
the
scores
be
recorded
on
the
API
or
what's
the
type
process
on
that.
H
Yeah,
so
for
the
GitHub
action,
the
only
kind
of
I
mean
I,
guess
in
the
log.
You
can
see
the
findings,
but
the
the
I
think
what
I'm
defining
here
in
the
user
journey
is
that
you
would
not
see
things
that
are
like
commented
out
in
your
code.
Scanning
alerts
for
the
CLI
I
think
it's
Up
For
Debate.
What
we
show
do
we
always
show
both.
Do
we
always
show
do
you
know
or
do
we
you
know
in
which
one
is
the
default?
F
So
on
that
question,
so
take
example:
if
I
depend
on
listen
to,
you
might
depend
on
all
All-Star
I
wanna
I
wanna
me
as
a
scorecard
user
depend
on
this.
Library
called
All-Star
and
I
want
to
keep
track
of
the
score
now.
All-Star
can
be
a
bad
act
or
add
these
additional
stuff
and
for
me
to
get
the
score
I
hit
the
scorecard
API
to
go,
get
the
score
and
all
of
a
sudden,
All-Star
score
turns.
H
Out
to
be
good,
so
right
so
again,
I
I'm
not
defining
that
here.
So
if
we
scroll
down
a
little
bit
for
like
what
I'm
not
defining
on
the
user,
Journey
Spencer
so
outside
the
scope
is
I
want
to
view
scorecard
scores
online
I
think
once
we
have
this,
you
know
we
have
the
ability
to
run
CLI
with
seeing
the
config
and
not
seeing
the
config.
Then
we
need
to
figure
out.
We
need
to
talk
about
answering
these
questions.
H
B
H
F
I'm
building
because
I'm
like
everybody's
trying
to
use
or
people
are
trying
to
use
scorecard
as
an
API.
They
want
to
trust
them,
and-
and
that's
one
thing-
that's
my
only
I
think
we
should
talk
about
that,
because
this
is
a
great
thing,
but
if
we
don't
decide
what
if
we
decide
either
way,
that
should
be
a
point
that
I
would
like
to
talk
about
just
to
make
sure
that
we
are
yeah
but
other
than
that.
It's
great
cool.
Thank
you.
F
Oh
sorry,
I
have
another
one
question:
I
also
saw
about
your
code
annotations
for
doing
that.
I'm
going
I
am
I'm
on
that,
specifically
the
code
annotations
being
from
parsing
code
and
and
also
picking
yaml
as
the
standard.
Those
are
implementation
details.
Have
you
gone
down
the
rabbit
hole
of
that
is
the
only
way
to
go
about
it.
Are
you
still
open
to
ideas
having
some
other
thought
process.
H
G
G
Maybe
you
can
just
we'll
be
able
to
provide
like
file
names,
so
people
can
just
click
on
it
and
and
see
why,
in
the
code
or
like
even
reports
like
the
intent
directly
in
the
scroll
up
results,
so
the
score
wouldn't
change,
but
we
would
give
a
the
opportunity
for
consumers
to
look
at
if
something
fails,
why
does
it
fail?
What's
the
reasoning
from
the
maintenance
point
of
view.
H
C
Yeah
I
was
just
going
to
say
that
people
have
expressed
in
the
past
having
this
sort
of
customizability.
Sorry
I
linked
an
issue
in
the
things,
basically
about
being
able
to
specify
custom
weights
or
ignoring
checks
completely
so
I
think
as
a
feature.
It
makes
sense,
but
reiterating
what
Naveen
and
Laurent
have
saying
just
keeping
the
API
unopinionated
and
or
if
we
do
have
an
opinion.
It's
our
own
scoring.
H
B
G
F
F
C
Thanks
all
right,
thanks,
Jeff
all
right,
so
next
was
just
something
that
got
brought
up
through
a
issue
that
was
filed
where
a
repo
wasn't
getting
results
from
a
security
policy.
They
had
to
sign
or
defined
due
to
a
get
attributes
file,
which
essentially
says
when
I'm
exporting
my
repo
to
a
tarball.
What
do
I
want
to
ignore-
and
it
has
some
effects
on
how
scorecard
can
evaluate
a
repo
seeing
as
right
now,
the
code
downloads,
the
tarball
and
extracts
it.
C
So
anything,
that's
not
in
that
tarball
isn't
available
for
scorecards
analysis,
so
we've
previously
talked
about
go,
get
which
is
a
go
implementation
library
for
git,
so
one
alternative
would
be
downloading
or
cloning
a
repo
through
that
dependency,
so
I
know
Naveen
in
the
past
has
expressed
all
these
open
security
advisories,
but
the
code
is
constantly
at
least
over
the
last
few
weeks,
getting
improved.
So
all
those
advisories
have
been
resolved,
there's
still
no
issue
a
new
release
cut
but
I
think
evaluating
how
we
want
to
sort
of
tackle.
C
This
is
something
that
we
should
look
at
and
I
can
open
an
issue
to
discuss
this
just
keeping
an
eye
on
time
in
terms
of
this
meeting.
But
it
is
just
something
I
wanted
to
mention,
because
it
has
the
implications
of
like
a
repo
being
able
to
be
malicious
in
terms
of
what
they
hide
from
scorecard,
whether
that's
binary,
artifacts,
dangerous
workflows.
That
sort
of
thing.
F
C
F
Okay,
so
we
did
we
added
a
bunch
of
bunch
of
new
features
that
we
don't
have
specific
thing
of
when
we
want
to
cut
a
release
like
not
just
going
and
doing
a
getting
doing
like
cutting
a
release
and
get
up,
but,
like
recently
somebody
is
adding
support
for
gitlab.
All
of
these
great
things
are
coming
up
and
if
we
have
a
Target
date
like
let's
the
reason
I'm
specifically
talking
about
this
is
one
of
the
things
like
expensive.
If
you
don't,
like
you,
click
on
that
specific
PR
yeah.
F
I
want
to
go
work
on
the
specific
feature,
wherein
it'll
be
great
for
scorecard
action
to
be
integrated
into
scorecard
API
to
say,
hey
if
I'm,
depending
on
so
many
dependencies.
How
are
the
scores
of
dependency
so
now
it'll
be
nice
that
if
we
as
a
we
as
a
group,
said
saying
you
know
what
q1
we
should
release,
we
should
release
and
in
this
release
we
should
put
these
things
and
try
and
Target
them
that
that
is
my
thought
process.
F
F
F
The
reason
I'm
saying
is
we're
building
these
great
features,
but
if
we
don't
have
scheduled
release
date
to
say
this
is
the
date
that
we
want
to
release
these
features
in
and
also
come
up
with
hey.
These
are
the
new
features
that
we
built
in
and
have
a
grand
release
for
people
to
know
about
these
things
would
be
a
good
thing.
So
what
I'm
trying
to
say
is,
can
we
pick
say
q1,
March
I'm,
just
picking
something
is
that
is
that
a
I
wanna
I
wanna
set
some
date.
G
Would
say
the
release
that
works
for
you
and
obviously
we
can
help
with
the
reviews.
But
if
you're
excited
about
it,
I
think
just
go
for
it
yeah
and
then
we
can
work
out
like
it
depends
on
your
schedule
when
you
think
that's
kind
of
durable
and
we
can
have
enough
testing
and
then
we
can
have
a
cool
blog
post,
because
I
think
that's
a
very
cool
feature
right.
F
Doing
that
one
obviously
just
doing
that
one
feature
we
are
building
other
stuff
in,
but
if
we
say
hey
buy
q1,
if
you
want
to
release
scorecard
next
action
or
scorecard,
then
do
we
want
to
prioritize
work
and
decide.
You
know
what
this
would
be
a
great
feature
to
add
like
I'm,
just
speaking
an
example,
if
it's
not
the
Jeff,
if
what
Jeff
is
working
on
like
we
can
probably
think
of
releasing
everything
together.
F
F
F
Yep
I
agree,
I
can
I
can
start
and
I
can
start.
It
can
be
before
that
seven
I
mean
on
bb5,
like
I'm,
just
being
an
example,
so
I
can
start
saying,
make
release
and
we
can
decide
what
the
name
is
but
but
tell
people
think
I
also
add
something
we
can
we
can.
We
can
do
this
asynchronously.
Not.
You
know,
asynchronously.
B
G
Enabled
four
card
and
scorecard
to
see
if
anything,
breaks,
yep
right
now,
right
now,
I
see
a
lot
of
API
rate
limiting
being
hits
with
the
GitHub
token
and
I
I,
wonder
whether
that's
a
side
effect
of
running
scorecards
on
every
commit
in
a
full
request
and
I,
don't
I
mean
we
are
very
like
API
consuming
like
we
have
so
many
yes
recently
right.
So
not
everyone
is
going
to
have
that
problem,
but
basically
I
started
this
to
to
see
like
what
kind
of
things
we
already
missing.
That
might
cause
problems.
F
If
we
configure
this
particular
feature
or
say
just
look
at
my
API
look
at
scorecards,
API
and
just
I:
don't
want
you
to
run
every
other
scorecard,
but
just
the
API
results
of
my
dependencies
would
be
a
great
thing
to
say,
because
I'm
I'm
running
I'm
Flying
Blind
right
now.
That
would
be
a
great
addition.
My
two
sense
of
that.
C
I
Yeah
I
just
wanted
to
draw
attention
to
it
real
quick.
We
could
do
the
actual
discussion
in
the
issue
itself,
but
I
want
to
say
last
month
or
the
month
before,
I
brought
up
the
topic
of
scorecard
scan
between
two
releases
to
see.
If
it's
something
that
you
guys,
the
maintainers
would
be
interested
in
some
variant
of
it.
Last
time,
I
brought
it
up.
I
think
there
was
the
oh,
the
concept
of
releases
isn't
really
there
or
scorecard
so
there's.
I
I
F
If
you
don't
like
any
scroll
down
a
little
bit
on
that
issue,
please
probably
probably
that's
another
tracking
issue,
not
there's
probably
another.
One
I
think
I
thought
I
thought
azim
committed
on
that.
Carolyn
sorry
isn't
commit
that
feature
that
recently
got
merged
in.
Wouldn't
that
help
what
you,
what
you're
looking
for.
I
Yeah,
it
definitely
helps
and
I
would
say
that,
like
this
work
would
be
using
the
commit
depth
feature
and
the
work
done
there,
but
this
would
be
just
a
consumer
level.
Change
that
you
could.
You
know,
put
in
the
release
a
and
release
B
and
then
get
the
results
of
the
scan
between
those
two
releases
rather
than
having
to
do
the
math
of
so
we
have
this
commit
and,
like
X,
commits
back
equals
like
release
one
to
release
two.