From YouTube: Scorecards Biweekly Sync (December 1, 2022)
A
B
C
Just
going
to
give
it
a
few
more
minutes
for
everyone
to
trickle
in
but
feel
free
to
take
a
look
at
the
agenda
and
add
your
name
to
the
attendee
list.
B
C
C
About
three
after
my
name's
Spencer
I'll
be
facilitating
today's
meeting,
so
I'll
be
sharing
the
stock
and
any
links
that
we
talk
about.
C
C
Just,
let
me
know
I
can
find
the
link,
so
the
first
step
is
usually
to
see
if
we
have
any
new
members.
That
would
like
to
give
a
brief
introduction
it's
optional,
but
if
you
feel
like
it
feel
free
to
give
a
little
introduction.
C
D
Yeah,
this
is
Matt
speakerman
with
Dao.
This
is
my
first
time
attending
this
session
and
I'm
responsible
for
application
security
at
Dao
and
just
looking
to
learn
a
little
bit
more
about
scorecard.
A
My
name
is
leor
Kaplan
I'm
first
time
here
and
I'm
also
going
to
present
I
think
I'm.
One
also
the
first
in
on
the
agenda
and
the
open
source
program
manager
for
check
marks,
check
marks
is
an
application
security
company
and
we
run
an
open
source
project
named
kicks
as
in
keep
infrastructure
as
code
secure
and
that's
also
the
first
topic
on
the
agenda.
C
Nice
yeah
thanks.
So
usually
we
go
through
the
project
and
individual
updates.
First,
so
Brian.
If
you
wanted
to
talk
about
the
openssf
budget,
support.
E
Yeah
I
wasn't
sure
if
that
was
the
right
place,
but
I'd
want
to
get
it
out,
because
it's
a
little
bit
of
good
news.
Actually
and
first,
let
me
preface
with
we're
having
a
bunch
of
conversations
at
the
governing
board
and
tech
level
about
Focus
for
2023
and
really
increasing
our
focus
and
our
balance
of
attention
and
and
and
budget
were
possible
and
and
making
some
staffing
decisions
around
really
trying
to
bring
together
all
the
software
tools
that
are
underneath
the
open
ssf
into
something
like
a
cohesive
Suite
of
tools.
E
I
would
call
it
a
tool
chain
or
something
like
that,
but
build
on.
You
know:
scorecards,
build
on
open
on
the
Sig
store
and
other
things
and
create
something
that,
like
it's
great
stuff,
that
people
embed
into
all
of
their
other
tool
chains
and
systems,
and
that
kind
of
thing
just
by
default
right
and
so
as
a
part
of
that
we've
received
well
actually
not
entirely
directly
related.
E
But
as
part
of
just
a
bunch
of
the
conversations
we've
had
one
member
of
the
open
as
assistant
one
corporate
member
of
open,
ssf
Amazon
web
services
want
to
give
them
full
credit
has
made
a
targeted
donation.
It's
not
a
directed
fund.
It's
not
a
separate
corporate
structure.
It's
simply
a
donation
to
open
ssf
with
a
bit
of
a
nod
towards
the
work
that
this
community
has
been
doing.
That
scorecards
has
been
doing
to.
E
E
That
will
be
able
to
put
to
work
starting
as
soon
as
you'd
like,
but
really
ideas
over
the
next
year
to
in
targeted
ways
to
do
the
kinds
of
things
that
would
help
move
the
project
forward,
whether
that's
because
custom
engineering
or
you
know
paid
for
contract
development
or
Services
work
and
stuff
behind
the
scorecard
API.
E
Frankly,
I
think
it
would
also
apply
to
aggregating
scorecard
in
with
other
measures.
Other
objective
data
to
help
the
broader
stream
2
risk
dashboard
kind
of
question
as
well,
so
it's
not
terribly
defined
or
scoped,
but
it
is
something
that
I
was
was
with
a
knot
towards
the
work
this
community
is
doing
so,
give
us
a
little
bit
of
time
to
figure
out
what
the
appropriate
process
is.
I
do
believe.
E
The
tech
open
subtech
will
want
to
weigh
in
on
how
those
how
that
budget
is
is
distributed,
especially
for
the
larger
ticket
items,
but
I
think
we
can
start
in
this
community
in
this,
in
this
working
group
of
thinking
about
ways
to
effectively
put
funds
to
work,
to
move
the
project
faster
than
it.
Otherwise
might
so.
Merry
Christmas.
C
F
Brian
is
there
a
specific
comment
that
Amazon
made
for
this
Okay?
The
reason
I'm
being
I'm
specifically
asking
is
Brian
Russell
and
I?
Are
writing
a
blog
post
in
GitHub
about
scorecard?
That
would
be
nice
if
they
can
throw
in
there
come,
and
we
can
quote
that.
That's
the
reason.
Don't.
E
Quote
it
yet
I'm!
Sorry,
that's
a
good
good
question.
I
should
have
been
clear.
Give
us
a
chance
to
work
with
Amazon
to
figure
out
what
the
announcement
strategy
for
this
should
be
yeah.
They
were
comfortable
enough
with
it
and
we
have
the
PO.
So
it's
it's
it's
it's
it's
like
fixed,
but
give
us
a
chance
to
figure
out
how
we
want
to
PR
it.
We
will
do
some
sort
of
PR
in
the
next
few
weeks.
E
F
No,
we
don't
want
to.
We
don't
wanna,
not
the
pr
about
the
donation,
but
the
right.
E
C
All
right,
thank
you,
Brian.
So,
as
Leora
mentioned
up
first
on
the
agenda,
is
the
infrastructure
is
code
scorecard
proposal,
so
I
will
stop
sharing
so
that
the
liar
can
take
over.
A
B
A
Just
okay,
so
hi
everyone
I'm
glad
to
see
you
in
this
meeting
is
it.
This
is
my
first
time
feel
free
to
interrupt.
If
you
have
questions
or
missing
one
of
the
procedures
for
for
the
meeting,
I
wanted
to
talk
about
infra,
it's
called
security
as
part
of
scorecard,
and
that's
because
I'm
leading
a
project
in
that
area.
A
It's
recently
I
mean
earlier
this
week
it
reached
1
million,
pulls
on
Docker
Hub.
It's
already
been
adopted
by
gitlab,
it's
the
default
infrastructure.
It's
called
scan
tool
for
them
and,
of
course,
we
use
quite
widely,
and
we
wanted,
as
part
of
kicks
to
to
bring
IX
security
into
scorecards.
B
A
Okay,
I'll
keep
the
presentation
brief,
just
to
touch
the
the
main
points.
A
The
motivation
for
talking
about
infrastockets
code
files
is
that
many
projects
use
it
and
and
use
it
to
facilitate
faster
installation
and,
of
course,
consumption
of
their
project.
We'll
talk
about
these
two
things
in
separately.
We
want
to
verify
that
project
check
the
security
of
these
files,
making
sure
the
artifacts
and
the
community
who
use
them
will
be
safer
and,
of
course,
this
Plato
verses
have
also
supply
chain
security
implications,
which
is
something,
of
course,
is
in
interest
for
open
ssf
in
general.
A
In
scorecard,
specifically,
we
already
saw
a
few
requests
of
that
by
the
community.
I
found
two
issues
on
GitHub
that
mentioned
infrastructure
is
called
scans,
would
it
be
regarding
others,
sus
tools
and,
of
course,
supporting
different
type
of
files.
So
we
see
there's
demand
and
of
course,
that's
coincides
with
my
concept
of
scan.
A
I
wanted
to
talk
a
little
bit
about
the
scope
of
the
of
the
scan
the
project
you
might
use
infrastructure
as
code
for
two
main
categories.
The
first
would
be
the
project
infrastructure,
CI
server,
the
test,
the
containers
for
test
demos
website,
whatever
the
project
needs
and
the
second
category
would
be
the
artifact
the
project
produces
or
the
the
files
that
help
the
project
produce
the
artifacts.
A
It
could
be
container
for
users,
consumption,
the
helm
chart
for
installation,
a
container
being
used
for
the
builds
and
by
that
might
really
influence
the
binaries
or
whatever
artifacts
the
project
has-
and
we
aim
for
the
second
category.
So
we
want
to
make
sure
that
whatever
the
users
consume
or
whatever
effects,
what
the
user
consume
is
being
secure,
we're
not
going
to
test
internal
infrastructure
which
don't
affect
what
the
user
has.
A
A
Okay,
what
we
wanted
to
do
is
first
detect
if
a
repository
have
infrastructures
called
files
and
then
check.
If
there
is
a
security
check
in
place,
we
want
to
warn
users
in
case
those
files
do
exist,
but
there
isn't
a
security
check
in
place,
which
is
something
similar
to
what
we
do
with
dependencies
and
composition.
A
Analysis
tools
still
not
not
talking
about
the
result
of
that
security
check
phase
two
would
be
to
actually
score
the
based
on
the
result
of
the
infrastructure,
as
code
Security
check,
for
example,
scoring
each
critical
result
is
two
point
reduction
from
10
to
0
and
the
high
results.
High
severity
results
as
one
point
reduction,
ignoring
completely
from
medium
low
and
informational
results
in
such
a
security
check,
the
third
phase,
which
will
probably
be
somewhere
in
later
this
year.
A
Of
course,
this
proposal
get
accepted
would
be
to
extend
the
checks
into
GitHub
actions
and
workflows.
A
That's
a
feature
we
plan
for
kicks,
probably
for
q1,
so
we
we
just
want
to
give
it
as
part
of
the
roadmap,
but
it's
still
not
an
implemented
implemented
feature
scorecards
already
today
have
some
interest
in
the
GitHub
action
and
workflow
and
I
think
talking
about
not
only
their
existence,
but
also
their
security
would
be
a
nice
addition
to
what
scorecard
can
check
foreign
just
to
give
some
reference,
as
I
mentioned
earlier,
kicks
is
being
used
by
GitHub
itself,
which
has
about
4
000
Stars
on
their
own
platform,
which
is
of
course
quite
popular.
A
It's
been
used
for
another
two
example:
repositories
red
panda,
which
uses
them
for
a
few
of
their
projects.
I
just
gave
the
main
one
and
Captain,
which
is
also
a
cloud
native
project
and
uses
the
kicks
GitHub
action
to
scan
the
project.
Just
to
give
some
references,
I'll
share
the
the
slides
as
part
of
the
the
agenda
of
the
of
the
meeting,
and
just
to
give
you
some
reference
of
things.
A
We
check
for,
for
example,
developer
best
practices,
best
practices
in
this
case
of
Docker
creation,
Docker
image
creation
same
with
Helm
charts
and,
of
course
the
last
link
is
a
list
of
all.
Our
queries
for
kicks.
Kicks
is
based
on
the
Oppa,
which
is
by
itself
a
cloud
native
project.
We
have
24
more
than
2400
queries,
which
is
the
most
extensive
in
in
the
category
of
industrial
infrastructure,
is
called
scanning
tools
and,
of
course,
it's
all
it's
all
open
source
and
you
can
use
it.
A
No
like
no
key
or
registration
is
needed
to
to
use
it.
You
can
use
the
the
docker
images
for
kicks
to
just
scan
your
project
or,
of
course,
build
it
from
source.
A
I'll
be
happy
to
take
questions.
If
you
have.
G
Yeah
I
I
have
a
quick
question,
so
I
I
have
never
used
kicks
so
I'm,
just
wondering
what
sort
of
integration
with
scorecard
you
have
in
mind.
Do
you
have
a
library?
Do
you
have
a
rest
API
like.
A
So
to
have
a
rest
API,
it
would
mean
we
need
to
to
provide
a
service
and
I.
Think
that
that's
not
the
goal,
although
we
can
provide
one
kicks
itself,
is
written
in,
go
it's
a
it's
a
self-contained
binary.
A
So
what
we
hope
for
is
to
scorecards
in
the
future
phases
to
actually
run
kicks
if
possible.
If
not.
First
check
the
use
kicks
to
to
check
the
existence
of
such
files.
We
can
of
course
make
sure
the
the
relevant
check
is,
is
Made
Easy
through
kicks,
or
if
the
code
needed
to
be
contributed
directly
to
scorecards,
that's
also
an
option
in
later
phrases.
We
would
hope
that
the
the
pro
the
scorecards
would
run
kicks
if
the
project
doesn't
does
so
by
itself.
A
If
the
project
does
so,
we
can
just
read
the
results.
The
project
would
save
I.
Think
the
goal
or
a
sub
goal
of
of
this
idea
is
to
encourage
projects
both
to
to
run
the
Security
check
themselves
and
also
save
the
results.
So
it
would
be
accessible
to
anyone
who
uses
the
project
raising
awareness
even
reading
the
the
GitHub
for
the
project
having
a
GitHub
action
that
actually
runs
the
security
check,
save
the
files
and
exposes
the
data
to
to
the
project
users.
A
Yeah
there's
already
a
GitHub
action,
I
led
it
to
the
slides
I
think
that's
a
good
point
which
I
missed.
It's
already
been
used
and
all
of
these
sorry
gitlab
uses
kicks
directly.
They
run
the
the
binary
while
the
two
other
projects
use
the
GitHub
action.
G
F
Hey
great
thanks
one
of
the
questions
that,
if
you
can
you
go
back
to
go
back
in
your
slide
to
phase
one
of
specifically
on
that,
yes
to
the
creepo
with
IAC
files,
and
you
specifically
mention
a
couple
of
things
in
this-
you
said:
hey,
there
are
IEC
files.
Developing
the
project
could
use
an
issue.
Project
could
produce
correct.
It's
just
trying
to
make
the
make
sure
the
industry.
F
How
are
you
able
to
identify
the
account
charts,
like
example,
I'm,
just
picking
examples
scorecard
being
consumer
of
the
home
chart
versus
scorecard
called
producing
hulksharp?
How
are
you
going
to
identify
two
differences
because
that's
going
to
be
because
that's
that's
the
goal
or
one
of
the
goals
to
make
sure
what
what
that
project
reduces.
What
how
are
you
able
to?
How
are
you
able
to
identify
those
separation
of
concerns.
A
First,
the
the
files
themselves
have
the
same
exact
same
format,
regardless
of
the
use
being
being
done
on
them.
What
we
see
in
a
lot
of
projects,
it's
it,
might
be
different
locations
inside
the
project
separating
the
the
name
of
the
directories.
In
other
cases,
a
lot
of
the
internal
infrastructure
usually
sits
on
a
different
repository,
some
cases,
even
less
common,
less,
not
always
less
public,
but
usually
not
the
the
main
Repository
but
you're
right.
A
If
they
put
everything
in
One
Directory,
it
would
be
a
little
bit
harder
to
to
separate
the
the
two
I
think.
The
best
way
is
to
ask
the
project
to
to
and
ignore
rules
for
the
files
which
are
not
relevant,
because
we
don't
want
to
score
them
based
on
things
which
are
internal
only.
A
Yes,
kicks
can
be
imported
into
into
whatever
go
program.
That's
not
a
problem,
that's
also
being
used
by
some
others.
F
Okay
and
your
end,
I'm
sorry
I'm,
jumping
the
gun,
I
see
your
face
to
recommendation
being
0.21.1.
F
Is
there
a
specific
reason
that
you
came
up
with
that
and
is
that
is
that?
Is
that
only
a
proposal,
or
are
you
open
to.
A
The
idea
to
separate
the
phases
is
to
first
give
project
more
time
to
to
change
and
not
to
get
to
a
phase
when
we
jump
from
no
check
about
infrastructures
code
to
scoring
them
lower
because
of
that
I
think
it's
also
good
to
to
give
that
process.
Sorry
to
do
that
process
more
gradually.
A
It
would
be
easier
for
projects
to
to
gather
awareness,
say:
oh
I
I'm,
probably
missing
a
check,
let's
edit,
and
have
time
to
process
the
results
instead
of
starting
with.
Oh,
my
grade
is
so
low.
Why
is
it
and
suddenly
they
have
to
do
everything
in
place?
My
guess
that
would
be
easier
if
you
guys
have
a
feeling
to
do
step
one
and
two
together,
I'm
all
for
it.
F
Because,
at
least
at
this
moment
we
don't
have
a
way
to
say,
add
a
new
check
and
without
having
any
scoring.
Probably
we've
got
to
change
the
code
for
that,
but
I'm
just
wondering
okay
sounds
good.
Thank
you.
So.
C
I
forgot:
did
you
still
have
a
question.
B
Yeah,
thanks
for
the
presentation,
I
think
it
was
pretty
to
the
point
yeah.
So,
like
my
question
was
about
there.
There
are
like
some
some
checks
that
Kix
has
for
for
a
supply
chain.
Security
issues
so
like
dependency
pending
and
you
know,
I
was
wondering
if
there's
any
like.
If
you
had
thought
about
any
integration
there
or
like
you,
have
any
recommendation
there
on
things
that
could
be
interesting
for
us
to
explore.
A
A
One
of
the
things
the
team
do
is
also
releasing
proof
concept
of
some
of
the
check.
Sorry,
some
of
the
checks
they
they
didn't
sorry,
some
of
the
checks
to
the
problems
they
noticed.
We
couldn't
incorporate
them
to
things
which
are
relevant
on
the
GitHub
repository
both
on
categories
like
if
the
project
might
have
a
type
confusion
or
could
be,
someone
could
hijack
the
name
of
the
project
because
it
was
renamed
in
the
past.
A
We
saw
that
some
projects
are
using
or
or
might
be
affected
by
a
pastor
rename
of
the
either
the
the
user
that
holds
the
the
project
repository
or
the
of
the
repository
name,
and
someone
can
re-register
the
old
name
and
by
that
hijack
some
of
the
references
we
actually
saw
a
few,
a
few
cases
of
that
which
is
things
which
relatively
easy
to
check
it's.
A
It's
might
be
a
dish,
a
nice
addition
to
scorecards
and,
of
course
we
can
go
over
the
the
other
tools,
the
the
team
released
and
see
how
we
can
integrate
it.
It's
not
necessarily
only
infrastructure
as
code,
but
I
think
that
would
be
a
nice
addition
regarding
supply
chain
security
with
infrastructures,
code
I
think
it
would
be
interesting
so
to
also
follow
on
the
containers
the
the
the
project
produces
and
make
sure
we
aware
what
are
the
official
images
and
in
a
lot
of
cases
it's
might
be
confusing.
A
Usually
when
I
talk
about
such
problems,
I
give
an
example
of
minio.
Whenever
you
search
for
a
minio
container,
you
find
a
big
number
of
results
on
whatever
search
you
do.
Would
it
be
Docker,
Hub
or
any
other
search
engine?
And
it's
not
always
clear,
which
is
the
official
Docker
image
of
the
project
and
what
is
something
other
vendors
create.
A
Some
of
the
big
vendors
and
I
think
it
would
be
interesting
to
tie
the
result
of
the
official
container
to
the
repository
making
sure
we
scored
also
based
on
that.
But
that
also
requires,
in
a
lot
of
cases,
a
tool
to
not
only
scan
the
infrastructure
that
creates
the
container.
That's
calendar
container
itself,
which
is
another
way
to
to
extend
scorecards,
but
tying
the
all
the
different
parts
of
the
artifacts
to
one
location
and
scanning.
All
of
them
might
be
quite
important
for
supply
chain
security.
B
A
F
A
We'll
be
more
than
happy
to
to
help
both
we
contributed.
Some
of
the
code
will,
of
course,
need
some
guidance
from
the
core
team.
Obviously
you
know
scorecard
better
than
newcomers.
Will
we
gladly
help
with
creating
of
those?
We
have
the
kicks
team
ready
and
willing
to
help.
F
I'm
going
to
speak
for
myself,
I'm
not
going
to
speak
for
the
interim
I
would
say
first
write
an
issue
as
how
and
what
and
then
people
can
also
read
through
it
then
do
asynchronously
instead
of
first
doing
a
VR.
That
would
be
my
tradition
to
like,
whatever
you
presented
right
now,
it'll
be
a
great
point
to
write
an
issue
talk
to
the
face.
Then
there
are
other
contributors,
everybody
who's,
not
in
the
call,
and
even
those
contributors
in
the
call
still
like
to
think
through
the
thought
process
and
move
forward
with
that.
A
Thank
you
very
much,
I
I
think
it
will
be
interesting
to
to
hear
the
the
thoughts
of
people
on
the
call,
let's
say
an
unofficial
goal
and
everyone
in
favor,
and
then
we
can
of
course,
move
the
discussion
to
a
GitHub
issue.
G
F
I
think
his
question
was
to
do:
does
anybody
object
or
reject
the
idea,
or
do
we
have,
and
at
least
a
buy-in
again
I'm,
not
speaking
for
I'm,
just
trying
to
summarize
what
he
mentioned?
Okay,.
G
Cool
yeah
I
I
can
speak
for
myself,
I
think
it's
interesting,
I
guess
the
the
devils
and
the
detail,
the
integration
part
is
I.
I
can
see
different
ways
we
can
integrate.
One
is
some
of
the
chicks
that
you
already
have
that
we
can
call
your
library
directly.
That
could
be
one.
The
other
one
is
to
improve
the
sust
check
that
we
have
and
have
more
categories
in
those
checks
like.
Is
it
the
language,
the
programming
language
static
analysis
tool?
Is
it
like
a
linter?
Is
it
a
supply
chain
thing?
G
Is
it
an
infrastructure
as
code
linter,
slash,
static
analysis,
and
then
we
could
also
say
you
know
if,
if
we
find
some
files
that
are
infrastructure
as
good,
it
would
be
great
for
you
as
a
project
to
have
to
use
a
GitHub
action
or
a
tool
to
to
run
checks,
and
then
kicks
could
be
one
of
those
actions
that
we
check
for
I
guess.
A
combination
of
those
would
also
be
possible.
C
Yeah
my
view
is
similar
to
laurent's,
where
I
think
it's
something
where,
if
you
have
infrastructure
as
code
checked
in
somewhere
to
your
repo,
it
makes
sense
to
be
using
a
scanner
and
I.
Think
a
lot
of
the
discussion
will
come
into
how
it
gets
integrated
into
scorecard,
whether
as
a
check
of
its
own
or
part
of
an
existing
check.
F
Adding
additional
checks
is
at
least
I'm
I'm
speaking
for
myself.
We
can
obviously
do
it.
I
would
rather
have
this
in
SAS
because
we
already
have
about
12
30
Jegs.
Unless
this
this
happened
to
be
a
large
category
all
by
itself,
just
picking
randomly
from
make
up
my
head
and
that's.
A
So
so
I
think
that
in
phase
one
putting
that
as
part
of
the
subject
make
complete
sense,
when
we
extend
to
phase
two
I'm,
not
too
worried
the
balance
to
where
it
would
evolve
to
create
a
different
category.
F
G
Yeah
in
the
issue,
if
you
could
also
list
the
sort
of
features
that
you
have,
because
not
everyone
is
aware
of
all
the
features
you
have
like.
You
know
supply
chain,
not
supply
chain,
and
let
me
call.
F
Okay,
and
also
like
again,
probably
we'll,
have
to
go
read
that
at
least
on
things
like
specifically
like
how
do
you
like
what
drug
I've
asked?
How
do
you
figure
out
the
pen
chart
like
because
that's
that's
according
to
every
repository,
how
do
you
make
sure
they're
pinned
on
what
it
is
and
how
are
you,
how
are
you
at
least
some
links
to
your
docs
so
that
we
can
read
through
and
understand
that
probably
great.
C
Yeah
I
think
thanks
again
Leo
for
presenting
thank
you
yeah.
If
you
could
make
sure
the
slide
deck
link
ends
up
in
the
agenda
notes.
That
would
be
helpful.
C
All
right
so
I
should
have
the
agenda
up
again.
So
Jeff
has
a
document
for
a
scorecard
ux
for
annotations.
C
H
Yeah
I'll
go
ahead,
so
I
think
this
shouldn't
be
a
surprise
to
anyone,
but
you
know:
we've
been
talking
about
scorecards
scorecard
being
used
in
multiple
ways
like
in
one
way
in
kind
of
the
first
paragraph
here
the
background
is
like
you
want
to
compare
two
different
projects
that
you
don't
own
in
that
case
as
as
by
Design
scorecard
is
opinionated
on
you
know
what
should
be
turned
on
what
should
be
turned
off.
What
what
correlates
to
what
score
that
way.
H
When
you
see
two
different
scores,
you
know
that
those
are
like
fairly
calculated
and
higher
score
on.
One
project
means
it's
more
secure,
essentially,
but
another
really
great
use
case
for
scorecard
and
the
one
that
we
recommend
with
the
get
of
action.
Etc
is
for
you
to
run
it
on
your
own
project.
H
In
this
case,
you
know,
yeah,
you
see
what
the
public
score
would
be
like
you,
if
your
if
your
Project's
a
five
and
you
run
scorecard,
and
you
get
a
five
right,
but
maybe
you
want
you
know
you,
don't
you
don't
care
about
some
of
the
checks
or
you
don't
care
about
some
of
the
findings,
and
you
want
to
continue
to
use
scorecard
as
a
tool
to
monitor
your
project
for
regressions
or
anything
else
like
that.
H
So
in
this
case
and
and
what
we've
seen
people
ask
when
we
ask
them
to
try
scorecard,
is
that
they
want
to
be
able
to
configure
the
checks
whether
that
means
ignores
particular
finding
or
ignore,
like
turn
off
a
portion
of
a
check
like
a
whole
rule
or
completely
disable
a
check,
and
just
give
me
like
the
score
without
that
check,
for
example.
H
So
in
this
document,
I
attempt
to
cover,
like
those
use
cases
that
that
I'm
describing
here
right
now
and
then
how
these
are
going
to
take
in
things
that
we're
going
to
call
annotations
and
configuration
so
yeah.
If
you
can
scroll
down
to
the
definitions
annotation,
there
is
a
like
a
comment
that
you
would
put
on
a
line
so,
for
example,
on
the
pin
dependency
check,
you
could
say
ignore
this
line.
H
This
I
know
this
is
an
unpin
dependency
but
I'm,
okay,
with
it
similar
thing
for
like
a
dangerous
workflow
or
something
like
that,
and
then
configuration
would
be
a
file,
not
an
annotation
via
file.
Let's
say
scorecard
yaml
where
you
put
settings
for
checks.
So,
for
example
like
in
the
binary
artifacts
check,
you
could
put
a
setting
to
ignore
a
particular
file
or
yeah.
You
can
scroll
down
to
the
configuration
there.
H
You
know
for
the
fuzzing
or
the
vulnerability
check.
You
might
say
like
ignore
this
vulnerability,
that's
being
found,
it's
it's
a
bogus.
H
So
therefore,
and
then
I
have
some
user
Journeys
here,
so
one
is
I
want
to
run
it
on
my
own
project,
so
I
would
want
scorecard,
then
to
take
into
account
these
configurations
that
I
set
in
my
own
project
in
that
scorecard
yaml
file
or
the
annotations.
So,
in
this
case,
I
want
I
want
scorecard
to
show
me
like
my
beautified
score.
That
is
all
the
things
I.
H
Don't
care
about,
removed,
same
thing
with
the
GitHub
action
you
would
kind
of
want
to
see
like
your
code,
scanning
alerts
in
GitHub
reflect
your
annotations
and
your
configuration,
but
we
still
need
to
support
the
other.
You
know
the
main
use
case
or
the
other
use
case
of
scorecard
today
as
I
want
to
run
it
against
somebody
else's
project.
So
we
need
to
have
the
right
chameleon
options
or
default
Behavior
to
ignore
config
and
annotations
these
things.
Might
you
might
not
trust
that
the
other
project
is
using
them
fairly?
H
You
know
somebody
could
just
set
their
config
to
turn
off
all
the
checks
that
they
don't
like
all
right
and
then
give
their
give
themselves
a
10
which
isn't
really
what
we
want.
So
we
need
to.
We
need
to
have
the
ability
to
see
to
see
what
the
these
the
raw
scores
or
the
score
without
the
the
config
and
similarly
All-Star
uses
scorecard
as
a
policy,
so
as
an
org
owner
you'll
want
to
run
scorecard
on
all
the
repos.
H
In
your
org
and
get
issues
for
those-
and
you
may
not
actually
trust
that
by
policy
like
your
your
individual
repos
in
your
org,
so
you
want
to
be
able
to
allow
or
disable
allow
or
not
allow
annotations
or
config
on
each
individual
check.
That's
run
on
all
the
repos
in
your
work,
so
one
thing
I'm
not
covering
here
on
my
pres
on
my
proposal
or
or
in
this
journey-
is:
what
are
we
going
to
show
online
or
in
the
readme
badge?
H
So
you
know
we
could
take
into
account
some
or
some
of
the
config
or
none
of
the
config
I.
Think
that's
a
that's
a
another
topic
that
we'll
cover
later.
H
So,
if
you
want
to
scroll
down,
I
have
a
chart
yeah
here
so
I'm,
trying
to
kind
of
cover
for
each
check
and
figure
out
what
would
be
the
annotation
or
config.
So
I
did
a
first
pass
on
all
the
all
the
checks.
So,
like
token
permissions,
you
know
you
would
have.
You
could
have
annotations
say,
ignore
this
line
where
I'm,
setting
this
token
permission
or
like
in
Branch
protection,
you
might
decide
I
want
to
allow
admin
override.
H
H
So
I
don't
have
the
the
definitions.
If
you,
if
you
scroll
down
on
the
dock
you'll
see
like
you,
know,
I'm,
not
proposing
the
exact
definitions
here,
I
think
that's
that's
can
be
worked
out
like
what
are
the
CL
option.
H
Cli
option
would
look
like:
what's
the
default
Behavior,
what's
the
actual
scorecard
enamel
definition,
I
wanted
to
get
some
feedback
and
see
if
this
is,
if
I'm
in
the
moving
in
the
right
direction,
for
how
scorecard
would
possibly
take
into
account
config
and
annotations
and
get
communities
get
get
some
buy-in
and
if
so,
then,
to
these
definitions
and
in
proposals
and
issues
on
the
on
the
repo
yeah.
H
So
hopefully,
that
covers
kind
of
like
where
I'm,
where
I'm
working
on
what
I'm
getting
started
on
and
and
then
I'll
get
this
into
an
issue
as
well,
so
that
we
can
get
comments.
You
can
comment
on
the
doc
or
comment
in
GitHub.
Naveen,
see
your
hand
up
perfect.
F
Amazing
no
questions
about
this
is
a
great
thing.
One
of
the
questions
that
I
had
is
sorry
I,
probably
didn't
read
through
the
entire
doc.
How
does
it
affect
the
like?
Like
the
specific
use
case,
will
it
will
it
report
both
the
scores?
If,
if
a
GitHub
action
is
like
with
scorecard
action
is
being
configured,
will
it
will
both
the
scores
be
recorded
on
the
API
or
what's
the
type
process
on
that.
H
Yeah,
so
for
the
GitHub
action,
the
only
kind
of
I
mean
I,
guess
in
the
log.
You
can
see
the
findings,
but
the
the
I
think
what
I'm
defining
here
in
the
user
journey
is
that
you
would
not
see
things
that
are
like
commented
out
in
your
code.
Scanning
alerts
for
the
CLI
I
think
it's
Up
For
Debate.
What
we
show
do
we
always
show
both.
Do
we
always
show
do
you
know
or
do
we
you
know
in
which
one
is
the
default?
F
So
on
that
question,
so
take
example:
if
I
depend
on
listen
to,
you
might
depend
on
all
All-Star
I
wanna
I
wanna
me
as
a
scorecard
user
depend
on
this.
Library
called
All-Star
and
I
want
to
keep
track
of
the
score
now.
All-Star
can
be
a
bad
act
or
add
these
additional
stuff
and
for
me
to
get
the
score
I
hit
the
scorecard
API
to
go,
get
the
score
and
all
of
a
sudden,
All-Star
score
turns.
H
Out
to
be
good,
so
right
so
again,
I
I'm
not
defining
that
here.
So
if
we
scroll
down
a
little
bit
for
like
what
I'm
not
defining
on
the
user,
Journey
Spencer
so
outside
the
scope
is
I
want
to
view
scorecard
scores
online
I
think
once
we
have
this,
you
know
we
have
the
ability
to
run
CLI
with
seeing
the
config
and
not
seeing
the
config.
Then
we
need
to
figure
out.
We
need
to
talk
about
answering
these
questions.
H
B
H
And
same
thing
with
that,
with
that
read
me
like:
what
do
we
show
there?
I
don't
know:
oh
right.
H
F
I'm
building
because
I'm
like
everybody's
trying
to
use
or
people
are
trying
to
use
scorecard
as
an
API.
They
want
to
trust
them,
and-
and
that's
one
thing-
that's
my
only
I
think
we
should
talk
about
that,
because
this
is
a
great
thing,
but
if
we
don't
decide
what
if
we
decide
either
way,
that
should
be
a
point
that
I
would
like
to
talk
about
just
to
make
sure
that
we
are
yeah
but
other
than
that.
It's
great
cool.
Thank
you.
F
Oh
sorry,
I
have
another
one
question:
I
also
saw
about
your
code
annotations
for
doing
that.
I'm
going
I
am
I'm
on
that,
specifically
the
code
annotations
being
from
parsing
code
and
and
also
picking
yaml
as
the
standard.
Those
are
implementation
details.
Have
you
gone
down
the
rabbit
hole
of
that
is
the
only
way
to
go
about
it.
Are
you
still
open
to
ideas
having
some
other
thought
process.
H
Yeah,
it's
certainly
open
to
ideas.
Okay,
just.
H
G
G
G
Maybe
you
can
just
we'll
be
able
to
provide
like
file
names,
so
people
can
just
click
on
it
and
and
see
why,
in
the
code
or
like
even
reports
like
the
intent
directly
in
the
scroll
up
results,
so
the
score
wouldn't
change,
but
we
would
give
a
the
opportunity
for
consumers
to
look
at
if
something
fails,
why
does
it
fail?
What's
the
reasoning
from
the
maintenance
point
of
view.
H
C
Yeah
I
was
just
going
to
say
that
people
have
expressed
in
the
past
having
this
sort
of
customizability.
Sorry
I
linked
an
issue
in
the
things,
basically
about
being
able
to
specify
custom
weights
or
ignoring
checks
completely
so
I
think
as
a
feature.
It
makes
sense,
but
reiterating
what
Naveen
and
Laurent
have
saying
just
keeping
the
API
unopinionated
and
or
if
we
do
have
an
opinion.
It's
our
own
scoring.
C
That
has
been
the
status
quo,
but
just
giving
people
the
ability
to
configure
it
for
their
own
uses
without
impacting
everyone
else
sounds
great.
H
Great
yeah
should
we
should
I
go
ahead,
and
just
you
know,
if
that's
if
that's
our
our
idea
here,
is
that
we
absolutely
don't
want
to
take
any
annotations
or
config
into
account
on
the
API
results.
H
Should
I
go
ahead
and
put
that
in
the
proposal
here
that
we're
going
to
essentially
just
we
would
ignore
it.
Foreign.
B
G
F
I
know
we
are
sorry,
I
I
know
we
are
running.
Probably
this
needs
again.
Probably
this
needs
for
30
minutes
of
discussion.
Can
we
take
all
this
for
the
next
call,
because
we've
got
amazing
great
ideas
in
this,
like.
F
C
Thanks
all
right,
thanks,
Jeff
all
right,
so
next
was
just
something
that
got
brought
up
through
a
issue
that
was
filed
where
a
repo
wasn't
getting
results
from
a
security
policy.
They
had
to
sign
or
defined
due
to
a
get
attributes
file,
which
essentially
says
when
I'm
exporting
my
repo
to
a
tarball.
What
do
I
want
to
ignore-
and
it
has
some
effects
on
how
scorecard
can
evaluate
a
repo
seeing
as
right
now,
the
code
downloads,
the
tarball
and
extracts
it.
C
So
anything,
that's
not
in
that
tarball
isn't
available
for
scorecards
analysis,
so
we've
previously
talked
about
go,
get
which
is
a
go
implementation
library
for
git,
so
one
alternative
would
be
downloading
or
cloning
a
repo
through
that
dependency,
so
I
know
Naveen
in
the
past
has
expressed
all
these
open
security
advisories,
but
the
code
is
constantly
at
least
over
the
last
few
weeks,
getting
improved.
So
all
those
advisories
have
been
resolved,
there's
still
no
issue
a
new
release
cut
but
I
think
evaluating
how
we
want
to
sort
of
tackle.
C
This
is
something
that
we
should
look
at
and
I
can
open
an
issue
to
discuss
this
just
keeping
an
eye
on
time
in
terms
of
this
meeting.
But
it
is
just
something
I
wanted
to
mention,
because
it
has
the
implications
of
like
a
repo
being
able
to
be
malicious
in
terms
of
what
they
hide
from
scorecard,
whether
that's
binary,
artifacts,
dangerous
workflows.
That
sort
of
thing.
F
Thanks
Spencer
Ortiz
on
that
specifically
I
saw
that
that
the
accepted
the
patch
for
lots
of
things
at
least
one
big
one
PR
to
solve
that
problem,
which
is
great
probably.
But
it's
a
good
thing
that
you're
keeping
track
of
things.
C: All right, so yeah, I'll follow up with an issue, so we can have an async discussion offline, but in the interest of time, Naveen, if you want to take next: scorecard release planning.
F: Yes. Okay, so we did... we added a bunch of new features, but we don't have a specific thing of when we want to cut a release, like not just going and doing... like cutting a release on GitHub, but, like, recently somebody is adding support for GitLab. All of these great things are coming up, and if we have a target date, like... the reason I'm specifically talking about this is one of the things like, Spencer, if you don't... like, you click on that specific PR, yeah.
F: I want to go work on the specific feature wherein it'll be great for scorecard action to be integrated into scorecard API to say, hey, if I'm depending on so many dependencies, how are the scores of the dependencies? So now it'll be nice if we as a group said, saying, you know what, Q1 we should release, and in this release we should put these things and try and target them. That is my thought process.
F: We don't have to do this synchronously; we can do this asynchronously, but I can start. I know Laurent had done this in the past, but can we pick it up and start doing that? Does anybody see that as an issue? I just want to bring this up.
F: The reason I'm saying is we're building these great features, but if we don't have a scheduled release date to say this is the date that we want to release these features in, and also come up with, hey, these are the new features that we built in, and have a grand release for people to know about these things, that would be a good thing. So what I'm trying to say is, can we pick, say, Q1, March, I'm just picking something. Is that... I wanna set some date.
G: I would say the release that works for you, and obviously we can help with the reviews. But if you're excited about it, I think just go for it, yeah, and then we can work out... like, it depends on your schedule, when you think that's kind of durable and we can have enough testing, and then we can have a cool blog post, because I think that's a very cool feature, right.
F: Doing that one... obviously, just doing that one feature... we are building other stuff in, but if we say, hey, by Q1, if you want to release scorecard, next action or scorecard, then do we want to prioritize work and decide, you know what, this would be a great feature to add? Like, I'm just speaking an example, if it's not the... Jeff, if what Jeff is working on, like, we can probably think of releasing everything together.
F: And I can take a stab, I can take a stab and say, hey, this release, and people can commit to it and we can go from there. Spencer.
C: Yeah, personally, I think it makes sense to, I guess, define priorities scorecard has, because, like, right now, if we were to look at what, like, a v5 version of scorecard might look like, there's a ton of little stuff, but I think it helps to have big driving features that might sort of mark the point when v4 turns into v5, and maybe that's the GitLab support that's being worked on, or something like this dependency diff.
F: Yep, I agree. I can start, and I can start. It can be before that... seven, I mean, on v5, like, I'm just being an example, so I can start saying, make release, and we can decide what the name is, but tell people... I think I'll also add something: we can do this asynchronously. Not... you know, asynchronously.
G: Yeah, there's also an issue in this... production about, for this to work, we have to enable pull requests. I enabled it for scorecard to see if anything breaks, yep. Right now, right now I see a lot of API rate limiting being hit with the GitHub token, and I wonder whether that's a side effect of running scorecards on every commit in a pull request, and I don't... I mean, we are very, like, API consuming, like we have so many, yes, recently, right. So not everyone is going to have that problem, but basically I started this to see, like, what kind of things we are already missing that might cause problems.
G: I haven't looked into it.
F: Yes. Absolutely. Again, I'm talking about that specifically. Even if you have this feature, not that everybody needs to enable this feature, but providing that option for people to enable that, like, I could be a small repo that I could run, and if I'm hitting rate limiting, I can decide what I want and what I don't want, again with the scorecard action.
F: If we configure this particular feature, or say just look at my API... look at scorecard's API, and just, I don't want you to run every other scorecard, but just the API results of my dependencies, would be a great thing to say, because I'm running... I'm flying blind right now. That would be a great addition. My two cents on that.
F: Makes sense, cool, okay, I'm going to work on this, just giving... there's probably going to be some PRs coming in.
I: Yeah, I just wanted to draw attention to it real quick. We could do the actual discussion in the issue itself, but I want to say, last month or the month before, I brought up the topic of scorecard scan between two releases, to see if it's something that you guys, the maintainers, would be interested in, some variant of it. Last time I brought it up, I think there was the, oh, the concept of releases isn't really there for scorecard, so there's...
I: Does it fit within your vision? And yeah, we don't have to actually do the discussion here, but I wanted to revive this issue, and if you could put down a comment in the issue of where your mind is at, and if there has been any difference in your opinion since commit depth has been completed, that would be really appreciated. Thanks, Spencer.
F: If you don't... like, any... scroll down a little bit on that issue, please. Probably, probably that's another tracking issue, not... there's probably another one. I think I thought Azeem commented on that. Carolyn, sorry, isn't commit depth that feature that recently got merged in? Wouldn't that help what you're looking for?
I: Yeah, it definitely helps, and I would say that, like, this work would be using the commit depth feature and the work done there, but this would be just a consumer-level change that you could, you know, put in the release A and release B and then get the results of the scan between those two releases, rather than having to do the math of, so we have this commit and, like, X commits back equals, like, release one to release two.
C: Yeah, I think between being able to specify a commit and commit depth, the issue of specifying a diff release is sort of just like a wrapper on top of it for a more user-friendly interface, is what I'm understanding, yep.
F: If I'm not wrong, I do remember Azeem mentioning this: scorecard looks at everything as commit SHAs, and releases... not a good job, or say... I think my memory is not great, at least on that, and that's one of the reasons scorecard reduces everything to be commits, and that was one of which I kind of agreed to that.
I: But yeah, I know we're over, so we don't have to make that decision right now. We can chat about it in the issue itself.
C: All right, thanks, Carolyn. All right, so that brings us to the end of our time. We're over a few minutes and agenda, so feel free to comment on these issues that we've discussed today, and then our next meeting, I think, is December 15th, where we're starting to get into some of the holiday