📖 Fix documentation typos (ossf#3505)
* fix typo

Signed-off-by: omahs <[email protected]>

* fix typos

Signed-off-by: omahs <[email protected]>

* fix typo

Signed-off-by: omahs <[email protected]>

* fix typo

Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: omahs <[email protected]>

* fix typos

Signed-off-by: omahs <[email protected]>

---------

Signed-off-by: omahs <[email protected]>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
omahs authored and diogoteles08 committed Nov 13, 2023
1 parent 66e5843 commit d6275d3
Showing 4 changed files with 7 additions and 7 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -94,7 +94,7 @@ metrics. Prominent projects that use Scorecard include:

### View a Project's Score

To see scores for projects regually scanned by Scorecard, navigate to the webviewer, replacing the placeholder text with the platform, user/org, and repository name:
To see scores for projects regularly scanned by Scorecard, navigate to the webviewer, replacing the placeholder text with the platform, user/org, and repository name:
https://securityscorecards.dev/viewer/?uri=<github_or_gitlab>.com/<user_name_or_org>/<repository_name>.

For example:
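Review bot: the example URL in the context line below the fix uses angle-bracket placeholders (`<github_or_gitlab>`, `<user_name_or_org>`, `<repository_name>`); many Markdown renderers treat these as inline HTML and drop them, so the rendered README can end up showing a bare `https://securityscorecards.dev/viewer/?uri=.com//.`. Wrapping the whole URL in backticks, or switching to placeholders such as `PLATFORM`, `OWNER` and `REPO`, keeps them visible. The "regually" to "regularly" fix itself is correct.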
4 changes: 2 additions & 2 deletions docs/checks.md
Expand Up @@ -83,7 +83,7 @@ Different types of branch protection protect against different risks:

- requiring two or more reviewers protects even more from the insider risk
whereby a compromised contributor can be used by an attacker to LGTM
the attacker PR and inject a malicious code as if it was legitm.
the attacker PR and inject a malicious code as if it was legit.

- Prevent force push: prevents use of the `--force` command on public
branches, which overwrites code irrevocably. This protection prevents the
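Review bot: while this sentence is being touched, "inject a malicious code" should drop the article ("inject malicious code"), and "LGTM the attacker PR" reads better as "LGTM the attacker's PR". The identical sentence appears in docs/checks/internal/checks.yaml and is fixed the same way later in this commit, so any further wording change here has to be mirrored there to keep the two files in sync.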
Expand Down Expand Up @@ -330,7 +330,7 @@ low score is therefore not a definitive indication that the project is at risk.

**Remediation steps**
- Signup for automatic dependency updates with one of the previously listed dependency update tools and place the config file in the locations that are recommended by these tools. Due to https://github.com/dependabot/dependabot-core/issues/2804 Dependabot can be enabled for forks where security updates have ever been turned on so projects maintaining stable forks should evaluate whether this behavior is satisfactory before turning it on.
- Unlike Dependabot, Renovate bot has support to migrate dockerfiles' dependencies from version pinning to hash pinning via the [pinDigests setting](https://docs.renovatebot.com/configuration-options/#pindigests) without aditional manual effort.
- Unlike Dependabot, Renovate bot has support to migrate dockerfiles' dependencies from version pinning to hash pinning via the [pinDigests setting](https://docs.renovatebot.com/configuration-options/#pindigests) without additional manual effort.

## Fuzzing
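Review bot: the bare issue URL in the first remediation bullet (https://github.com/dependabot/dependabot-core/issues/2804) would be more readable as a Markdown link with a short description, matching the [pinDigests setting](https://docs.renovatebot.com/configuration-options/#pindigests) link on the line being fixed; "dockerfiles'" should also be capitalised as "Dockerfiles'". Separately, "Dependabot can be enabled for forks where security updates have ever been turned on" is hard to parse (is the intended meaning "can only be enabled"?); worth confirming the intended caveat with the author rather than guessing.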

4 changes: 2 additions & 2 deletions docs/checks/internal/checks.yaml
Expand Up @@ -87,7 +87,7 @@ checks:
- >-
Unlike Dependabot, Renovate bot has support to migrate dockerfiles' dependencies from version pinning to hash pinning
via the [pinDigests setting](https://docs.renovatebot.com/configuration-options/#pindigests) without
aditional manual effort.
additional manual effort.
Binary-Artifacts:
risk: High
tags: supply-chain, security, dependencies
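Review bot: the folded block scalar (`>-`) joins the wrapped lines with single spaces, so "without / additional manual effort." renders as one sentence, which is what is wanted here. Same capitalisation nit as in checks.md: "dockerfiles'" should be "Dockerfiles'".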
Expand Down Expand Up @@ -172,7 +172,7 @@ checks:
- requiring two or more reviewers protects even more from the insider risk
whereby a compromised contributor can be used by an attacker to LGTM
the attacker PR and inject a malicious code as if it was legitm.
the attacker PR and inject a malicious code as if it was legit.
- Prevent force push: prevents use of the `--force` command on public
branches, which overwrites code irrevocably. This protection prevents the
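Review bot: this mirrors the checks.md fix above, and the same nit applies ("inject malicious code" rather than "inject a malicious code", "the attacker's PR" rather than "the attacker PR"). Keeping checks.md and checks.yaml word-for-word identical is the important part, and this commit does that.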
4 changes: 2 additions & 2 deletions docs/faq.md
Expand Up @@ -43,7 +43,7 @@ Most code scanning tools are focused on detecting specific vulnerabilities alrea

### Wasn't this project called "Scorecards" (plural)?

Yes, kind of. The project was initially called "Security Scorecards" but that form wasn't used consistently. In particular, the repo was named "scorecard" and so was the program. Over time people started referring to either form (singular and plural) and the inconsitency became prevalent. To end this situation the decision was made to consolidate over the use of the singular form in keeping with the repo and program name, drop the "Security" part and use "OpenSSF" instead to ensure uniqueness. One should therefore refer to this project as "OpenSSF Scorecard" or "Scorecard" for short.
Yes, kind of. The project was initially called "Security Scorecards" but that form wasn't used consistently. In particular, the repo was named "scorecard" and so was the program. Over time people started referring to either form (singular and plural) and the inconsistency became prevalent. To end this situation the decision was made to consolidate over the use of the singular form in keeping with the repo and program name, drop the "Security" part and use "OpenSSF" instead to ensure uniqueness. One should therefore refer to this project as "OpenSSF Scorecard" or "Scorecard" for short.

## Check-specific Questions
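Review bot: "consolidate over the use of the singular form" is awkward; "consolidate on the singular form" says the same thing. The "inconsitency" to "inconsistency" fix is correct.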

Expand All @@ -55,7 +55,7 @@ While it isn't currently possible to allowlist such binaries, the Scorecard team

### Code-Review: Can it ignore bot commits?

This is quite a complex question. Right now, there is no way to do that. Here are some pros and cons on allowing users to set up an ignore-list for bots.
This is quite a complex question. Right now, there is no way to do that. Here are some pros and cons of allowing users to set up an ignore-list for bots.

- Pros: Some bots run very frequently; for some projects, reviewing every change is therefore not feasible or reasonable.
- Cons: Bots can be compromised (their credentials can be compromised, for example). Or if commits are not signed, an attacker could easily send a commit spoofing the bot. This means that a bot having unsupervised write access to the repository could be a security risk.
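Review bot: the Cons bullet packs two distinct risks into one line: compromised bot credentials, and spoofed commits when commits are not signed. Splitting it into two bullets (or at least two sentences without the leading "Or") would make the trade-off clearer for readers deciding whether a bot ignore-list is acceptable. The "on" to "of" fix on the introductory sentence is correct.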

0 comments on commit d6275d3