Bug: SAST is calculated incorrectly #1231
Scorecard does its analysis by downloading the repo's tarball. brotli uses a This is unfortunately a known issue (ossf/scorecard#2489 (comment)), and some of the alternatives (e.g
Thanks for pointing me to that. But for me it looks like a different problem.
My mistake, we recently changed how we look for the workflow file, so I had assumed that was it. In terms of detecting it on all commits, I see this when running Scorecard
The offending PRs seem to be empty PRs from Copybara:
For each of the last 30 commits, Scorecard looks at the associated PR and then the last commit in that PR to look for the SAST tool. So the current logic doesn't count direct pushes to main, but rather that a SAST tool is run on a PR before merging. There has been some discussion on that here ossf/scorecard#1580
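As an added illustration of the rule described in the comment above (this is example code written for this page, not Scorecard's or brotli's own code): a commit window is walked, commits with no associated PR are skipped, and each PR counts as "tested" only if the check runs on its last commit include a successful run from a SAST app. The struct names, the `github-code-scanning` app slug for CodeQL, and the sample history are assumptions made for the example; the real type and slug lists live in Scorecard.

```go
package main

import "fmt"

const commitWindow = 30 // Scorecard looks at the last 30 commits on the default branch

// CheckRun is a hypothetical, minimal model of a CI check run reported to GitHub.
type CheckRun struct {
	AppSlug    string // app that posted the run; assumed "github-code-scanning" for CodeQL
	Conclusion string // "success", "failure", "skipped", ...
}

// PullRequest models the PR a commit was merged through; CheckRuns are those on its last commit.
type PullRequest struct {
	Number    int
	CheckRuns []CheckRun
}

// Commit models one default-branch commit. PR is nil for a direct push with no associated PR.
type Commit struct {
	SHA string
	PR  *PullRequest
}

// sastApps is the (assumed) set of check-run app slugs treated as SAST tools.
var sastApps = map[string]bool{"github-code-scanning": true}

// SASTResult records what the check saw in the window.
type SASTResult struct {
	Merged   int   // commits that came in through a PR
	Tested   int   // of those, PRs whose last commit had a successful SAST check run
	Untested []int // PR numbers that dragged the score down
}

// EvaluateSAST applies the rule from the comment: for each commit in the window that has an
// associated PR, inspect the check runs on that PR's last commit for a successful SAST tool.
// Direct pushes are skipped entirely, so a SAST workflow that only runs on the main branch
// is never seen here, and a PR with no check runs at all (e.g. an empty bot PR) counts as untested.
func EvaluateSAST(commits []Commit) SASTResult {
	if len(commits) > commitWindow {
		commits = commits[:commitWindow]
	}
	var r SASTResult
	for _, c := range commits {
		if c.PR == nil {
			continue
		}
		r.Merged++
		tested := false
		for _, cr := range c.PR.CheckRuns {
			if cr.Conclusion == "success" && sastApps[cr.AppSlug] {
				tested = true
				break
			}
		}
		if tested {
			r.Tested++
		} else {
			r.Untested = append(r.Untested, c.PR.Number)
		}
	}
	return r
}

// Score scales the tested fraction to a 0..10 range; -1 means inconclusive
// (no PR-merged commits in the window).
func Score(r SASTResult) int {
	if r.Merged == 0 {
		return -1
	}
	return r.Tested * 10 / r.Merged
}

// SampleHistory is constructed data, newest first; it is not brotli's real history.
func SampleHistory() []Commit {
	codeql := []CheckRun{{AppSlug: "github-code-scanning", Conclusion: "success"}}
	return []Commit{
		{SHA: "a1", PR: &PullRequest{Number: 1201, CheckRuns: codeql}},
		{SHA: "a2", PR: &PullRequest{Number: 1202, CheckRuns: nil}}, // empty bot PR: no check runs
		{SHA: "a3", PR: nil},                                        // direct push: CodeQL may have run on the branch, but there is no PR to inspect
		{SHA: "a4", PR: &PullRequest{Number: 1204, CheckRuns: codeql}},
		{SHA: "a5", PR: &PullRequest{Number: 1205, CheckRuns: nil}},
		{SHA: "a6", PR: &PullRequest{Number: 1206, CheckRuns: codeql}},
	}
}

func main() {
	r := EvaluateSAST(SampleHistory())
	fmt.Printf("merged PRs: %d, with SAST: %d, score: %d/10, untested PRs: %v\n",
		r.Merged, r.Tested, Score(r), r.Untested)
}
```

With the constructed history the direct push is ignored, the two PRs without check runs pull the score down to 6/10, and their numbers are listed so a maintainer can see which merges were not covered.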
Context: https://github.com/google/brotli/security/code-scanning/4
Quick view on the actions panel reveals that the report is not true: https://github.com/google/brotli/actions/workflows/codeql.yml?query=branch%3Amaster