OSSF-Scorecard: OpenSSF Scorecard metrics

Source Document: https://github.com/ossf/scorecard/blob/main/docs/checks.md

OSSF-Scorecard - P-SSCRM mapping

Scorecard check(s)                              P-SSCRM task
----------------------------------------------  ---------------------------------------------
signed-release, licenses                        P.1.2 Software release integrity
binary-artifacts, contributors, maintained      P.3.1 Component and container choice
code-review                                     P.4.1 Security code review
sast, fuzzing                                   P.4.2 Automated security scanning tools
ci-tests                                        P.4.4 Executable security testing
dependency-update-tool                          P.5.2 Dependency update
branch-protection                               E.1.5 Branch protection
pinned-dependencies                             E.2.2 Verify dependencies and environment
dangerous-workflow, token-permissions,          E.2.4 CI/CD hosting and automation
pinned-dependencies
packaging                                       E.2.7 Build output
vulnerabilities                                 D.1.2 Risk-based vulnerability remediation
security-policy                                 D.1.3 Vulnerability disclosure