Skip to content

Commit

Permalink
📖 Update bestpractices links (#3448)
Browse files Browse the repository at this point in the history
Signed-off-by: Fred Gan <[email protected]>
  • Loading branch information
fredgan authored Sep 12, 2023
1 parent ac6ea11 commit 146f0eb
Show file tree
Hide file tree
Showing 6 changed files with 17 additions and 17 deletions.
4 changes: 2 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# OpenSSF Scorecard

[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/ossf/scorecard/badge)](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard)
[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/5621/badge)](https://bestpractices.coreinfrastructure.org/projects/5621)
[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/5621/badge)](https://www.bestpractices.dev/projects/5621)
![build](https://github.com/ossf/scorecard/workflows/build/badge.svg?branch=main)
![CodeQL](https://github.com/ossf/scorecard/workflows/CodeQL/badge.svg?branch=main)
[![Go Reference](https://pkg.go.dev/badge/github.com/ossf/scorecard/v4.svg)](https://pkg.go.dev/github.com/ossf/scorecard/v4)
Expand Down Expand Up @@ -472,7 +472,7 @@ Name | Description | Risk Level | Token Req
[Binary-Artifacts](docs/checks.md#binary-artifacts) | Is the project free of checked-in binaries? | High | PAT, GITHUB_TOKEN | Supported |
[Branch-Protection](docs/checks.md#branch-protection) | Does the project use [Branch Protection](https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/about-protected-branches) ? | High | PAT (`repo` or `repo> public_repo`), GITHUB_TOKEN | Supported (see notes) | certain settings are only supported with a maintainer PAT
[CI-Tests](docs/checks.md#ci-tests) | Does the project run tests in CI, e.g. [GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions), [Prow](https://github.com/kubernetes/test-infra/tree/master/prow)? | Low | PAT, GITHUB_TOKEN | Supported
[CII-Best-Practices](docs/checks.md#cii-best-practices) | Has the project earned an [OpenSSF (formerly CII) Best Practices Badge](https://bestpractices.coreinfrastructure.org) at the passing, silver, or gold level? | Low | PAT, GITHUB_TOKEN | Validating |
[CII-Best-Practices](docs/checks.md#cii-best-practices) | Has the project earned an [OpenSSF (formerly CII) Best Practices Badge](https://www.bestpractices.dev) at the passing, silver, or gold level? | Low | PAT, GITHUB_TOKEN | Validating |
[Code-Review](docs/checks.md#code-review) | Does the project practice code review before code is merged? | High | PAT, GITHUB_TOKEN | Validating |
[Contributors](docs/checks.md#contributors) | Does the project have contributors from at least two different organizations? | Low | PAT, GITHUB_TOKEN | Validating |
[Dangerous-Workflow](docs/checks.md#dangerous-workflow) | Does the project avoid dangerous coding patterns in GitHub Action workflows? | Critical | PAT, GITHUB_TOKEN | Unsupported |
Expand Down
2 changes: 1 addition & 1 deletion clients/cii_client.go
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ const (
)

// BadgeLevel corresponds to CII-Best-Practices badge levels.
// https://bestpractices.coreinfrastructure.org/en
// https://www.bestpractices.dev/en
type BadgeLevel uint

// String returns a string value for BadgeLevel enum.
Expand Down
2 changes: 1 addition & 1 deletion clients/cii_http_client.go
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ func (transport *expBackoffTransport) RoundTrip(req *http.Request) (*http.Respon
// GetBadgeLevel implements CIIBestPracticesClient.GetBadgeLevel.
func (client *httpClientCIIBestPractices) GetBadgeLevel(ctx context.Context, uri string) (BadgeLevel, error) {
repoURI := fmt.Sprintf("https://%s", uri)
url := fmt.Sprintf("https://bestpractices.coreinfrastructure.org/projects.json?url=%s", repoURI)
url := fmt.Sprintf("https://www.bestpractices.dev/projects.json?url=%s", repoURI)
req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
if err != nil {
return Unknown, fmt.Errorf("error during http.NewRequestWithContext: %w", err)
Expand Down
2 changes: 1 addition & 1 deletion cron/internal/cii/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ import (
"github.com/ossf/scorecard/v4/cron/data"
)

const ciiBaseURL = "https://bestpractices.coreinfrastructure.org/projects.json"
const ciiBaseURL = "https://www.bestpractices.dev/projects.json"

type ciiPageResp struct {
RepoURL string `json:"repo_url"`
Expand Down
12 changes: 6 additions & 6 deletions docs/checks.md
Original file line number Diff line number Diff line change
Expand Up @@ -165,25 +165,25 @@ If a project's system was not detected and you think it should be, please

Risk: `Low` (possibly not following security best practices)

This check determines whether the project has earned an [OpenSSF (formerly CII) Best Practices Badge](https://bestpractices.coreinfrastructure.org/) at the passing, silver, or gold level.
This check determines whether the project has earned an [OpenSSF (formerly CII) Best Practices Badge](https://www.bestpractices.dev/) at the passing, silver, or gold level.
The OpenSSF Best Practices badge indicates whether or not that the project uses a set of security-focused best development practices for open
source software. The check uses the URL for the Git repo and the OpenSSF Best Practices badge API.

The OpenSSF Best Practices badge has 3 tiers: passing, silver, and gold. We give
full credit to projects that meet the [gold criteria](https://bestpractices.coreinfrastructure.org/criteria/2), which is a significant achievement for projects and requires multiple developers in the project.
full credit to projects that meet the [gold criteria](https://www.bestpractices.dev/criteria/2), which is a significant achievement for projects and requires multiple developers in the project.
Lower scores represent a project that has met the silver criteria, met the passing criteria, or is working to achieve the passing badge, with increasingly more points awarded as more criteria are met. Note that even meeting the passing criteria is a significant achievement.

- [gold badge](https://bestpractices.coreinfrastructure.org/criteria/2): 10
- [silver badge](https://bestpractices.coreinfrastructure.org/criteria/1): 7
- [passing badge](https://bestpractices.coreinfrastructure.org/criteria/0): 5
- [gold badge](https://www.bestpractices.dev/criteria/2): 10
- [silver badge](https://www.bestpractices.dev/criteria/1): 7
- [passing badge](https://www.bestpractices.dev/criteria/0): 5
- in progress badge: 2

Some of these criteria overlap with other Scorecard checks.
However, note that in those overlapping cases, Scorecard can only report what it can automatically detect, while the OpenSSF Best Practices badge can report on claims and claim justifications from people (this counters false negatives and positives but has the challenge of requiring additional work from people).


**Remediation steps**
- Sign up for the [OpenSSF Best Practices program](https://bestpractices.coreinfrastructure.org/).
- Sign up for the [OpenSSF Best Practices program](https://www.bestpractices.dev/).

## Code-Review

Expand Down
12 changes: 6 additions & 6 deletions docs/checks/internal/checks.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -263,24 +263,24 @@ checks:
description: |
Risk: `Low` (possibly not following security best practices)
This check determines whether the project has earned an [OpenSSF (formerly CII) Best Practices Badge](https://bestpractices.coreinfrastructure.org/) at the passing, silver, or gold level.
This check determines whether the project has earned an [OpenSSF (formerly CII) Best Practices Badge](https://www.bestpractices.dev/) at the passing, silver, or gold level.
The OpenSSF Best Practices badge indicates whether or not that the project uses a set of security-focused best development practices for open
source software. The check uses the URL for the Git repo and the OpenSSF Best Practices badge API.
The OpenSSF Best Practices badge has 3 tiers: passing, silver, and gold. We give
full credit to projects that meet the [gold criteria](https://bestpractices.coreinfrastructure.org/criteria/2), which is a significant achievement for projects and requires multiple developers in the project.
full credit to projects that meet the [gold criteria](https://www.bestpractices.dev/criteria/2), which is a significant achievement for projects and requires multiple developers in the project.
Lower scores represent a project that has met the silver criteria, met the passing criteria, or is working to achieve the passing badge, with increasingly more points awarded as more criteria are met. Note that even meeting the passing criteria is a significant achievement.
- [gold badge](https://bestpractices.coreinfrastructure.org/criteria/2): 10
- [silver badge](https://bestpractices.coreinfrastructure.org/criteria/1): 7
- [passing badge](https://bestpractices.coreinfrastructure.org/criteria/0): 5
- [gold badge](https://www.bestpractices.dev/criteria/2): 10
- [silver badge](https://www.bestpractices.dev/criteria/1): 7
- [passing badge](https://www.bestpractices.dev/criteria/0): 5
- in progress badge: 2
Some of these criteria overlap with other Scorecard checks.
However, note that in those overlapping cases, Scorecard can only report what it can automatically detect, while the OpenSSF Best Practices badge can report on claims and claim justifications from people (this counters false negatives and positives but has the challenge of requiring additional work from people).
remediation:
- >-
Sign up for the [OpenSSF Best Practices program](https://bestpractices.coreinfrastructure.org/).
Sign up for the [OpenSSF Best Practices program](https://www.bestpractices.dev/).
Code-Review:
risk: High
tags: supply-chain, security, source-code, code-reviews
Expand Down

0 comments on commit 146f0eb

Please sign in to comment.