diff --git a/README.md b/README.md
index c5b886ca3ad7..b43d91cf1a68 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # OpenSSF Scorecard
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/ossf/scorecard/badge)](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard)
-[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/5621/badge)](https://bestpractices.coreinfrastructure.org/projects/5621)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/5621/badge)](https://www.bestpractices.dev/projects/5621)
 ![build](https://github.com/ossf/scorecard/workflows/build/badge.svg?branch=main)
 ![CodeQL](https://github.com/ossf/scorecard/workflows/CodeQL/badge.svg?branch=main)
 [![Go Reference](https://pkg.go.dev/badge/github.com/ossf/scorecard/v4.svg)](https://pkg.go.dev/github.com/ossf/scorecard/v4)
@@ -472,7 +472,7 @@ Name | Description | Risk Level | Token Req
 [Binary-Artifacts](docs/checks.md#binary-artifacts) | Is the project free of checked-in binaries? | High | PAT, GITHUB_TOKEN | Supported |
 [Branch-Protection](docs/checks.md#branch-protection) | Does the project use [Branch Protection](https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/about-protected-branches) ? | High | PAT (`repo` or `repo> public_repo`), GITHUB_TOKEN | Supported (see notes) | certain settings are only supported with a maintainer PAT
 [CI-Tests](docs/checks.md#ci-tests) | Does the project run tests in CI, e.g. [GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions), [Prow](https://github.com/kubernetes/test-infra/tree/master/prow)? | Low | PAT, GITHUB_TOKEN | Supported
-[CII-Best-Practices](docs/checks.md#cii-best-practices) | Has the project earned an [OpenSSF (formerly CII) Best Practices Badge](https://bestpractices.coreinfrastructure.org) at the passing, silver, or gold level? | Low | PAT, GITHUB_TOKEN | Validating |
+[CII-Best-Practices](docs/checks.md#cii-best-practices) | Has the project earned an [OpenSSF (formerly CII) Best Practices Badge](https://www.bestpractices.dev) at the passing, silver, or gold level? | Low | PAT, GITHUB_TOKEN | Validating |
 [Code-Review](docs/checks.md#code-review) | Does the project practice code review before code is merged? | High | PAT, GITHUB_TOKEN | Validating |
 [Contributors](docs/checks.md#contributors) | Does the project have contributors from at least two different organizations? | Low | PAT, GITHUB_TOKEN | Validating |
 [Dangerous-Workflow](docs/checks.md#dangerous-workflow) | Does the project avoid dangerous coding patterns in GitHub Action workflows? | Critical | PAT, GITHUB_TOKEN | Unsupported |
diff --git a/clients/cii_client.go b/clients/cii_client.go
index c0f407eeaf67..61f5bc969d38 100644
--- a/clients/cii_client.go
+++ b/clients/cii_client.go
@@ -34,7 +34,7 @@ const (
 )
 // BadgeLevel corresponds to CII-Best-Practices badge levels.
-// https://bestpractices.coreinfrastructure.org/en
+// https://www.bestpractices.dev/en
 type BadgeLevel uint
 // String returns a string value for BadgeLevel enum.
diff --git a/clients/cii_http_client.go b/clients/cii_http_client.go
index 3500f63d9d21..4de7532710e3 100644
--- a/clients/cii_http_client.go
+++ b/clients/cii_http_client.go
@@ -49,7 +49,7 @@ func (transport *expBackoffTransport) RoundTrip(req *http.Request) (*http.Respon
 // GetBadgeLevel implements CIIBestPracticesClient.GetBadgeLevel.
 func (client *httpClientCIIBestPractices) GetBadgeLevel(ctx context.Context, uri string) (BadgeLevel, error) {
 repoURI := fmt.Sprintf("https://%s", uri)
- url := fmt.Sprintf("https://bestpractices.coreinfrastructure.org/projects.json?url=%s", repoURI)
+ url := fmt.Sprintf("https://www.bestpractices.dev/projects.json?url=%s", repoURI)
 req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
 if err != nil {
 return Unknown, fmt.Errorf("error during http.NewRequestWithContext: %w", err)
diff --git a/cron/internal/cii/main.go b/cron/internal/cii/main.go
index 53cea8a3accf..fa8616606dac 100644
--- a/cron/internal/cii/main.go
+++ b/cron/internal/cii/main.go
@@ -29,7 +29,7 @@ import (
 "github.com/ossf/scorecard/v4/cron/data"
 )
-const ciiBaseURL = "https://bestpractices.coreinfrastructure.org/projects.json"
+const ciiBaseURL = "https://www.bestpractices.dev/projects.json"
 type ciiPageResp struct {
 RepoURL string `json:"repo_url"`
diff --git a/docs/checks.md b/docs/checks.md
index 8f7d5c026d06..ed52b0c96f33 100644
--- a/docs/checks.md
+++ b/docs/checks.md
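Review bot: The rewritten `url := fmt.Sprintf("https://www.bestpractices.dev/projects.json?url=%s", repoURI)` line in GetBadgeLevel still interpolates `uri` into the query string unescaped, so a value containing `&`, `#`, `?` or whitespace changes the request sent to the badge API instead of being looked up as the project's repo URL; swapping the host does not address this, and `uri` arrives from outside this function. Escape the parameter with `net/url` and rename the local so it no longer shadows that package: `endpoint := "https://www.bestpractices.dev/projects.json?url=" + url.QueryEscape(repoURI)` followed by `req, err := http.NewRequestWithContext(ctx, "GET", endpoint, nil)`. Whether `net/url` is already imported in this file is not visible from the hunk; if it is not, the import needs adding. GetBadgeLevel's body continues past the end of the hunk.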
@@ -165,17 +165,17 @@ If a project's system was not detected and you think it should be, please
 Risk: `Low` (possibly not following security best practices)
-This check determines whether the project has earned an [OpenSSF (formerly CII) Best Practices Badge](https://bestpractices.coreinfrastructure.org/) at the passing, silver, or gold level.
+This check determines whether the project has earned an [OpenSSF (formerly CII) Best Practices Badge](https://www.bestpractices.dev/) at the passing, silver, or gold level.
 The OpenSSF Best Practices badge indicates whether or not that the project uses a set of security-focused best development practices for open source software. The check uses the URL for the Git repo and the OpenSSF Best Practices badge API.
 The OpenSSF Best Practices badge has 3 tiers: passing, silver, and gold. We give
-full credit to projects that meet the [gold criteria](https://bestpractices.coreinfrastructure.org/criteria/2), which is a significant achievement for projects and requires multiple developers in the project.
+full credit to projects that meet the [gold criteria](https://www.bestpractices.dev/criteria/2), which is a significant achievement for projects and requires multiple developers in the project.
 Lower scores represent a project that has met the silver criteria, met the passing criteria, or is working to achieve the passing badge, with increasingly more points awarded as more criteria are met. Note that even meeting the passing criteria is a significant achievement.
-- [gold badge](https://bestpractices.coreinfrastructure.org/criteria/2): 10
-- [silver badge](https://bestpractices.coreinfrastructure.org/criteria/1): 7
-- [passing badge](https://bestpractices.coreinfrastructure.org/criteria/0): 5
+- [gold badge](https://www.bestpractices.dev/criteria/2): 10
+- [silver badge](https://www.bestpractices.dev/criteria/1): 7
+- [passing badge](https://www.bestpractices.dev/criteria/0): 5
 - in progress badge: 2
 Some of these criteria overlap with other Scorecard checks.
@@ -183,7 +183,7 @@ However, note that in those overlapping cases, Scorecard can only report what it
 **Remediation steps**
-- Sign up for the [OpenSSF Best Practices program](https://bestpractices.coreinfrastructure.org/).
+- Sign up for the [OpenSSF Best Practices program](https://www.bestpractices.dev/).
 ## Code-Review
diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml
index 6151c64f5166..2d2fd8891869 100644
--- a/docs/checks/internal/checks.yaml
+++ b/docs/checks/internal/checks.yaml
@@ -263,24 +263,24 @@ checks:
 description: |
 Risk: `Low` (possibly not following security best practices)
- This check determines whether the project has earned an [OpenSSF (formerly CII) Best Practices Badge](https://bestpractices.coreinfrastructure.org/) at the passing, silver, or gold level.
+ This check determines whether the project has earned an [OpenSSF (formerly CII) Best Practices Badge](https://www.bestpractices.dev/) at the passing, silver, or gold level.
 The OpenSSF Best Practices badge indicates whether or not that the project uses a set of security-focused best development practices for open source software. The check uses the URL for the Git repo and the OpenSSF Best Practices badge API.
 The OpenSSF Best Practices badge has 3 tiers: passing, silver, and gold. We give
- full credit to projects that meet the [gold criteria](https://bestpractices.coreinfrastructure.org/criteria/2), which is a significant achievement for projects and requires multiple developers in the project.
+ full credit to projects that meet the [gold criteria](https://www.bestpractices.dev/criteria/2), which is a significant achievement for projects and requires multiple developers in the project.
 Lower scores represent a project that has met the silver criteria, met the passing criteria, or is working to achieve the passing badge, with increasingly more points awarded as more criteria are met. Note that even meeting the passing criteria is a significant achievement.
- - [gold badge](https://bestpractices.coreinfrastructure.org/criteria/2): 10
- - [silver badge](https://bestpractices.coreinfrastructure.org/criteria/1): 7
- - [passing badge](https://bestpractices.coreinfrastructure.org/criteria/0): 5
+ - [gold badge](https://www.bestpractices.dev/criteria/2): 10
+ - [silver badge](https://www.bestpractices.dev/criteria/1): 7
+ - [passing badge](https://www.bestpractices.dev/criteria/0): 5
 - in progress badge: 2
 Some of these criteria overlap with other Scorecard checks.
However, note that in those overlapping cases, Scorecard can only report what it can automatically detect, while the OpenSSF Best Practices badge can report on claims and claim justifications from people (this counters false negatives and positives but has the challenge of requiring additional work from people). remediation: - >- - Sign up for the [OpenSSF Best Practices program](https://bestpractices.coreinfrastructure.org/). + Sign up for the [OpenSSF Best Practices program](https://www.bestpractices.dev/). Code-Review: risk: High tags: supply-chain, security, source-code, code-reviews