Description
I am writing to inquire if you are the administrator of the UTBotJava repository. If so, I would like to share some recommendations from the Scorecard tool on how to improve the security properties of your repository.
Scorecard is an automated tool that assesses the security risks of open-source projects through a series of checks. These checks cover three main themes: comprehensive security practices, source code risk assessment, and build process risk assessment. You can use it to run checks on your own code or other projects and obtain scores and risk levels for each check. Each check is scored between 0 and 10, with higher scores indicating higher security levels for open-source software. The overall score is the weighted average of each check's score, also ranging from 0 to 10.
Our evaluation has identified several areas where UTBotJava could benefit from enhancements:
Token-Permissions: It is recommended that the token permissions setting in the workflows be limited to read-only access.
Branch-Protection: We suggest implementing the following measures:
Require at least one reviewer for approval before merging (administrators' requirements count twice)
Administrators should require pull requests prior to making any code changes
Administrators should ensure the target branch is up-to-date before merging
Administrators should require approval of the most recent reviewable push
Enabling Dependabot in the repository can provide witnesses to potential vulnerabilities.
Opening CodeQL for scanning may identify additional issues.
Signed Releases can add an extra layer of safeguard against malicious interference.
A clear Security Policy and process for gathering and addressing vulnerability reports would be beneficial.
Binary Artifacts present in the utbot-junit-contest/src/resources/projects directory may pose a risk.
We believe these improvements will enhance the overall security posture of the UTBotJava repository. Thank you for considering our recommendations.
Best regards,
zoupanpan
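As an added illustration of the Token-Permissions recommendation above (example configuration, not taken from the UTBotJava repository or from the Scorecard tool), the weak workflow setting is shown beside the corrected one; the two documents represent two alternative workflow files, and the workflow names, the Gradle invocation, the reporting job and its script are assumptions.

```yaml
# Weak: no top-level `permissions` block, so every job receives the
# repository's default GITHUB_TOKEN scopes, which can include write access
# to contents, packages and pull requests. A compromised step or a
# malicious dependency pulled in during the build inherits all of it.
name: ci-weak
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./gradlew build        # assumed build command
---
# Hardened: the token is read-only for the whole workflow
# (`permissions: read-all` would also satisfy the check); only the one job
# that genuinely needs to write is granted the single additional scope it
# requires, at the job level, so the build job cannot push or publish.
name: ci-hardened
on: [pull_request]
permissions:
  contents: read                    # actions/checkout needs only read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./gradlew build        # assumed build command
  report:                           # hypothetical job posting a PR comment
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write          # narrowest scope for commenting on a PR
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/post-test-summary.sh   # hypothetical script
```

Job-level `permissions` replace, rather than extend, the top-level block, so each job that needs more than read access must list every scope it uses.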