prisma-risk / tsoracle / 26467434073
95%

Build:
DEFAULT BRANCH: main
Ran 26 May 2026 06:37PM UTC
Jobs 1
Files 88
Run time 1min
26 May 2026 06:31PM UTC coverage: 95.148%. Remained the same
Build 26467434073 · push · github · web-flow
chore(ci): harden OpenSSF scorecard signals (#502)

* chore(ci): harden OpenSSF scorecard signals

Drives Scorecard from 5.4 to ~8+ by closing the four checks at 0:

- Token-Permissions: add top-level `permissions: contents: read` to
  the four workflows that inherited the legacy permissive GITHUB_TOKEN
  (fuzz-nightly, fuzz-pr, leak-nightly, stress-nightly), and demote
  every write scope to the job that actually needs it (release-images
  `packages: write` on build-image/manifest/chart only;
  post-merge-followups `issues: write` on file-issues; the unused
  `pull-requests: write` is demoted to `read`).

- Security-Policy: add SECURITY.md documenting GitHub private
  advisory as the reporting channel, 24h ack / 30d disclosure SLA,
  and latest-0.x supported-versions policy.

- SAST: add CodeQL workflow for the Rust workspace (`security-extended`
  query suite, manual build mirroring CI's `cargo build --workspace
  --all-features --locked`) on every PR + push to main + weekly cron.

- Pinned-Dependencies: pin every `uses:` reference to a 40-char SHA
  (36 references across 10 workflows), consolidating
  `dtolnay/rust-toolchain@master|stable` onto one SHA with explicit
  `with: toolchain:` where the ref-name semantic was load-bearing;
  pin both `Dockerfile` FROMs to digests; add `docker`
  package-ecosystem to dependabot so the digest pins don't freeze.

Also fixes two pre-existing SC2086 shellcheck warnings on `exit \$EXIT`
in the fuzz workflows.

Remaining checks at 0 are structural and not addressable here:
Maintained (repo <90 days), Contributors (single org), Code-Review
(0/26 changesets had GitHub-reviewed approval), and CII-Best-Practices
(opt-in manual badge).

* fix(ci): remove duplicate CodeQL workflow

The workflow added in the previous commit was wrong on two counts:

1. CodeQL's Rust extractor does not support `build-mode: manual`. Rust
   analysis is extractor-based (parses sources directly via the
   rust-analyzer infrastructure) and o... (continued)

13296 of 13974 relevant lines covered (95.15%)

412930.32 hits per line

Jobs
ID  Job ID          Ran                      Files  Coverage
1   26467434073.1   26 May 2026 06:37PM UTC  88     95.15
GitHub Action Run
  • Github Actions Build #26467434073
  • e4007ab5 on github
  • Prev Build on main (#26466684638)
  • Next Build on main (#26467450040)
© 2026 Coveralls, Inc