BUG: Security policy at the organization level is not picked up #2552
I'm seeing this output here:
It's picking up the file, and scoring it a 9/10. The message in your SARIF output is talking about the missing 1/10 due to a heuristic introduced in #2195 which is looking for:
The easiest fix would be to tweak your security policy to satisfy the heuristic. For example:
The other option is to discuss relaxing/removing the heuristic, which was brought up in #2195, but was left in at the time.
Ah, that is indeed extra information that I missed when looking at the alert; because of the text rendering in the alerts, it's rather hidden at the bottom. That will be improved by #125, so that will definitely help. The rest was me not reading the whole text :-). Closing this, as it will be improved.
Describe the bug
Security policy at the organization level is not picked up. I have one on the org level here, but in my repository I have an alert that there is no security policy.
From the changes described in this PR I would expect that the org level setup would also be taken into account.
Expected behavior
The check should also validate the org level configuration.
Additional context
Using the ossf/scorecard-action for running the checks.
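The thread turns on where a security policy is looked up: in the repository itself, or, failing that, in the organization's `.github` community-health repository. The following Go snippet is an added illustration of that resolution order and is not Scorecard's own code; the `Repo` type, the in-memory repository map and the sample organization `acme` are constructed for the example. It searches the repository-local locations GitHub recognises (`SECURITY.md`, `.github/SECURITY.md`, `docs/SECURITY.md`, matched case-insensitively) before falling back to the org-level repository, which is the behaviour the issue expects the check to honour.

```go
package main

import (
	"fmt"
	"strings"
)

// Repo is a constructed in-memory stand-in for a GitHub repository: its full
// name ("org/name") and the set of file paths it contains.
type Repo struct {
	FullName string
	Files    map[string]bool
}

// policyPaths lists where GitHub looks for a repository-local security policy,
// in precedence order. Matching is case-insensitive (security.md also counts).
var policyPaths = []string{"SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md"}

// findFile returns the actual file name in repo that matches candidate
// case-insensitively, or "" when there is none.
func findFile(repo Repo, candidate string) string {
	for name := range repo.Files {
		if strings.EqualFold(name, candidate) {
			return name
		}
	}
	return ""
}

// FindSecurityPolicy resolves the security policy that applies to repo.
// It first searches the repository itself, then falls back to the
// organization's ".github" community-health repository (looked up in repos by
// full name). The result is "org/name:path" plus true when a policy is found.
func FindSecurityPolicy(repo Repo, repos map[string]Repo) (string, bool) {
	for _, p := range policyPaths {
		if name := findFile(repo, p); name != "" {
			return repo.FullName + ":" + name, true
		}
	}
	// Org-level fallback: <org>/.github holds community health files shared
	// by every repository in the organization that lacks its own.
	org := strings.SplitN(repo.FullName, "/", 2)[0]
	if orgRepo, ok := repos[org+"/.github"]; ok {
		for _, p := range policyPaths {
			if name := findFile(orgRepo, p); name != "" {
				return orgRepo.FullName + ":" + name, true
			}
		}
	}
	return "", false
}

// sampleRepos builds a constructed organization with an org-level policy,
// one repository without a policy and one with its own.
func sampleRepos() map[string]Repo {
	return map[string]Repo{
		"acme/.github": {FullName: "acme/.github", Files: map[string]bool{"SECURITY.md": true}},
		"acme/app":     {FullName: "acme/app", Files: map[string]bool{"README.md": true}},
		"acme/lib":     {FullName: "acme/lib", Files: map[string]bool{".github/security.md": true}},
	}
}

func main() {
	repos := sampleRepos()
	for _, name := range []string{"acme/app", "acme/lib"} {
		policy, ok := FindSecurityPolicy(repos[name], repos)
		fmt.Printf("%s -> %q (found=%v)\n", name, policy, ok)
	}
}
```

Running it shows `acme/app` resolving to the org-level `acme/.github:SECURITY.md` while `acme/lib` keeps its own `.github/security.md`; a repository whose organization has no `.github` repo and no local file yields no policy at all, which is the case a check should report.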