Increasing scorecard's score

[pavlofilatov1]

In my company we use scorecard to evaluate a security score of a nuget package. That score is considered during the security review. Current score of RabbitMQ .net client is 6.9. We would like to increase that score a bit. On our side we identified two potential topics where we can improve that score:

• token permissions - currently it is 0/10
• pinned dependencies currently there are no pinned dependencies so it is 0/10

While pinned dependencies is something that we can implement, the token permission topic is out of our control. We don't have permissions to manage tokens of course. Therefore I have a couple of questions:

• will owners/admins of the repo be interested in reviewing token permissions to increase that score?
• are pinned dependencies something that might be adopted by the repo? Or are there some objections for any reason?

[lukebakken]

will owners/admins of the repo be interested in reviewing token permissions to increase that score?

It looks like all that has to be done is to add the following to workflow yaml files:

permissions:
  contents: read

If so, feel free to open a PR.

are pinned dependencies something that might be adopted by the repo? Or are there some objections for any reason?

This project's policy is to use the version of the oldest supported dependency that has no security issues. If you search the issues and discussions here there already has been a lot of discussion on this topic.

[lukebakken]

#1880