Add check for OSPS-DO-03: repo contains end-user documentation #232
Conversation
evankanderson
force-pushed
the
osps-do-03
branch
from
5c9ea6a to
dade4e1
Compare
| * A `README.md` file containing preformatted text (triple-backtick) or the headings | ||
| "usage" or "getting started" | ||
|
|
||
| For more information, see [OpenSSF Security Baseline](https://baseline.openssf.org/#osps-do-03). |
There was a problem hiding this comment.
The guidance is not meant to describe the rule type itself, but instead, to indicate what to do in case of failure. This should be moved to the description and we should tell the user what to do in case this fails.
There was a problem hiding this comment.
Does that apply to the last sentence, or the whole current guidance?
There was a problem hiding this comment.
This while guidance felt more like a description
There was a problem hiding this comment.
Does this read better?
| version: v1 | ||
| release_phase: alpha | ||
| type: rule-type | ||
| name: osps-do-03 |
There was a problem hiding this comment.
nit: we usually name rules with underscores, but, honestly, I like it more this way as well.
There was a problem hiding this comment.
note: we decided to move rule types related to OSPS under security-baseline/rule-type, I can move this after merge as part of the work I'm doing.
Co-authored-by: Michelangelo Mori <[email protected]>
This is a proposed implementation of https://baseline.openssf.org/#osps-do-03
Ideally, remediation would include creating or updating SECURITY-INSIGHTS.md, but we don't quite have those capabilities yet. I've included a sample of what we are able to do at the moment, but we'd want to be able to feed the set of discovered documentation locations into the documentation field in security-insights if not set.