scorecard --local . --show-details --format json | jq .
{
"date": "2023-02-22",
"repo": {
"name": "file://.",
"commit": "unknown"
},
"scorecard": {
Naveen naveensrinivasan
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| FROM golang:1.23@sha256:60deed95d3888cc5e4d9ff8a10c54e5edc008c6ae3fba6187be6fb592e19e8c0 AS build | |
| WORKDIR /app | |
| # Build arguments for version info | |
| ARG OP_NODE_REPO=https://github.com/ethereum-optimism/optimism.git | |
| ARG OP_NODE_TAG=op-node/v1.14.1 | |
| ARG OP_NODE_COMMIT=c1081e3ad0004590435e3179e583cdfdbdd6bc61 | |
| RUN git clone $OP_NODE_REPO --branch $OP_NODE_TAG --single-branch . && \\ |
naveensrinivasan
/ asm.c
Last active
November 4, 2025 13:50
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "vmlinux.h" | |
| #include <bpf/bpf_helpers.h> | |
| #include <bpf/bpf_core_read.h> | |
| #define PATH_MAX 1024 | |
| struct path_key { | |
| char container_path[PATH_MAX]; // 1024 bytes | |
| char directory_path[PATH_MAX]; // 1024 bytes | |
| }; |
naveensrinivasan
/ gist:72ad68f78a6504a255a54a4cb81929bf
Created
May 17, 2025 00:50
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Securing the Node.js Supply Chain: A Practical Verification Approach | |
| ## The Problem | |
| Teams downloading Node.js binaries face a critical but often overlooked security vulnerability in their CI/CD pipelines. While checking file hashes (SHASUM) ensures integrity, this step alone doesn't guarantee authenticity—hackers can easily alter files and corresponding hashes if they compromise the distribution server. Without proper GPG verification, there's no guarantee that downloaded binaries truly originate from Node.js maintainers, potentially exposing your builds to malicious code. | |
| We've observed real-world incidents where compromised binaries bypassed security measures because teams neglected or disabled GPG verification, deeming traditional methods too cumbersome or disruptive, particularly during high-pressure releases. | |
| ## Why Traditional GPG Verification Fails in Modern CI/CD |
naveensrinivasan
/ test.go
Created
March 21, 2024 16:32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package packager | |
| import ( | |
| "reflect" | |
| "testing" | |
| "github.com/defenseunicorns/zarf/src/types" | |
| ) | |
| type generateValuesOverridesTestCase struct { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| hello I am Jeff Mendoza software engineer at kusari and welcome to the guacademy video series this is the first video in the series and I'm here to introduce you to guac guac is an open source project licensed with the Apache License it is a tool that helps you understand your software supply chain it stands for it stands for graph for understanding artifact composition it's sort of a database or graph that you add supporting tools to as part of the project and it collects data and insight on your supply chain and then you can use it for Discovery in that supply chain so you might ask how does a graph help with the these supply chain questions so we'll look at some diagrams to show you first we'll start with some s-bombs or software bill of materials these s-bombs cover a single service package or deliverable and then includes the other software pieces that are in that package so you can then load all of those s-bombs into guac and you can see that you have well a bunch of disparate graphs here with the root |
naveensrinivasan
/ metrics.go
Created
September 21, 2023 22:05
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ObserveHistogram - Name: http_request_duration_seconds, Value: 0.000007, Labels: [handler:HelloWorldHandler code:200] | |
| ObserveHistogram - Name: http_request_duration_seconds, Value: 0.000006, Labels: [handler:HelloWorldHandler code:200] | |
| ObserveHistogram - Name: http_request_duration_seconds, Value: 0.000003, Labels: [handler:HelloWorldHandler code:200] |
naveensrinivasan
/ scorecard-blogpost.md
Created
February 16, 2023 23:06
Naveen Srinivasan https://github.com/naveensrinivasan
Have you ever thought about how to ensure that the open source software you're using is secure? It's easy to spend more time researching restaurant reviews than evaluating the security of a new open source dependency, but the consequences of not doing so can be far more serious. Software supply chain attacks are becoming increasingly common, and attackers are targeting vulnerabilities in dependencies early in the supply chain to amplify the impact of their attacks.
Dependency security is in the spotlight, as evidenced by a 742% average annual increase in software supply chain attacks over the past three years. As a result, consumers of open source software need to be informed about the projects they rely on to safeguard their own projects against the next major supply chain attack. Is it safe to use the dependencies
naveensrinivasan
/ naveensrinivasan.md
Last active
May 1, 2023 17:24
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| WITH top_repos AS ( | |
| SELECT | |
| REGEXP_REPLACE(repo.url, '^https://', '') as repo_name | |
| FROM | |
| `openssf.criticality_score_cron.criticality-score-v0` | |
| WHERE | |
| collection_date = ( | |
| SELECT | |
| MAX(collection_date) | |
| FROM |
NewerOlder