Does scorecard send info about my project somewhere? #3428
If I run scorecard on a private GitLab repo on a private GitLab server, does it send any information about my project elsewhere or will it just evaluate the project locally and share the results?
I wouldn't think so. We capture metrics in checker/check_runner.go but for basic CLI runs we don't set an exporter, so I don't think those go anywhere over a network. It's really just for metrics in the cron, which only scans public GitLab projects. In terms of side channel-y meanings of "send information," scorecard makes HTTP requests to the GitLab project's REST and GraphQL endpoints, from osv.dev (for the Vulnerabilities check) and from bestpractices.coreinfrastructure.org for the CII-Best-Practices check.