{"id":18508457,"url":"https://github.com/ossf/disclosure-check","last_synced_at":"2025-10-04T12:50:20.603Z","repository":{"id":173797055,"uuid":"647836812","full_name":"ossf/disclosure-check","owner":"ossf","description":"disclosure-check","archived":false,"fork":false,"pushed_at":"2024-06-24T18:55:48.000Z","size":257,"stargazers_count":3,"open_issues_count":16,"forks_count":0,"subscribers_count":15,"default_branch":"main","last_synced_at":"2024-11-06T15:14:23.421Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ossf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-05-31T16:12:01.000Z","updated_at":"2024-07-13T05:54:45.000Z","dependencies_parsed_at":null,"dependency_job_id":"b6ee361e-7b2d-4358-a650-3dbae75ce284","html_url":"https://github.com/ossf/disclosure-check","commit_stats":null,"previous_names":["ossf/disclosure-check"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fdisclosure-check","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fdisclosure-check/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fdisclosure-check/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fdisclosure-check/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ossf","download_url":"https://codeload.github.com/ossf/disclosure
-check/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":231278795,"owners_count":18351930,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T15:14:25.465Z","updated_at":"2025-10-04T12:50:15.546Z","avatar_url":"https://github.com/ossf.png","language":"Python","funding_links":["https://tidelift.com","https://tidelift.com/docs/security"],"categories":[],"sub_categories":[],"readme":"[![Scorecard supply-chain security](https://github.com/ossf/disclosure-check/actions/workflows/scorecards.yml/badge.svg)](https://github.com/ossf/disclosure-check/actions/workflows/scorecards.yml)\n![PyPI](https://img.shields.io/pypi/v/disclosurecheck)\n\n# Disclosure Check\n\nDisclosure Check is a tool for identifying vulnerability disclosure mechanisms for open source projects.\n\n![disclosure-check](https://user-images.githubusercontent.com/732166/236118411-f69f85cf-d10a-45a7-b4cf-e9c6b4171788.gif)\n\n\u003e **Warning**\n\u003e This project is still in development and may not work correctly for many different projects. If you encounter a bug,\n\u003e please open an issue and we'll try our best to address it. Pull requests welcome!\n\n## Why the tool is needed\n\nMost open source projects use a public issue tracker for inbound requests, bug reports, etc. Since a public tracker is inappropriate\nfor reporting new vulnerabilities, many projects have other mechanisms for users to submit sensitive reports.\n\nUnfortunately, there is no widely-used, machine-readable way to discover this for a given project. 
Instead, a human might\nneed to look for a SECURITY.md file (and read through it), review a README.md, check to see if a private vulnerability\nreporting mechanism is available through the source repository, check to see if an e-mail address is associated with the\npublished package, etc.\n\nThis is time-consuming for one project, and far more so when done at scale.\n\nThe purpose of Disclosure Check is to automate what a human would do when trying to discover the best way to report\na vulnerability to a project. Its use is orthogonal to the goal of more standardized reporting mechanisms; if and when\nthe latter becomes a reality, this tool will no longer be useful.\n\n## Installation\n\n### Requirements\n\nDisclosure Check is available through PyPI and as a Docker image on the GitHub Container Registry. If you install through PyPI, you'll also need to install\n[OSS Gadget](https://github.com/Microsoft/OSSGadget), which is needed to download the package contents for analysis.\nEnsure that `oss-download` is in your PATH.\n\nYou'll also need a GitHub token to allow Disclosure Check to use the GitHub API for things like code search. 
The tool reads it from the `GITHUB_TOKEN` environment variable (see the Docker example below). The\ntoken does not require any special permissions, and the tool will run without it, albeit with degraded functionality.\n\n### PyPI\n\n#### Installing OSS Gadget\n\nRefer to the [OSS Gadget](https://github.com/Microsoft/OSSGadget) page for up-to-date installation instructions.\n\nYou can then install Disclosure Check from PyPI:\n\n```\npip install disclosurecheck\n```\n\nYou should always install packages like this in a virtual environment, since installation will pull in other dependencies.\n\n### Docker\n\nYou can pull the latest Docker image from the GitHub Container Registry:\n\n```\ndocker pull ghcr.io/scovetta/disclosurecheck:latest\n```\n\n## Usage\n\nTo run Disclosure Check:\n\n```\ndisclosurecheck --help\n\nusage: OpenSSF Vulnerability Disclosure Mechanism Detector [-h] [--verbose] [--json] package_url\n\npositional arguments:\n  package_url  Package URL for the project/package you want to analyze.\n\noptions:\n  -h, --help   show this help message and exit\n  --verbose    Show extra logging.\n  --json       Output as JSON.\n```\n\nOr if you're using the Docker image:\n\n```\ndocker run -e GITHUB_TOKEN=\u003cYOUR GITHUB TOKEN\u003e --rm -t ghcr.io/scovetta/disclosurecheck:latest pkg:npm/left-pad\n```\n\n## How it Works\n\nDisclosure Check works by looking for contact information (email, URLs, etc.) 
in the following places:\n- [x] Project metadata (using [libraries.io](https://libraries.io))\n- [x] Package contents (certain files like SECURITY.md, README.md, etc.)\n- [x] GitHub repository (via code search in certain files like SECURITY.md, including org-level \".github\" repositories)\n- [x] GitHub Private Vulnerability Reporting\n- [x] Coverage by [Tidelift](https://tidelift.com/docs/security)\n- [x] The [Internet Bug Bounty](https://www.hackerone.com/internet-bug-bounty)\n- [x] [Security Insights](https://github.com/ossf/security-insights-spec)\n- [x] Generic reporting mechanisms like [Snyk](https://snyk.io/vulnerability-disclosure/), [CERT](https://www.kb.cert.org/vuls/report/), and [GitHub Security Lab](https://securitylab.github.com/).\n- [x] Project-specific overrides for cases where we know the right reporting mechanism, but the information isn't visible to anything the tool could find.\n\nThe tool scores each mechanism it finds by priority, with 0 being the highest priority and 100 the lowest, so the best-ranked entry is the one a reporter should try first.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fossf%2Fdisclosure-check","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fossf%2Fdisclosure-check","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fossf%2Fdisclosure-check/lists"}
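The "How it Works" section above describes scanning package contents such as SECURITY.md and README.md for contact details and ranking them by priority. The following is an added example, not disclosure-check's own code, that shows the shape of that step in Python: it extracts e-mail addresses and URLs from two constructed files, treats a link to a repository's advisory form as GitHub Private Vulnerability Reporting, de-duplicates a contact that appears in both files while keeping its best priority, and falls back to the generic channels the README names when a project exposes nothing of its own. The priority weights, the `example-org/widget` project, and the sample file contents are all assumptions made for illustration; the real tool's scoring table is not on this page.

```python
"""Added example (not disclosure-check's own code): a minimal version of the
README's 'How it Works' step for package contents. Scans constructed
SECURITY.md / README.md text for e-mail addresses and URLs, tags each hit
with the file it came from, assigns an assumed priority (0 = highest,
100 = lowest; the real tool's weights are not published on the page),
de-duplicates across files keeping the best priority, and falls back to a
generic reporting channel when a project exposes nothing of its own."""
import json
import re
from dataclasses import asdict, dataclass

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s)>\]\"']+")

# Assumed priorities, lower is better. Hypothetical; not the project's table.
PRIORITY = {
    "github_pvr": 0,          # GitHub Private Vulnerability Reporting form
    "security_md_email": 10,
    "security_md_url": 15,
    "readme_email": 40,
    "readme_url": 45,
    "generic_fallback": 90,   # Snyk / CERT style catch-all channels
}

# Generic channels named in the README; used only when nothing better exists.
GENERIC_FALLBACKS = [
    ("Snyk", "https://snyk.io/vulnerability-disclosure/"),
    ("CERT", "https://www.kb.cert.org/vuls/report/"),
]


@dataclass(frozen=True)
class Contact:
    kind: str      # "email", "url" or "github_pvr"
    value: str
    source: str    # file name, or "generic:<name>" for a fallback
    priority: int


def extract_contacts(filename, text):
    """Return every contact mechanism found in one file's text."""
    base = "security_md" if filename.lower() == "security.md" else "readme"
    found = []
    for email in EMAIL_RE.findall(text):
        found.append(Contact("email", email, filename, PRIORITY[f"{base}_email"]))
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;")  # drop sentence punctuation glued to the URL
        # A link to the repository's advisory form is treated as GitHub
        # Private Vulnerability Reporting, the best-ranked mechanism here.
        if "/security/advisories" in url:
            found.append(Contact("github_pvr", url, filename, PRIORITY["github_pvr"]))
        else:
            found.append(Contact("url", url, filename, PRIORITY[f"{base}_url"]))
    return found


def rank_contacts(files):
    """files maps file name -> text. Returns contacts best-first, with a
    generic fallback when the project exposes no mechanism of its own."""
    best = {}
    for name, text in files.items():
        for c in extract_contacts(name, text):
            key = (c.kind, c.value.lower())
            if key not in best or c.priority < best[key].priority:
                best[key] = c  # same address in two files: keep the better one
    ranked = sorted(best.values(), key=lambda c: (c.priority, c.value))
    if not ranked:
        ranked = [Contact("url", url, f"generic:{name}", PRIORITY["generic_fallback"])
                  for name, url in GENERIC_FALLBACKS]
    return ranked


def to_json(ranked):
    """Render the ranked list the way a --json style report would."""
    return json.dumps([asdict(c) for c in ranked], indent=2)


# Constructed sample inputs; example-org/widget is a hypothetical project.
SAMPLE_FILES = {
    "SECURITY.md": (
        "# Security Policy\n\n"
        "Please report vulnerabilities privately via\n"
        "https://github.com/example-org/widget/security/advisories/new\n"
        "or e-mail security@example.org. Do not open public issues.\n"
    ),
    "README.md": (
        "# widget\n\n"
        "Questions: maintainer@example.org. Docs: https://widget.example.org/docs.\n"
        "Security reports: security@example.org\n"
    ),
}

if __name__ == "__main__":
    print(to_json(rank_contacts(SAMPLE_FILES)))
```

Running the block ranks the advisory-form link first (priority 0), then `security@example.org` attributed to SECURITY.md rather than the README because the lower priority wins on de-duplication, then the README-only e-mail and documentation URL. A project with no contacts at all gets only the generic channels at priority 90, which is the behaviour the README's "generic reporting mechanisms" bullet describes.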