Note that LGTM service is deprecated. (ossf#2339)

Signed-off-by: Bill Nottingham <notting@tidelift.com> Signed-off-by: Bill Nottingham <notting@tidelift.com>
raghavkaul · Feb 9, 2023 · 546da54 · 546da54
1 parent 129e0f0
commit 546da54
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -450,7 +450,7 @@ Name        | Description                               | Risk Level | Token Req
 [Maintained](docs/checks.md#maintained)                         | Is the project at least 90 days old, and maintained?                                                                                                                                                                                                                                                                                                   | High | PAT, GITHUB_TOKEN   |
 [Pinned-Dependencies](docs/checks.md#pinned-dependencies)       | Does the project declare and pin [dependencies](https://docs.github.com/en/free-pro-team@latest/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)?                                                                                                                     | Medium | PAT, GITHUB_TOKEN   |
 [Packaging](docs/checks.md#packaging)                           | Does the project build and publish official packages from CI/CD, e.g. [GitHub Publishing](https://docs.github.com/en/free-pro-team@latest/actions/guides/about-packaging-with-github-actions#workflows-for-publishing-packages) ?                                                                                            | Medium | PAT, GITHUB_TOKEN   |
-[SAST](docs/checks.md#sast)                                     | Does the project use static code analysis tools, e.g. [CodeQL](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions), [LGTM](https://lgtm.com), [SonarCloud](https://sonarcloud.io)? | Medium | PAT, GITHUB_TOKEN   |
+[SAST](docs/checks.md#sast)                                     | Does the project use static code analysis tools, e.g. [CodeQL](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions), [LGTM (deprecated)](https://lgtm.com), [SonarCloud](https://sonarcloud.io)? | Medium | PAT, GITHUB_TOKEN   |
 [Security-Policy](docs/checks.md#security-policy)               | Does the project contain a [security policy](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository)?                                                                                                                                          | Medium | PAT, GITHUB_TOKEN   |
 [Signed-Releases](docs/checks.md#signed-releases)               | Does the project cryptographically [sign releases](https://wiki.debian.org/Creating%20signed%20GitHub%20releases)?                                                                                                                                                                                                           | High | PAT, GITHUB_TOKEN   |
 [Token-Permissions](docs/checks.md#token-permissions)           | Does the project declare GitHub workflow tokens as [read only](https://docs.github.com/en/actions/reference/authentication-in-a-workflow)?                                                                                                                                                                                   | High | PAT, GITHUB_TOKEN   |

diff --git a/docs/checks.md b/docs/checks.md
@@ -496,10 +496,10 @@ tools can prevent known classes of bugs from being inadvertently introduced in t
 codebase.
 
 The checks currently looks for known Github apps such as
-[CodeQL](https://codeql.github.com/) (github-code-scanning),
-[LGTM](https://lgtm.com/) and
+[CodeQL](https://codeql.github.com/) (github-code-scanning) or
 [SonarCloud](https://sonarcloud.io/) in the recent (~30) merged PRs, or the use
-of "github/codeql-action" in a GitHub workflow.
+of "github/codeql-action" in a GitHub workflow. It also checks for the deprecated
+[LGTM](https://lgtm.com/) service until its forthcoming shutdown.
 
 Note: A project that fulfills this criterion with other tools may still receive
 a low score on this test. There are many ways to implement SAST, and it is

diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml
@@ -527,10 +527,10 @@ checks:
       codebase.
 
       The checks currently looks for known Github apps such as
-      [CodeQL](https://codeql.github.com/) (github-code-scanning),
-      [LGTM](https://lgtm.com/) and
+      [CodeQL](https://codeql.github.com/) (github-code-scanning) or
       [SonarCloud](https://sonarcloud.io/) in the recent (~30) merged PRs, or the use
-      of "github/codeql-action" in a GitHub workflow.
+      of "github/codeql-action" in a GitHub workflow. It also checks for the deprecated
+      [LGTM](https://lgtm.com/) service until its forthcoming shutdown.
 
       Note: A project that fulfills this criterion with other tools may still receive
       a low score on this test. There are many ways to implement SAST, and it is