fix

checks/permissions.go

@@ -248,7 +248,7 @@ func calculateScore(result permissionCbData) int {
 	// Start with a perfect score.
 	score := float32(checker.MaxResultScore)
 
-	// If not top level permissions are defined...
+	// If no top level permissions are defined...
 	if permissionIsPresentInTopLevel(result, "all") {
 		switch permissionIsPresentInRunLevel(result, "all") {
 		case true:

docs/checks.md

@@ -330,6 +330,31 @@ is therefore not a definitive indication that the project is at risk.
 **Remediation steps**
 - Integrate the project with OSS-Fuzz by following the instructions [here](https://google.github.io/oss-fuzz/).
 
+## LicenseCheck 
+
+Risk: `Low` (possible impediment to security review)
+
+This check tries to determine if the project has published a license. It
+works by checking standard locations for a file named according to common
+conventions for licenses.
+
+A license can give users information about how the source code may or may
+not be used. The lack of a license will impede any kind of security review
+or audit and creates a legal risk for potential users.
+
+This check will detect files in the top-level directory with any combination
+of the following names and extensions:`LICENSE`, `LICENCE`, `COPYING`,
+`COPYRIGHT` and .html, .txt, .md. It will also detect these files in a
+directory named `LICENSES`. (Files in a `LICENSES` directory are typically
+named as their [SPDX](https://spdx.org/licenses/) license identifier followed
+by an appropriate file extension, as described in the [REUSE](https://reuse.software/spec/) Specification.)
+
+
+**Remediation steps**
+- Determine [which license](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/licensing-a-repository) to apply to your project.
+- Create the license in a .txt, .html, or .md file named LICENSE or COPYING, and place it in the top-level directory.
+- Alternately, create a `LICENSE` directory and add license files with a name that matches your [SPDX license identifier](https://spdx.dev/ids/).
+
 ## Maintained 
 
 Risk: `High` (possibly unpatched vulnerabilities)
@@ -547,6 +572,9 @@ yaml file are set as read-only at the
 [top level](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions)
 and the required write permissions are declared at the
 [run-level](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idpermissions).
+One point is reduced from the score if all jobs have their permissions defined but the top level permissions are not. The reasoning
+is that even though this configuration is secure, there is a chance that when a new job is added to the workflow,
+job permissions are not defined because of human error.
 
 The check cannot detect if the "read-only" GitHub permission setting is
 enabled, as there is no API available.   

docs/checks/internal/checks.yaml

@@ -632,9 +632,9 @@ checks:
       [top level](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions)
       and the required write permissions are declared at the
       [run-level](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idpermissions).
-      A score of 9 is awarded if all jobs have their permissions defined but the top level permissions are not. The reasoning
+      One point is reduced from the score if all jobs have their permissions defined but the top level permissions are not. The reasoning
       is that even though this configuration is secure, there is a chance that when a new job is added to the workflow,
-      permissions are not defined because of human error.
+      job permissions are not defined because of human error.
               
       The check cannot detect if the "read-only" GitHub permission setting is
       enabled, as there is no API available.