No Binary Artifacts
ID: openssf_scorecard/binary_artifacts
Severity: critical
Category:
Levels:
Optional: false
Tags: security, supply-chain
Description
Is the project free of checked-in binaries?
The project should not have generated executable (binary) artifacts in the source repository.
Reference: OSSF Scorecard - binary artifacts.
Rationale
Including generated executables in the source repository increases user risk. Many programming language systems can generate executables from source code (e.g., C/C++ generated machine code, Java .class files, Python .pyc files, and minified JavaScript). Users will often directly use executables if they are included in the source repository, leading to many dangerous behaviors.
Problems with generated executable (binary) artifacts:
- Binary artifacts cannot be reviewed, allowing possibly obsolete or maliciously subverted executables to ship. Reviewers generally examine source code, not executables, since it is difficult to audit an executable to confirm that it corresponds to the source code. Over time the included executables might stop corresponding to the source code.
- Checked-in executables allow the executable generation (build) process to atrophy, which can lead to an inability to create working executables. These problems can be countered with verified reproducible builds, but it seems easier to implement verified reproducible builds when executables are not included in the source repository (since the build process is then less likely to have atrophied).
Verification
The checkpoint fails when even a single binary executable file is present in the project's source repository.
Small Print
Many language platforms directly run source code (using interpreters or just-in-time compilers): the source code is executable but reviewable, so it is not considered by this check. This includes shell scripts.
Generated source code, such as parsers produced by parser-generation tools from a grammar specification, or annotated source code that is "transpiled" into generated code, is not considered a binary artifact. Generated source code can be more difficult to review than human-written code (some may argue that there are obfuscation-loving programmers out there), so it is recommended to keep the tools for re-generating the code from the initial specification.
Generated documentation in source repositories is also ignored. Generated documentation is intended for use by humans (not computers) who can evaluate the context. Thus, generated documentation doesn’t pose the same level of risk.
Non-executable binary files, like images, videos, and other content, are not considered binary executables for this check.
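The following added example (written for this page, not the Scorecard project's own code) shows how a repository scan applying the Verification rule and the Small Print exceptions might look: it flags files by executable magic bytes or by artifact extension, ignores images and other non-executable binaries, and lets shell scripts and other plain source through. The magic-byte and extension lists and the sample checkout in demo() are constructed assumptions, not the tool's actual detection rules.

```python
import tempfile
from pathlib import Path

# Leading bytes of common executable formats (constructed list; not the Scorecard tool's own rules).
EXECUTABLE_MAGIC = {
    b"\x7fELF": "ELF executable or shared object",
    b"MZ": "PE (Windows) executable or DLL",
    b"\xca\xfe\xba\xbe": "Java .class file (or Mach-O universal binary)",
}
# Recognised by extension because the magic number varies by toolchain version.
EXECUTABLE_SUFFIXES = {".pyc", ".jar", ".war", ".so", ".dll", ".dylib", ".exe", ".wasm"}
# Non-executable binary content (images, PDFs) is out of scope per the Small Print.
IGNORED_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"GIF8", b"%PDF")

def classify(path: Path):
    # Return why a file counts as a binary artifact, or None if it is reviewable source.
    head = path.read_bytes()[:8]
    if head.startswith(IGNORED_MAGIC):
        return None
    for magic, reason in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return reason
    if path.suffix.lower() in EXECUTABLE_SUFFIXES:
        return f"binary by extension {path.suffix}"
    return None  # plain source, including shell scripts, passes

def find_binary_artifacts(repo_root):
    # Walk a checkout (skipping .git) and return sorted (relative path, reason) pairs.
    root = Path(repo_root)
    found = []
    for p in root.rglob("*"):
        if p.is_file() and ".git" not in p.parts:
            reason = classify(p)
            if reason:
                found.append((p.relative_to(root).as_posix(), reason))
    return sorted(found)  # compliance fails on a single finding

def demo():
    root = Path(tempfile.mkdtemp())  # constructed sample checkout, not a real project
    samples = {
        "bin/tool": b"\x7fELF\x02\x01\x01" + bytes(9),           # checked-in ELF
        "lib/Foo.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x37",    # Java class file
        "build/mod.cpython-311.pyc": b"\xa7\r\r\n" + bytes(12), # bytecode cache
        "docs/logo.png": b"\x89PNG\r\n\x1a\n",                  # image: ignored
        "scripts/build.sh": b"#!/bin/sh\necho build\n",         # source: ignored
    }
    for rel, data in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return find_binary_artifacts(root)
```

Running demo() reports the ELF, the .class file and the .pyc file while leaving the PNG and the shell script unflagged; point find_binary_artifacts() at a real checkout to apply the same rule.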