crystal-lang/crystal

Add OSSF Scorecard GH Action and badge to README

CyrilBaah opened this issue · 2 comments

  • Improvement Area:
    Add OpenSSF Scorecard GitHub Action to automatically evaluate the security and best practices of the repository.

  • Reasons:
    Integrating the OSSF Scorecard will help identify vulnerabilities, improve the code's security posture, and increase transparency for contributors and users.

  • Benefits:
    To help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe.

We don't necessarily need to run it ourselves in GitHub Actions, because it's already being run by scorecard.dev. Here's crystal's scorecard: https://scorecard.dev/viewer/?uri=github.com/crystal-lang/crystal. However, running it ourselves would allow us to remove specific checks, such as fuzzing (since there is no fuzzing tool for crystal).

Ok, we can add an OpenSSF Scorecard badge to our README to showcase our project's security and compliance with open-source best practices. It provides real-time insight into the repository’s health and commitment to security, like this:
OpenSSF Scorecard