veged/coa

Enable the OpenSSF Scorecard Action and Badge

Closed this issue · 0 comments

Hi, I am Joyce and I am working on behalf of Google and the OpenSSF to help essential open source projects improve their supply-chain security. Considering how veged/coa has a solid role in many projects, the OpenSSF identified it as one of the 100 most critical open source projects.

Would you consider adopting the OpenSSF Scorecard tool? It is very lightweight to run and does not interfere with any other workflow or PR process. It runs dozens of automated checks to help maintainers better understand their supply-chain security posture and improve it. The Scorecard is developed by the OpenSSF, in partnership with GitHub.

The coa project already follows some of the security best practices analyzed by the Scorecard, but it still has some points to be worked on, such as CI-Tests, Dependency Update Tool, SAST, etc.

To help you better track these improvements, the OpenSSF has also developed the Scorecard GitHub Action. It runs on every change to the repository's main branch and once a week. The results of its checks are available on the project's security dashboard, and include suggestions on how to solve any issues (see examples below). This Action has been adopted by 1800+ projects already, with some prominent users such as TensorFlow, Angular, Flutter, sos.dev and deps.dev.

Would you be interested in a PR that adds this Action? Optionally, it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README.

In case of doubts or concerns, you can check the Scorecard's FAQ. Anyway, feel free to reach out to me, I'll be here to help.

[Screenshot: Code scanning dashboard with multiple alerts, including Code-Review and Token-Permissions]

[Screenshot: Detail of a Token-Permissions alert, indicating the specific file and remediation steps]