Proposed improvements to OpenSSF Scorecard
lucasgonze opened this issue · 2 comments
lucasgonze commented
To decide whether to use this package in the Magma project I checked it with deps.dev.
(See https://deps.dev/go/github.com%2Fwmnsk%2Fmilenage/v1.2.0). These changes would improve the results:
- project should require code review before pull requests (aka merge requests) are merged.
- acquire OpenSSF (formerly CII) Best Practices Badge.
- enable branch protection on development/release branches
- pin all dependencies by hash. (some dependencies are pinned by hash, but not all).
- enable CodeQL in GitHub
- create a security policy in GitHub
- implement fuzzing
I would be glad to help with these if you would like.
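For the "implement fuzzing" item above, here is an added example of what a Go native fuzz target looks like (Scorecard's Fuzzing check recognizes `go test -fuzz` targets). It is not code from the milenage project: `EncryptBlock` is a hypothetical stand-in for one AES-based kernel step, chosen only because the real library is AES-based, and the invariants it checks (bad lengths are rejected with a typed error rather than a panic, output is one block long, and decrypting the output returns the input) are assumptions about how such a function should behave. In a real repository the fuzz function lives in a `_test.go` file next to the code it exercises.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"errors"
	"fmt"
	"testing"
)

// ErrBadLength is returned when the caller passes anything other than
// 16-byte key and input; explicit validation instead of an index panic.
var ErrBadLength = errors.New("key and input must be exactly 16 bytes")

// EncryptBlock is a hypothetical stand-in for one MILENAGE kernel step:
// a single AES block encryption guarded by length validation.
func EncryptBlock(key, in []byte) ([]byte, error) {
	if len(key) != aes.BlockSize || len(in) != aes.BlockSize {
		return nil, ErrBadLength
	}
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, in)
	return out, nil
}

// checkInvariant encodes what the fuzzer asserts for every generated input.
// Keeping it as a plain function lets unit tests and the fuzz target share it.
func checkInvariant(key, in []byte) error {
	out, err := EncryptBlock(key, in)
	if len(key) != aes.BlockSize || len(in) != aes.BlockSize {
		// Malformed sizes must be rejected with the typed error, never a panic.
		if !errors.Is(err, ErrBadLength) {
			return fmt.Errorf("bad-length input not rejected with ErrBadLength, got %v", err)
		}
		return nil
	}
	if err != nil {
		return fmt.Errorf("valid 16-byte input rejected: %w", err)
	}
	if len(out) != aes.BlockSize {
		return fmt.Errorf("output has %d bytes, want %d", len(out), aes.BlockSize)
	}
	// Round trip: decrypting the block must give back the original input.
	c, _ := aes.NewCipher(key)
	back := make([]byte, aes.BlockSize)
	c.Decrypt(back, out)
	if !bytes.Equal(back, in) {
		return errors.New("decrypt(encrypt(in)) != in")
	}
	return nil
}

// FuzzEncryptBlock is the Go native fuzz target; run with
//   go test -fuzz=FuzzEncryptBlock
// The f.Add calls seed the corpus with one valid and one malformed case.
func FuzzEncryptBlock(f *testing.F) {
	f.Add(make([]byte, aes.BlockSize), make([]byte, aes.BlockSize))
	f.Add([]byte("short"), []byte("x"))
	f.Fuzz(func(t *testing.T, key, in []byte) {
		if err := checkInvariant(key, in); err != nil {
			t.Fatal(err)
		}
	})
}

func main() {
	// Stand-alone smoke run over the same seeds the fuzzer starts from.
	seeds := [][2][]byte{
		{make([]byte, aes.BlockSize), make([]byte, aes.BlockSize)},
		{[]byte("short"), []byte("x")},
	}
	for _, s := range seeds {
		if err := checkInvariant(s[0], s[1]); err != nil {
			fmt.Println("FAIL:", err)
			return
		}
	}
	fmt.Println("seed corpus passes invariants")
}
```

The point of routing the fuzz body through `checkInvariant` is that a crash found by `go test -fuzz` is reproducible as an ordinary unit test with the minimized input the toolchain writes to `testdata/fuzz/`.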
wmnsk commented
Great! Which can you help me with setting up?
lucasgonze commented
Ok. Can you add me as assignee?