-
## Time
**UTC Thu 28-Sep-2023 14:00 (02:00 PM)**:
| Timezone | Date/Time |
|---------------|-----------------------|
| US / Pacific | Thu 28-Sep-2023 07:00 (07:00 AM) |
| US / Mou…
-
Currently, the only projects with contributor ladders are [Sigstore](https://github.com/sigstore/community/blob/main/MEMBERSHIP.md) and [AllStar](https://github.com/ossf/allstar/blob/main/contributor-…
-
Setting minimum permissions for workflows helps keep the workflows safer against supply-chain attacks. GitHub gives [higher permissions to workflows by default](https://docs.github.com/en/actions/secur…
-
## Description
I would like to suggest another security practice recommended by the [OpenSSF Scorecard][scorecard-repo] which is to hash pin dependencies to prevent tag renaming attacks and that al…
-
Hi!
I'm Diogo and I work on Google's Open Source Security Team ([GOSST](https://github.com/diogoteles08#about-gosst-ghost)) in cooperation with the Open Source Security Foundation ([OpenSSF](https:/…
-
This (great and super useful) project has a scorecard of 3.1/10 at this time. There are straightforward steps to move the needle up.
https://deps.dev/npm/%40vendia%2Fserverless-express
Some of…
-
Hi I'm Joyce from Google and I'm working on helping many open source projects on improving their supply chain security posture.
## Description
I would like to suggest a security practice recomme…
-
### Would you like to work on this feature?
- [X] Check this if you would like to implement a PR, we are more than happy to help you go through the process.
### What problem are you trying to solve?…
-
The OpenSSF Scorecards project now has an [API](https://api.securityscorecards.dev/). Needs some discussion of how best to add Scorecard data to an SBOM.
Some conversation in the context of Cyclone…
-
Clicking on an OpenSSF scorecard (a.k.a. deps-dev) link of a scoped npm package (for example: `@angular/cli`) leads to a "package not found" page.
**Steps to reproduce:**
1. Visit StackOverflow and…