JuliaLang / julia

The Julia Programming Language
https://julialang.org/
MIT License

Enable OpenSSF Scorecard Github Action and Badge #47202

Open joycebrum opened 1 year ago

joycebrum commented 1 year ago

Hi, I am Joyce and I'm working on behalf of Google and the Open Source Security Foundation (OpenSSF) to help essential open-source projects improve their supply-chain security.

I would like to suggest the adoption of Scorecard, a tool from the OpenSSF in partnership with GitHub. It runs dozens of automated security checks to help maintainers better understand their project's supply-chain security posture.

To make it easier to use Scorecard, the OpenSSF has also developed the Scorecard GitHub Action, which runs the Scorecard checks on every push to the main branch and makes the results available in the security dashboard, together with proposed solutions (see examples below).

Although the Julia project already scores well on the security checks, there are some checks that would be interesting to work on, and the action would also help guarantee that the checks already being followed continue to be followed.

Would you be interested in a PR which adds this Action? Optionally, it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README.

In case of doubts or concerns you can check the Scorecard FAQ. Anyway, feel free to reach out to me.

[Screenshot: code scanning dashboard with multiple alerts, including Code-Review and Token-Permissions]

[Screenshot: detail of a Token-Permissions alert, indicating the specific file and remediation steps]

Keno commented 1 year ago

I'm not opposed to this, but I am somewhat worried about the practical details of putting up the scorecard number. The checks seem generally useful, but some of the checks are not applicable to us or are unlikely to be detected by an automated tool (for example, we run custom static analysis over our source code, but there isn't really a way for the tool to know that). Some of the others are just not particularly applicable. For example, we could enable dependabot, but it wouldn't do anything. Is there a way to configure which checks to run? I understand that the badge might not be applicable, but I think the checks are more useful than the badge-signaling. Once you put up a badge, people will just start endlessly arguing about it.

joycebrum commented 1 year ago

Hi @Keno, it is not usual for people to question any of the checks, and it is expected that in some cases there will be checks that are not applicable, so you should not worry about it. Users are mostly concerned with the overall security posture of the project. Besides, the Julia project's score is actually great, being in the top 9.6%.

But sure, if you would rather enable only the checks and not the badge, that can be done easily. The checks would be shown in the security dashboard, and the ones you think are not applicable you can ignore. The checks are under continuous improvement by the Scorecard team, and I'll share your feedback with them!

I see that the checks you could work on are Branch Protection, CII Best Practices, Fuzzing and Pinned Dependencies. All of them could be good to be adopted by the project.

Besides, the action is just as easy to disable as it is to enable, if you want to give it a "try".
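For reference, a workflow of the kind the proposed PR would add, configured the way Keno asked for (checks in the security dashboard, no badge). This is an added example, not code from this thread or from the Julia repository; the branch name `main`, the version tags and tag-style pins are assumptions, and the Scorecard documentation recommends pinning each action to a full commit SHA, which is also what the Pinned-Dependencies check looks for.

```yaml
# .github/workflows/scorecard.yml (added example, not the Julia project's own file)
name: OpenSSF Scorecard

on:
  push:
    branches: [ main ]          # assumption: default branch is named "main"
  branch_protection_rule:       # re-run when branch protection settings change
  schedule:
    - cron: '30 1 * * 6'        # weekly run so results do not go stale

# Least privilege at the workflow level; this is what the Token-Permissions
# check flags when it is missing. Jobs raise only the scopes they need.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write    # required to upload SARIF to the code scanning dashboard
      id-token: write           # only needed when publish_results is true
      contents: read
      actions: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4   # assumed tag; pin to a full commit SHA in practice
        with:
          persist-credentials: false   # do not leave the token in the checkout

      - name: Run analysis
        uses: ossf/scorecard-action@v2.3.1   # assumed tag; pin to a full commit SHA in practice
        with:
          results_file: results.sarif
          results_format: sarif
          # true also sends results to the OpenSSF REST API, which is what
          # enables the README badge; false runs the checks only, as Keno
          # preferred above.
          publish_results: false

      # Surface the findings in the Security tab, one alert per failed check,
      # each with the file and remediation text shown in the screenshots above.
      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@v3   # assumed tag
        with:
          sarif_file: results.sarif
```

Flipping `publish_results` to `true` (with `id-token: write` kept) is the only change needed later if the project decides it does want the badge.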