anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

Enable the Scorecard Github Action and badge #926

Closed joycebrum closed 2 years ago

joycebrum commented 2 years ago

Hi I am Joyce and I'm working on behalf of Google and the OpenSSF to help essential open-source projects improve their supply-chain security. The OpenSSF is a non-profit foundation backed by the Linux Foundation, dedicated to improving the security of the open-source community. It counts GitHub as a founding member.

What would you like to be added: I would like to suggest that you use the Scorecard GitHub Action to increase the security of your repository.

The Scorecard system combines dozens of automated checks to let maintainers better understand their project's supply-chain security posture. It is developed by the OpenSSF, with direct support from GitHub.

However, the OpenSSF has also developed the Scorecard GitHub Action, which adds the results of its checks to the project's security dashboard, as well as suggestions on how to solve any issues (see examples on the "Additional context"). This Action has been adopted by 1600+ projects already.

Would you be interested in a PR which adds this Action? Optionally, it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README.

Why is this needed:

Considering the relevance grype has on ensuring the security of many projects, it's been included in the OpenSSF's list of the 100 most critical open-source projects. Thus, adopting the Scorecard GitHub Action in this project would help you identify and resolve security risks in the repository, which would increase the security of the project and guarantee that it is (mostly) safe from malicious sabotage.

Additional context:

[Image: Code scanning dashboard with multiple alerts, including Code-Review and Token-Permissions]

[Image: Detail of a Token-Permissions alert, indicating the specific file and remediation steps]
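For reference, a minimal workflow of the kind the proposal above describes, as an added example that is not part of this issue or of the grype repository: it runs the Scorecard Action, uploads the SARIF results to the code scanning dashboard, and optionally publishes the results so a badge can be generated. The `v2`/`v3` tags are assumed placeholders; in practice the action references would be pinned to commit SHAs (which is itself one of the Scorecard checks).

```yaml
# Added example, not taken from the grype repository. Action tags below are
# assumed placeholders; pin them to full commit SHAs before use.
name: Scorecard supply-chain security

on:
  # Branch-protection changes affect the Branch-Protection check.
  branch_protection_rule:
  # Weekly rescan so the score stays current without code changes.
  schedule:
    - cron: '30 1 * * 6'
  push:
    branches: [ main ]

# Default to read-only; elevate only what the analysis job needs (Token-Permissions check).
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # needed to upload SARIF to code scanning
      id-token: write          # needed only when publish_results is true

    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          # Set to true to publish to the OpenSSF REST API for the README badge.
          publish_results: true

      - name: Upload to code scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
```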

adriens commented 2 years ago

:eyes:

I had never heard about scorecard :grey_exclamation: Thanks a lot for having made me discover it :heavy_heart_exclamation: :pray:

kzantow commented 2 years ago

This is a great idea, definitely something we can look to do 👍