We recently applied and received the OpenSSF Best Practices badge. OpenSSF has another quality assurance offering that we might consider implementing, the OpenSSF Scorecard.
What is Scorecard?
We created Scorecard to help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe.
Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.
This checks against a number of different criteria. We can get a badge from the OpenSSF to show off the general health of the project. There is also a GitHub Action for the scorecard we could use.
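As an added illustration (not part of the original post, and not the project's own configuration), this is what a minimal Scorecard workflow using the OpenSSF `ossf/scorecard-action` looks like. The action name, its `results_file`, `results_format` and `publish_results` inputs, the `upload-sarif` step and the permission names are the documented ones; the specific version tags and the branch name `main` are assumptions to verify against the current Scorecard release and the repository's default branch before use.

```yaml
# Added example workflow, not from the original post. Runs OpenSSF Scorecard on
# every push to the default branch and on a weekly schedule, then uploads the
# results so they appear under the repository's code-scanning alerts.
name: Scorecard supply-chain security

on:
  push:
    branches: [ "main" ]          # assumption: default branch is "main"
  schedule:
    - cron: "30 2 * * 1"          # weekly run picks up drift even without commits
  branch_protection_rule:         # re-evaluates the Branch-Protection check on changes

permissions: read-all             # least privilege by default; elevate per job below

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write      # needed to upload SARIF to code scanning
      id-token: write             # needed for publish_results (OIDC to the Scorecard API)

    steps:
      - name: Checkout code
        uses: actions/checkout@v4  # assumption: pin to a current release or commit SHA
        with:
          persist-credentials: false   # don't leave the token in .git/config

      - name: Run analysis
        uses: ossf/scorecard-action@v2.3.1   # assumption: pin to a current release or commit SHA
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true   # enables the public badge; set false to keep results private

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v3   # assumption: pin to a current release
        with:
          sarif_file: results.sarif
```

Two points worth noting when adopting this: the Scorecard Pinned-Dependencies check penalizes workflows that reference actions by mutable tags, so once the workflow is in place the tags above should be replaced with full commit SHAs; and `publish_results: true` is what makes the README badge and the public API entry available, so it should be left off if the project would rather review results privately first.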