Closed joycebrum closed 1 year ago
I've looked at https://api.securityscorecards.dev/projects/github.com/eliben/pycparser and ISTM that some of the criteria it uses are not a great fit for a project with essentially a single maintainer (e.g. "number of unreviewed commits", or "maintained" by counting recent changes). In general, maintaining a high score seems more work to appease an arbitrary metric than actually improve the security in the specific case of pycparser.
Thanks for the return eliben! Yeah, unfortunately some of these metrics are unfeasible to single maintainers.
Hi again,
I'd like to suggest a tool that might help on tracking supply-chain security practice improvements, which is the OpenSSF Scorecard Action
It proactively runs the Scorecard on the repository and warn you in case of any Security Practice that may have changed (example: a new workflow was created without top level permissions).
The action has been adopted by 1800+ projects, having some prominent users such as Tensorflow, Angular, Flutter, sos.dev and deps.dev.
Would you be interested in a PR which adds this Action? Optionally it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README.
Example:
In case of doubts or concerns you can try to check Scorecards FAQ. Anyway, feel free to reach me out, I'll be happy to help or gather feedback.