geonetwork / core-geonetwork

GeoNetwork is a catalog application to manage spatially referenced resources. It provides powerful metadata editing and search functions as well as an interactive web map viewer. It is currently used in numerous Spatial Data Infrastructure initiatives across the world.
http://geonetwork-opensource.org/
GNU General Public License v2.0

Adding OpenSSF scorecard to GeoNetwork #7824

Closed ticheler closed 8 months ago

ticheler commented 8 months ago

Discussed in https://github.com/orgs/geonetwork/discussions/7691

Originally posted by **ticheler** February 2, 2024

Hi all, especially core developers,

Can I propose to add an Action to our repositories to do additional security testing? This is a practice that was promoted at the EU Open Source Policy Summit 2024 today as a way to improve software security. See https://securityscorecards.dev/ on how it works and how we can implement it.

Let me know what you think.

Cheers, Jeroen

ticheler commented 8 months ago

@geonetwork/project-steering-committee @jahow @jodygarnett this was the proposed scanning that I could not remember the name of during our last PSC meeting. Shall we set this up on the GeoNetwork project?

jahow commented 8 months ago

That tool looks very comprehensive and easy to set up, thanks for suggesting this. Is anyone already affected to this task? Otherwise I can ask around if someone at Camptocamp can do it.

ticheler commented 8 months ago

Thanks @jahow! I've installed it for geonetwork-core (it indeed was easy to install) and that seems to work well so far. I can do the same on other repositories once people feel comfortable about it. I'll close the issue now. If it requires further work we can re-open it.
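For readers wanting to see what "installing" Scorecard amounts to, the following is an added illustration of a typical `ossf/scorecard-action` workflow; it is not the file committed to core-geonetwork (which is not shown in this thread). The file path, the `main` branch name and the cron schedule are assumptions.

```yaml
# Assumed path: .github/workflows/scorecard.yml (illustrative, not the project's file)
# Actions are referenced by tag here for readability; Scorecard's own
# Pinned-Dependencies check scores higher when they are pinned to full commit SHAs.
name: OpenSSF Scorecard

on:
  # The Branch-Protection check needs the workflow to run on the default branch;
  # "main" is an assumption, adjust to the repository's default branch.
  push:
    branches: [main]
  # Weekly run so the score stays current even when no commit lands.
  schedule:
    - cron: '30 1 * * 6'
  branch_protection_rule:

# Least privilege: read-only by default, elevated only inside the job that needs it.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # upload SARIF results to GitHub code scanning
      id-token: write         # OIDC token used to publish results to securityscorecards.dev

    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Do not leave GITHUB_TOKEN in the checked-out git config.
          persist-credentials: false

      - name: Run Scorecard
        uses: ossf/scorecard-action@v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
          # Publishing to the public Scorecard API only applies to public repositories.
          publish_results: true

      - name: Keep the SARIF report as a workflow artifact
        uses: actions/upload-artifact@v4
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      - name: Surface findings in the repository's Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Once the first run completes, each Scorecard check (Token-Permissions, Pinned-Dependencies, Dangerous-Workflow, and so on) appears as a code scanning alert, which is where maintainers would triage the findings this thread is asking for.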