gohugoio / hugo

The world’s fastest framework for building websites.
https://gohugo.io
Apache License 2.0
74.76k stars, 7.46k forks

Enable the OpenSSF Scorecard Github Action #10306

Open joycebrum opened 1 year ago

joycebrum commented 1 year ago

Hello, I'm working on behalf of Google and the Open Source Security Foundation to help essential open-source projects improve their supply-chain security. Given the relevance of HUGO in the web development context, the OpenSSF has identified it as one of the 100 most critical open source projects.

Would you consider adopting an OpenSSF tool called Scorecards? Scorecards runs dozens of automated security checks to help maintainers better understand their project's supply-chain security posture. It is developed by the OpenSSF, in partnership with GitHub.

To simplify maintainers' lives, the OpenSSF has also developed the Scorecard GitHub Action. It is very lightweight and runs on every change to the repository's main branch. The results of its checks are available on the project's security dashboard, and include suggestions on how to solve any issues (see examples below). The Action does not run or interact with any workflows, but merely parses them to identify possible vulnerabilities. This Action has been adopted by 1800+ projects already.

The HUGO project has already achieved an amazing score, which means it is in the top 7% of projects. Congratulations! As expected, the HUGO project already follows 100% of some of the security criteria, such as Binary-Artifacts, Dangerous-Workflow, Fuzzing, Security-Policy, and some others.

But there are still some criteria that represent security risks for the project that could be solved in a way that improves the repository's overall security. The Scorecard GitHub Action will help you track those risks and properly solve them.

Would you be interested in a PR which adds this Action? Optionally, it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README. This is a good way to show your commitment to following best security practices, to encourage new adopters of Scorecards and, consequently, to help raise the collective level of open source security.

[Screenshot: Code scanning dashboard with multiple alerts, including Code-Review and Token-Permissions]

[Screenshot: Detail of a Token-Permissions alert, indicating the specific file and remediation steps]
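For readers who want to see what the proposal above amounts to in practice, here is an added example workflow that is not part of this issue or of the Hugo repository. It follows the shape of the workflow published by the ossf/scorecard-action project: run on every push to the default branch, write the results as SARIF into the repository's code scanning dashboard (the "security dashboard" the comment refers to), and optionally publish them to the OpenSSF API so a badge can be shown in the README. The branch name `master` is taken from the stale-bot message below; the file path `.github/workflows/scorecard.yml`, the cron schedule and the action version tags are assumptions chosen for illustration, and the commented-out SHA pins are placeholders, not real commit ids.

```yaml
# .github/workflows/scorecard.yml (illustrative example, not Hugo's own workflow)
name: OpenSSF Scorecard

on:
  # Re-run when branch protection settings change (affects the Branch-Protection check).
  branch_protection_rule:
  # Weekly run so the score reflects newly published checks; the schedule is an assumption.
  schedule:
    - cron: '30 6 * * 1'
  # Run on every change to the default branch, as the proposal describes.
  push:
    branches: [ "master" ]

# Default to read-only; the job below grants only what it needs.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload SARIF results to the code scanning dashboard.
      security-events: write
      # Needed for OIDC-based publishing to the OpenSSF API (publish_results: true).
      id-token: write

    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          # Do not leave the GITHUB_TOKEN in the checkout's git config.
          persist-credentials: false

      - name: Run Scorecard
        # Scorecard's own Pinned-Dependencies check expects actions to be pinned to a full
        # commit SHA rather than a tag, e.g.:
        #   uses: ossf/scorecard-action@<full-commit-sha-placeholder> # v2.1.2
        uses: ossf/scorecard-action@v2.1.2
        with:
          results_file: results.sarif
          results_format: sarif
          # Set to false to keep results private (no badge, no OpenSSF API upload).
          publish_results: true

      # Keep the raw SARIF briefly so maintainers can inspect findings outside the UI.
      - name: Upload SARIF artifact
        uses: actions/upload-artifact@v3
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # This is what makes each failing check appear as a code scanning alert with
      # the affected file and remediation text, as in the screenshots above.
      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
```

With `publish_results: true`, the README badge the comment mentions is a Markdown image of the form `https://api.securityscorecards.dev/projects/github.com/<org>/<repo>/badge`; without publishing, the workflow still populates the code scanning dashboard but no public score is exposed. The workflow only reads repository metadata and parses other workflow files; it does not execute them, which is why `read-all` plus the two write scopes above is sufficient and why granting broader permissions would itself be flagged by the Token-Permissions check.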

github-actions[bot] commented 12 months ago

This issue has been automatically marked as stale because it has not had recent activity. The resources of the Hugo team are limited, and so we are asking for your help. If this is a bug and you can still reproduce this error on the master branch, please reply with all of the information you have about it in order to keep the issue open. If this is a feature request, and you feel that it is still relevant and valuable, please tell us why. This issue will automatically be closed in the near future if no further activity occurs. Thank you for all your contributions.