I'd like to suggest a tool that might help on tracking supply-chain security practice improvements, which is the OpenSSF Scorecard Action
It proactively runs the Scorecard on the repository and warn you in case of any Security Practice that may have changed (example: a new workflow was created without top level permissions). It is important to improve the project's supply-chain security.
Would you be interested in a PR which adds this Action? Optionally it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README.
Example:
In case of doubts or concerns you can try to check Scorecards FAQ. Anyway, feel free to reach me out, I'll be happy to help or gather feedback.
floitsch
commented
1 year ago
Hi again,
I'd like to suggest a tool that might help on tracking supply-chain security practice improvements, which is the OpenSSF Scorecard Action
It proactively runs the Scorecard on the repository and warn you in case of any Security Practice that may have changed (example: a new workflow was created without top level permissions). It is important to improve the project's supply-chain security.
The action has been adopted by 1800+ projects, having some prominent users such as Tensorflow, Angular, Flutter, sos.dev and deps.dev.
Would you be interested in a PR which adds this Action? Optionally it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README.
Example:
In case of doubts or concerns you can try to check Scorecards FAQ. Anyway, feel free to reach me out, I'll be happy to help or gather feedback.