istio / istio

Connect, secure, control, and observe services.
https://istio.io
Apache License 2.0
35.34k stars, 7.63k forks

Enable OpenSSF Scorecard to enhance security practices across the project #51741

Open harshitasao opened 4 days ago

harshitasao commented 4 days ago

Hi, I'm Harshita. I’m working with CNCF and the Google Open Source Security Team for the GSoC 2024 term. We are collaborating to enhance security practices across various CNCF projects. The goal is to improve security for all CNCF projects by both using OpenSSF Scorecards and implementing its security improvements.

The Open Source Security Foundation (OpenSSF) Scorecard is a tool designed to evaluate the security posture of open-source projects. This has the Scorecard GitHub Action, which automates the process by running security checks on the GitHub repository. By integrating this Action into the repository's workflow, developers can continuously monitor the project’s security posture. The Scorecard checks cover various security best practices and provide scores for multiple categories. Some checks include Code Reviews, Branch Protection, Signed Releases, etc.

The workflow runs on every change in the main branch. It publishes the Scorecard checks' results to the project's security dashboard and includes suggestions on how to solve any issues. This Action has already been adopted by 1800+ projects, with prominent users like Tensorflow, Angular, sos.dev, deps.dev, and many CNCF projects.

Once the Scorecard GitHub Action is set up and running, the results can be displayed as a badge in the repository's README file. This badge serves as a quick indicator of the project's security posture, helping users and contributors evaluate the project's security practices quickly.

Why is this needed:

The OpenSSF Scorecard improves open-source projects' security by providing automated, transparent assessments of their security practices. It will help you identify vulnerabilities, adhere to best practices, and continuously enhance your security posture, increasing user trust and reducing the risk of security exploits.

I'll be the one to create the PR to add the scorecard GitHub action, and I will also work with you to remediate the identified vulnerabilities. I'll go through each scorecard check to see where the score has dropped and how it can be improved.

Would you be interested in a PR which adds this Action?

/cc @joycebrum @diogoteles08 @pnacht @nate-double-u

howardjohn commented 4 days ago

Our current stance in this organization is to not use GitHub Actions. I don't mind running this check on a manual basis, and improving findings where they make sense, but I don't think we will adopt a GitHub Action (nor the badge, given it depends on the action?).

howardjohn commented 4 days ago

Here is the report fwiw

RESULTS
-------
Aggregate score: 7.0 / 10

Check scores:

| Score | Name | Reason | Details | Documentation/Remediation |
|---|---|---|---|---|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | | https://github.com/ossf/scorecard/blob/309b48b9fd4114d8a7e3d9d4b65bd7862e042e02/docs/checks.md#binary-artifacts |
| 4 / 10 | Branch-Protection | branch protection is not maximal on development and all release branches | Info: 'allow deletion' disabled on branch 'master'; Info: 'force pushes' disabled on branch 'master'; Warn: 'branch protection settings apply to administrators' is disable on branch 'master'; Warn: 'stale review dismissal' is disable on branch 'master'; Warn: required approving review count is 1 on branch 'master'; Info: codeowner review is required on branch 'master'; Warn: 'last push approval' is disable on branch 'master'; Warn: 'up-to-date branches' is disable on branch 'master'; Info: status check found to merge onto on branch 'master'; Info: PRs are required in order to make changes on branch 'master' | https://github.com/ossf/scorecard/blob/309b48b9fd4114d8a7e3d9d4b65bd7862e042e02/docs/checks.md#branch-protection |
| 10 / 10 | CI-Tests | 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 | | https://github.com/ossf/scorecard/blob/309b48b9fd4114d8a7e3d9d4b65bd7862e042e02/docs/checks.md#ci-tests |
| 5 / 10 | CII-Best-Practices | badge detected: Passing | | https://github.com/ossf/scorecard/blob/309b48b9fd4114d8a7e3d9d4b65bd7862e042e02/docs/checks.md#cii-best-practices |
| 7 / 10 | Code-Review | Found 21/30 approved changesets -- score normalized to 7 | | https://github.com/ossf/scorecard/blob/309b48b9fd4114d8a7e3d9d4b65bd7862e042e02/docs/checks.md#code-review |
| 10 / 10 | Contributors | project has 31 contributing companies or organizations | Info: fortio contributor org/company found, GoogleCloudPlatform contributor org/company found, kubernetes contributor org/company found, ResilienceTesting contributor org/company found, ibm contributor org/company found, aviatrix contributor org/company found, clickhouse contributor org/company found, kubernetes-sigs contributor org/company found, amalgam8 contributor org/company found, netty contributor org/company found, steamship contributor org/company found, ibm @ibm-research and red hat partner engineer contributor org/company found, iDigBio contributor org/company found, solo.io contributor org/company found, solo-io contributor org/company found, tetrateio contributor org/company found, istio contributor org/company found, roku ex @google @facebook contributor org/company found, dotnet contributor org/company found, ClickHouse contributor org/company found, ex-google contributor org/company found, karmada-io contributor org/company found, google contributor org/company found, microsoft contributor org/company found, merbridge contributor org/company found, grpc contributor org/company found, IBM contributor org/company found, google inc contributor org/company found, kurator-dev contributor org/company found, kmesh-net contributor org/company found, envoyproxy contributor org/company found, | https://github.com/ossf/scorecard/blob/309b48b9fd4114d8a7e3d9d4b65bd7862e042e02/docs/checks.md#contributors |
| ? | Dangerous-Workflow | no workflows found | | https://github.com/ossf/scorecard/blob/309b48b9fd4114d8a7e3d9d4b65bd7862e042e02/docs/checks.md#dangerous-workflow |
| 10 / 10 | Dependency-Update-Tool | update tool detected | Info: detected update tool: Dependabot: .github/dependabot.yml:1 | https://github.com/ossf/scorecard/blob/309b48b9fd4114d8a7e3d9d4b65bd7862e042e02/docs/checks.md#dependency-update-tool |
| 10 / 10 | Fuzzing | project is fuzzed | Info: OSSFuzz integration found; Info: GoBuiltInFuzzer integration found: pilot/pkg/config/kube/gateway/fuzz_test.go:29; Info: GoBuiltInFuzzer integration found: pilot/pkg/model/fuzz_test.go:29; Info: GoBuiltInFuzzer integration found: pilot/pkg/model/fuzz_test.go:29; Info: GoBuiltInFuzzer integration found: pilot/pkg/model/fuzz_test.go:29; Info: GoBuiltInFuzzer integration found: pilot/pkg/model/fuzz_test.go:29; Info: GoBuiltInFuzzer integration found: | https://github.com/ossf/scorecard/blob/309b48b9fd4114d8a7e3d9d4b65bd7862e042e02/docs/checks.md#fuzzing |
|         |                        |                                | pilot/pkg/networking/core/envoyfilter/fuzz_test.go:29                                                                   |                                                                                                                       |
|         |                        |                                | Info: GoBuiltInFuzzer integration found:                                                                                |                                                                                                                       |
|         |                        |                                | pilot/pkg/networking/core/fuzz_test.go:29                                                                               |                                                                                                                       |
|         |                        |                                | Info: GoBuiltInFuzzer integration found:                                                                                |                                                                                                                       |
|         |                        |                                | pilot/pkg/networking/core/fuzz_test.go:29                                                                               |                                                                                                                       |
|         |                        |                                | Info: GoBuiltInFuzzer integration found:                                                                                |                                                                                                                       |
|         |                        |                                | pilot/pkg/networking/core/fuzz_test.go:29                                                                               |                                                                                                                       |
|         |                        |                                | Info: GoBuiltInFuzzer integration found:                                                                                |                                                                                                                       |
|         |                        |                                | pilot/pkg/networking/core/loadbalancer/fuzz_test.go:29                                                                  |                                                                                                                       |
|         |                        |                                | Info: GoBuiltInFuzzer integration found:                                                                                |                                                                                                                       |
|         |                        |                                | pilot/pkg/networking/util/fuzz_test.go:29                                                                               |                                                                                                                       |
|         |                        |                                | Info: GoBuiltInFuzzer integration found:                                                                                |                                                                                                                       |
|         |                        |                                | pilot/pkg/networking/util/fuzz_test.go:29                                                                               |                                                                                                                       |
|         |                        |                                | Info: GoBuiltInFuzzer integration found:                                                                                |                                                                                                                       |
|         |                        |                                | pilot/pkg/networking/util/fuzz_test.go:29                                                                               |                                                                                                                       |
|         |                        |                                | Info: GoBuiltInFuzzer integration found:                                                                                |                                                                                                                       |
|         |                        |                                | pilot/pkg/security/authz/builder/fuzz_test.go:29                                                                        |                                                                                                                       |
|         |                        |                                | Info: GoBuiltInFuzzer integration found:                                                                                |                                                                                                                       |
|         |                        |                                | pilot/pkg/security/authz/builder/fuzz_test.go:29                                                                        |                                                                                                                       |
|         |                        |                                | Info: GoBuiltInFuzzer integration found:                                                                                |                                                                                                                       |
|         |                        |                                | pilot/pkg/serviceregistry/kube/controller/fuzz_test.go:29                                                               |                                                                                                                       |
|         |                        |                                | Info: GoBuiltInFuzzer integration found:                                                                                |                                                                                                                       |
|         |                        |                                | pkg/bootstrap/fuzz_test.go:29 Info: GoBuiltInFuzzer                                                                     |                                                                                                                       |
|         |                        |                                | integration found: pkg/config/mesh/fuzz_test.go:29                                                                      |                                                                                                                       |
|         |                        |                                | Info: GoBuiltInFuzzer integration found:                                                                                |                                                                                                                       |
|         |                        |                                | pkg/config/validation/fuzz_test.go:29                                                                                   |                                                                                                                       |
|         |                        |                                | Info: GoBuiltInFuzzer integration found:                                                                                |                                                                                                                       |
|         |                        |                                | pkg/kube/inject/fuzz_test.go:29 Info:                                                                                   |                                                                                                                       |
|         |                        |                                | GoBuiltInFuzzer integration found:                                                                                      |                                                                                                                       |
|         |                        |                                | security/pkg/k8s/chiron/fuzz_test.go:29                                                                                 |                                                                                                                       |
|         |                        |                                | Info: GoBuiltInFuzzer integration found:                                                                                |                                                                                                                       |
|         |                        |                                | security/pkg/pki/ca/fuzz_test.go:29 Info: GoBuiltInFuzzer                                                               |                                                                                                                       |
|         |                        |                                | integration found: security/pkg/pki/ra/fuzz_test.go:29                                                                  |                                                                                                                       |
|         |                        |                                | Info: GoBuiltInFuzzer integration found:                                                                                |                                                                                                                       |
|         |                        |                                | security/pkg/server/ca/authenticate/fuzz_test.go:29                                                                     |                                                                                                                       |
|         |                        |                                | Info: GoBuiltInFuzzer integration found:                                                                                |                                                                                                                       |
|         |                        |                                | security/pkg/server/ca/fuzz_test.go:29                                                                                  |                                                                                                                       |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License                | license file detected          | Info: project has a license                                                                                             | https://github.com/ossf/scorecard/blob/309b48b9fd4114d8a7e3d9d4b65bd7862e042e02/docs/checks.md#license                |
|         |                        |                                | file: LICENSE:0 Info: FSF or                                                                                            |                                                                                                                       |
|         |                        |                                | OSI recognized license: Apache                                                                                          |                                                                                                                       |
|         |                        |                                | License 2.0: LICENSE:0                                                                                                  |                                                                                                                       |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained             | 30 commit(s) and 23 issue      |                                                                                                                         | https://github.com/ossf/scorecard/blob/309b48b9fd4114d8a7e3d9d4b65bd7862e042e02/docs/checks.md#maintained             |
|         |                        | activity found in the last 90  |                                                                                                                         |                                                                                                                       |
|         |                        | days -- score normalized to 10 |                                                                                                                         |                                                                                                                       |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Packaging              | packaging workflow not         | Warn: no GitHub/GitLab                                                                                                  | https://github.com/ossf/scorecard/blob/309b48b9fd4114d8a7e3d9d4b65bd7862e042e02/docs/checks.md#packaging              |
|         |                        | detected                       | publishing workflow detected.                                                                                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 1 / 10  | Pinned-Dependencies    | dependency not pinned by hash  | Warn: containerImage not pinned by hash: cni/deployments/kubernetes/Dockerfile.install-cni:9 Warn:                      | https://github.com/ossf/scorecard/blob/309b48b9fd4114d8a7e3d9d4b65bd7862e042e02/docs/checks.md#pinned-dependencies    |
|         |                        | detected -- score normalized   | containerImage not pinned by hash: cni/deployments/kubernetes/Dockerfile.install-cni:12 Warn:                           |                                                                                                                       |
|         |                        | to 1                           | containerImage not pinned by hash: cni/deployments/kubernetes/Dockerfile.install-cni:16 Warn: containerImage            |                                                                                                                       |
|         |                        |                                | not pinned by hash: docker/Dockerfile.base:1: pin your Docker image by updating ubuntu:noble to                         |                                                                                                                       |
|         |                        |                                | ubuntu:noble@sha256:2e863c44b718727c860746568e1d54afd13b2fa71b160f5cd9058fc436217b30 Warn: containerImage not pinned    |                                                                                                                       |
|         |                        |                                | by hash: docker/Dockerfile.distroless:5 Warn: containerImage not pinned by hash: istioctl/docker/Dockerfile.istioctl:5  |                                                                                                                       |
|         |                        |                                | Warn: containerImage not pinned by hash: operator/docker/Dockerfile.operator:9 Warn: containerImage                     |                                                                                                                       |
|         |                        |                                | not pinned by hash: operator/docker/Dockerfile.operator:12 Warn: containerImage not pinned by hash:                     |                                                                                                                       |
|         |                        |                                | operator/docker/Dockerfile.operator:16 Warn: containerImage not pinned by hash: pilot/docker/Dockerfile.pilot:9         |                                                                                                                       |
|         |                        |                                | Warn: containerImage not pinned by hash: pilot/docker/Dockerfile.pilot:12 Warn: containerImage not pinned by hash:      |                                                                                                                       |
|         |                        |                                | pilot/docker/Dockerfile.pilot:16 Warn: containerImage not pinned by hash: pilot/docker/Dockerfile.proxyv2:9 Warn:       |                                                                                                                       |
|         |                        |                                | containerImage not pinned by hash: pilot/docker/Dockerfile.proxyv2:12 Warn: containerImage not pinned by hash:          |                                                                                                                       |
|         |                        |                                | pilot/docker/Dockerfile.proxyv2:16 Warn: containerImage not pinned by hash: pilot/docker/Dockerfile.ztunnel:9 Warn:     |                                                                                                                       |
|         |                        |                                | containerImage not pinned by hash: pilot/docker/Dockerfile.ztunnel:12 Warn: containerImage not pinned by hash:          |                                                                                                                       |
|         |                        |                                | pilot/docker/Dockerfile.ztunnel:16 Warn: containerImage not pinned by hash: pkg/test/echo/docker/Dockerfile.app:4       |                                                                                                                       |
|         |                        |                                | Warn: containerImage not pinned by hash: pkg/test/echo/docker/Dockerfile.app_sidecar:6 Warn: containerImage             |                                                                                                                       |
|         |                        |                                | not pinned by hash: pkg/test/echo/docker/Dockerfile.app_sidecar_base:3 Warn: containerImage not pinned                  |                                                                                                                       |
|         |                        |                                | by hash: pkg/test/echo/docker/Dockerfile.app_sidecar_base_centos:3 Warn: containerImage not pinned                      |                                                                                                                       |
|         |                        |                                | by hash: pkg/test/echo/docker/Dockerfile.app_sidecar_centos_8:6 Warn: containerImage not pinned by                      |                                                                                                                       |
|         |                        |                                | hash: samples/bookinfo/src/details/Dockerfile:15: pin your Docker image by updating ruby:3.3.0-slim to                  |                                                                                                                       |
|         |                        |                                | ruby:3.3.0-slim@sha256:d19b39b55078ce9d52c6c6f5ab2aee41b17bee4e18c0bfc734eceaa6f7972c1c Warn: containerImage            |                                                                                                                       |
|         |                        |                                | not pinned by hash: samples/bookinfo/src/mongodb/Dockerfile:15: pin your Docker image by updating mongo:7.0.5           |                                                                                                                       |
|         |                        |                                | to mongo:7.0.5@sha256:5a54d0323fe207d15dc48773a7b9e7e519f83ad94a19c2ddac201d7aae109eb1 Warn: containerImage             |                                                                                                                       |
|         |                        |                                | not pinned by hash: samples/bookinfo/src/mysql/Dockerfile:15: pin your Docker image by updating mysql:8.3.0             |                                                                                                                       |
|         |                        |                                | to mysql:8.3.0@sha256:9de9d54fecee6253130e65154b930978b1fcc336bcc86dfd06e89b72a2588ebe Warn: containerImage             |                                                                                                                       |
|         |                        |                                | not pinned by hash: samples/bookinfo/src/productpage/Dockerfile:15: pin your Docker image by updating                   |                                                                                                                       |
|         |                        |                                | python:3.12.1-slim to python:3.12.1-slim@sha256:a64ac5be6928c6a94f00b16e09cdf3ba3edd44452d10ffa4516a58004873573e        |                                                                                                                       |
|         |                        |                                | Warn: containerImage not pinned by hash: samples/bookinfo/src/ratings/Dockerfile:15: pin your Docker image by           |                                                                                                                       |
|         |                        |                                | updating node:21.6-slim to node:21.6-slim@sha256:2254c337b6f7a239620b3876f8d941c65b7834fb38cdf137decc6191a73502bf       |                                                                                                                       |
|         |                        |                                | Warn: containerImage not pinned by hash: samples/bookinfo/src/reviews/Dockerfile:15                                     |                                                                                                                       |
|         |                        |                                | Warn: containerImage not pinned by hash: samples/bookinfo/src/reviews/Dockerfile:24:                                    |                                                                                                                       |
|         |                        |                                | pin your Docker image by updating open-liberty:24.0.0.1-kernel-slim-java17-openj9 to                                    |                                                                                                                       |
|         |                        |                                | open-liberty:24.0.0.1-kernel-slim-java17-openj9@sha256:319577e61b49a562e87ac674a1b9dfa469a1df5278b312276c8dd2f119953be4 |                                                                                                                       |
|         |                        |                                | Warn: containerImage not pinned by hash: samples/extauthz/docker/Dockerfile:4 Warn: containerImage not                  |                                                                                                                       |
|         |                        |                                | pinned by hash: samples/helloworld/src/Dockerfile:15: pin your Docker image by updating python:3.12.1-slim              |                                                                                                                       |
|         |                        |                                | to python:3.12.1-slim@sha256:a64ac5be6928c6a94f00b16e09cdf3ba3edd44452d10ffa4516a58004873573e                           |                                                                                                                       |
|         |                        |                                | Warn: containerImage not pinned by hash: samples/jwt-server/src/Dockerfile:16 Warn: containerImage                      |                                                                                                                       |
|         |                        |                                | not pinned by hash: samples/tcp-echo/src/Dockerfile:16 Warn: containerImage not pinned                                  |                                                                                                                       |
|         |                        |                                | by hash: tests/fuzz/Dockerfile.fuzz:14: pin your Docker image by updating golang:1.15 to                                |                                                                                                                       |
|         |                        |                                | golang:1.15@sha256:ea080cc817b02a946461d42c02891bf750e3916c52f7ea8187bccde8f312b59f Warn: containerImage not            |                                                                                                                       |
|         |                        |                                | pinned by hash: tests/integration/security/fuzz/backends/tomcat/Dockerfile:1: pin your Docker image by updating         |                                                                                                                       |
|         |                        |                                | tomcat:jdk16-openjdk to tomcat:jdk16-openjdk@sha256:06894e19b914a4e491580d54091ac248d53b0c4c474ff9e55e97e27d9adb45d5    |                                                                                                                       |
|         |                        |                                | Warn: containerImage not pinned by hash: tests/integration/security/fuzz/fuzzers/dotdotpwn/Dockerfile:1:                |                                                                                                                       |
|         |                        |                                | pin your Docker image by updating perl:5.32.1 to                                                                        |                                                                                                                       |
|         |                        |                                | perl:5.32.1@sha256:0878b332b373da22b2128db1251ab5eea32adce7b36eb6e41a7f71b42374a943 Warn: containerImage not pinned     |                                                                                                                       |
|         |                        |                                | by hash: tests/integration/security/fuzz/fuzzers/jwt_tool/Dockerfile:1: pin your Docker image by updating python:3 to   |                                                                                                                       |
|         |                        |                                | python:3@sha256:f6d04873f0a67146854270e5f6513ed5e0165557c1b10689f1a20e9e65c8fe8e Warn: npmCommand not pinned by hash:   |                                                                                                                       |
|         |                        |                                | samples/bookinfo/src/ratings/Dockerfile:28 Warn: goCommand not pinned by hash: tests/fuzz/Dockerfile.fuzz:26-28 Warn:   |                                                                                                                       |
|         |                        |                                | pipCommand not pinned by hash: tests/integration/security/fuzz/fuzzers/jwt_tool/Dockerfile:11 Info:   2 out of   3      |                                                                                                                       |
|         |                        |                                | goCommand dependencies pinned Info:   3 out of  41 containerImage dependencies pinned Info:   3 out of   4 pipCommand   |                                                                                                                       |
|         |                        |                                | dependencies pinned Info:   0 out of   1 npmCommand dependencies pinned                                                 |                                                                                                                       |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | SAST                   | SAST tool is not run on all    | Warn: 0 commits out of 30 are                                                                                           | https://github.com/ossf/scorecard/blob/309b48b9fd4114d8a7e3d9d4b65bd7862e042e02/docs/checks.md#sast                   |
|         |                        | commits -- score normalized to | checked with a SAST tool                                                                                                |                                                                                                                       |
|         |                        | 0                              |                                                                                                                         |                                                                                                                       |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Security-Policy        | security policy file detected  | Info: security                                                                                                          | https://github.com/ossf/scorecard/blob/309b48b9fd4114d8a7e3d9d4b65bd7862e042e02/docs/checks.md#security-policy        |
|         |                        |                                | policy file detected:                                                                                                   |                                                                                                                       |
|         |                        |                                | .github/SECURITY.md:1                                                                                                   |                                                                                                                       |
|         |                        |                                | Info: Found linked content:                                                                                             |                                                                                                                       |
|         |                        |                                | .github/SECURITY.md:1                                                                                                   |                                                                                                                       |
|         |                        |                                | Info: Found disclosure,                                                                                                 |                                                                                                                       |
|         |                        |                                | vulnerability, and/or                                                                                                   |                                                                                                                       |
|         |                        |                                | timelines in security policy:                                                                                           |                                                                                                                       |
|         |                        |                                | .github/SECURITY.md:1 Info:                                                                                             |                                                                                                                       |
|         |                        |                                | Found text in security policy:                                                                                          |                                                                                                                       |
|         |                        |                                | .github/SECURITY.md:1                                                                                                   |                                                                                                                       |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Signed-Releases        | Project has not signed or      | Warn: release artifact 1.22.1 not signed:                                                                               | https://github.com/ossf/scorecard/blob/309b48b9fd4114d8a7e3d9d4b65bd7862e042e02/docs/checks.md#signed-releases        |
|         |                        | included provenance with any   | https://api.github.com/repos/istio/istio/releases/158886113                                                             |                                                                                                                       |
|         |                        | releases.                      | Warn: release artifact 1.21.3 not signed:                                                                               |                                                                                                                       |
|         |                        |                                | https://api.github.com/repos/istio/istio/releases/158886298                                                             |                                                                                                                       |
|         |                        |                                | Warn: release artifact 1.20.7 not signed:                                                                               |                                                                                                                       |
|         |                        |                                | https://api.github.com/repos/istio/istio/releases/158886131                                                             |                                                                                                                       |
|         |                        |                                | Warn: release artifact 1.22.0 not signed:                                                                               |                                                                                                                       |
|         |                        |                                | https://api.github.com/repos/istio/istio/releases/155591333                                                             |                                                                                                                       |
|         |                        |                                | Warn: release artifact 1.22.0-rc.0 not signed:                                                                          |                                                                                                                       |
|         |                        |                                | https://api.github.com/repos/istio/istio/releases/155043179                                                             |                                                                                                                       |
|         |                        |                                | Warn: release artifact 1.22.1 does not have provenance:                                                                 |                                                                                                                       |
|         |                        |                                | https://api.github.com/repos/istio/istio/releases/158886113                                                             |                                                                                                                       |
|         |                        |                                | Warn: release artifact 1.21.3 does not have provenance:                                                                 |                                                                                                                       |
|         |                        |                                | https://api.github.com/repos/istio/istio/releases/158886298                                                             |                                                                                                                       |
|         |                        |                                | Warn: release artifact 1.20.7 does not have provenance:                                                                 |                                                                                                                       |
|         |                        |                                | https://api.github.com/repos/istio/istio/releases/158886131                                                             |                                                                                                                       |
|         |                        |                                | Warn: release artifact 1.22.0 does not have provenance:                                                                 |                                                                                                                       |
|         |                        |                                | https://api.github.com/repos/istio/istio/releases/155591333                                                             |                                                                                                                       |
|         |                        |                                | Warn: release artifact 1.22.0-rc.0                                                                                      |                                                                                                                       |
|         |                        |                                | does not have provenance:                                                                                               |                                                                                                                       |
|         |                        |                                | https://api.github.com/repos/istio/istio/releases/155043179                                                             |                                                                                                                       |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Token-Permissions      | No tokens found                |                                                                                                                         | https://github.com/ossf/scorecard/blob/309b48b9fd4114d8a7e3d9d4b65bd7862e042e02/docs/checks.md#token-permissions      |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities        | 0 existing vulnerabilities     |                                                                                                                         | https://github.com/ossf/scorecard/blob/309b48b9fd4114d8a7e3d9d4b65bd7862e042e02/docs/checks.md#vulnerabilities        |
|         |                        | detected                       |                                                                                                                         |                                                                                                                       |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|

Rest are 10/10