Hey, I'm Diogo and I've raised the issues #139 and #142 contributing with some security enhancements. I'll happily continue contributing with such improvements (it's literally my job, see my profile), but this time I come to suggest the tool that I used myself to find those security issues.
I'd like to suggest that the project add the OpenSSF Scorecard Action. The OpenSSF Scorecard uses GitHub's public API to gather public informations about your project and runs a sort of "meta-analysis" of the project's security posture. The installed action would populate the project's Security Panel with possible improvements to its security posture. It's specially helpful to ensure you won't regress on the security measures you have already adopted 😄.
Additionally, the tool integrates with the OSV Scanner, which evaluates a project's transitive dependencies looking for known vulnerabilities.
Hey, I'm Diogo and I've raised the issues #139 and #142 contributing with some security enhancements. I'll happily continue contributing with such improvements (it's literally my job, see my profile), but this time I come to suggest the tool that I used myself to find those security issues.
I'd like to suggest that the project add the OpenSSF Scorecard Action. The OpenSSF Scorecard uses GitHub's public API to gather public informations about your project and runs a sort of "meta-analysis" of the project's security posture. The installed action would populate the project's Security Panel with possible improvements to its security posture. It's specially helpful to ensure you won't regress on the security measures you have already adopted 😄.
Additionally, the tool integrates with the OSV Scanner, which evaluates a project's transitive dependencies looking for known vulnerabilities.
This tool is developed by the OpenSSF in partnership with GitHub and it's already been adopted by 1800+ projects, including Tensorflow, PyTorch, Angular, and Flutter.
If you're interested, let me know and I'll send a PR!