numpy / numpy

The fundamental package for scientific computing with Python.
https://numpy.org

ENH: Add the OpenSSF Scorecards GitHub Action #22476

Closed pnacht closed 1 year ago

pnacht commented 1 year ago

Proposed new feature or change:

Hi, I'm Pedro and I'm working for Google and the Open Source Security Foundation to help essential open-source projects improve their supply-chain security. Given that NumPy is, to quote the motto, "the fundamental package for scientific computing with Python," the OpenSSF has identified it as one of the 100 most critical open source projects.

NumPy has already collaborated with the OpenSSF in #20584 (shipping 2FA tokens to NumPy maintainers). Continuing our efforts to improve the security of open-source software, I'd like to suggest the adoption of a new OpenSSF tool, the Scorecards GitHub Action.

The Scorecards system runs dozens of automated security checks to help maintainers better understand their project's supply-chain security posture. It is developed by the OpenSSF, in partnership with GitHub.

The Action performs these checks automatically after every commit to the main branch. The results of its checks are available on the project's security dashboard, and include suggestions on how to solve any issues (see an example below). It's already been adopted by 1800+ projects, including TensorFlow, PyTorch, Angular, and Flutter.

Would you be interested in a PR which adds this Action? Optionally, it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README.

If you have any questions about Scorecards, you can check out its FAQ or just ask me!

Detail of a Token-Permissions alert, indicating the specific file and remediation steps

seberg commented 1 year ago

@pnacht yes, we were discussing trying it out to see how it is/goes. So a PR would be a great start for us, I think.

pnacht commented 1 year ago

@seberg I've submitted a PR which implements the Action. Happy to answer any questions or take any feedback!