oss-review-toolkit / ort-governance

Outline how the ORT project is governed (includes the project's charter).
Creative Commons Attribution 4.0 International

Use LFX Security Platform #13

Open tsteenbe opened 3 years ago

tsteenbe commented 3 years ago

ORT could also apply LFX Security Platform. To do so, we need to provide the data below:

ributors of your team who can also benefit from fund raise) -> Contributor Name + Contributor Email for each core contributor

LFX Security Platform decisions to be made by ORT TSC:

  1. Do we also want to apply LF Security Platform? (Get Snyk scans for ORT) If yes, then:
     A. What is our project color?
     B. In which category do we want to be listed? Dependency Management or ...?
     C. What is our elevator pitch?
     D. Do we want to apply for a CII badge?

sschuberth commented 3 years ago

In a video call this morning I learned from @ShubhraKar that LFX is not only about security, but also about Insights. I've enrolled ORT to get some nice statistics and visibility on the LFX platform.

Regarding security, I guess nothing speaks against signing up to that service, too. I also learned that Snyk seems to provide special conditions to LF projects in general, not just LFX, so we should check with @ShubhraKar to integrate Snyk into ORT as an advisor.

sschuberth commented 3 years ago

FYI, LFX Security on-boarding is tracked via https://jira.linuxfoundation.org/browse/LFXSEC-274. LFX Insights on-boarding is tracked via https://jira.linuxfoundation.org/plugins/servlet/theme/portal/4/SUPPORT-3923.

sschuberth commented 3 years ago

The Insights page for ORT is live: https://insights.lfx.linuxfoundation.org/projects/act%2Fort/dashboard