Open lyndon160 opened 1 year ago
The security-insights-spec (OSSF) appears to specify a template for threat modelling, perhaps the scorecard could align to this.
Stale issue message - this issue will be closed in 7 days
This issue is stale because it has been open for 60 days with no activity.
Is your feature request related to a problem? Please describe.
The scorecard is a useful tool to 1) help maintainers follow best practice, but also 2) provide assurance for users of the software.
Currently threat modeling is not included as a check. The existence and maintenance of a threat model can be considered a best practice. It demonstrates the following:
Describe the solution you'd like
Threat model becomes a new scorecard check. This would assess both a threat model's presence, as well as how frequently it is reviewed/maintained.
Additional context
Whilst I see the addition of threat modeling as a value add, I can see a number of challenges to get the check working smoothly:
Despite these hurdles, I think there's value in agreeing on a file name, and assessing at least the presence of a model.
Happy to help with the implementation of this if it is deemed a worthy feature.
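A sketch of the proposed check, added here as an illustration and not code from the Scorecard project: it scores a repository on whether a threat model file is present and on how recently that file was last touched. The candidate file names, the day threshold and the tiered scoring are assumptions for the example; the real Scorecard checker API is not used.

```go
package main

import (
	"fmt"
	"path"
	"strings"
	"time"
)

// Candidate threat model file names, compared case-insensitively on the base
// name. Assumed for this example; the project has not agreed on a name.
var threatModelNames = []string{"threat_model.md", "threat-model.md", "threatmodel.md"}

// RepoFile is a file in the repository together with the date of the last
// commit that touched it (constructed sample input, not real repo data).
type RepoFile struct {
	Path         string
	LastModified time.Time
}

// ScoreThreatModel returns 0 when no threat model file is present, 5 when one
// is present but has not been touched within maxAgeDays, and 10 when it is
// present and recently maintained. The reason string explains the score.
func ScoreThreatModel(files []RepoFile, now time.Time, maxAgeDays int) (int, string) {
	for _, f := range files {
		name := strings.ToLower(path.Base(f.Path))
		for _, want := range threatModelNames {
			if name != want {
				continue
			}
			ageDays := int(now.Sub(f.LastModified).Hours() / 24)
			if ageDays > maxAgeDays {
				return 5, fmt.Sprintf("%s found but last touched %d days ago (limit %d)", f.Path, ageDays, maxAgeDays)
			}
			return 10, fmt.Sprintf("%s found and touched %d days ago", f.Path, ageDays)
		}
	}
	return 0, "no threat model file found"
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	repo := []RepoFile{ // constructed sample repository listing
		{Path: "README.md", LastModified: now.AddDate(0, 0, -3)},
		{Path: "docs/THREAT_MODEL.md", LastModified: now.AddDate(-1, -2, 0)},
	}
	score, reason := ScoreThreatModel(repo, now, 365)
	fmt.Printf("score=%d reason=%s\n", score, reason)
}
```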