Open wlandau opened 2 weeks ago
This is a great question. :sweat_smile: (I'm no security expert at all)
@tylfin mentioned OSV-Scanner as a possible resource (cf. https://github.com/rconsortium/r-advisory-database). Apparently we can run it at the level of a whole universe to detect R packages with vulnerabilities or malware.
The group's opinion from today's meeting was that GitHub security scanning and Dependabot are heavy-handed and might not be very effective.
Discussed in https://github.com/r-multiverse/help/discussions/76
I really hope we can delegate to GitHub to handle this. Maybe we require the standard security scanning features to be enabled? @jeroen, @shikokuchuo, @maelle, would that be enough?
What about packages hosted on GitLab? If GitLab doesn't have enough built-in security, maybe we require manual review for those packages, and the bot reminds reviewers to run some sort of ad hoc security scan (not sure what is possible on that front).
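To make the OSV-Scanner suggestion above concrete, here is an added example (not code from this thread or from the r-multiverse project) of the lookup OSV-Scanner performs: it turns a set of R package name/version pairs, read from an renv.lock-style JSON document, into a request for OSV.dev's /v1/querybatch endpoint and maps the reply back to the packages that have advisories. The lock file contents, the package versions and the advisory ID "EXAMPLE-0001" are constructed sample data; "CRAN" is assumed to be the OSV ecosystem string under which the R advisory database publishes (Bioconductor packages use their own). The network call is kept in its own function so the rest runs offline.

```python
"""Added example: build an OSV.dev batch query for R packages and read the reply.
Sample lock file and response below are constructed, not real advisories."""
import json
import urllib.request
from typing import Dict, List

OSV_BATCH_URL = "https://api.osv.dev/v1/querybatch"

# Constructed renv.lock-style input (two packages, versions chosen for illustration only).
SAMPLE_RENV_LOCK = json.dumps({
    "R": {"Version": "4.3.2"},
    "Packages": {
        "commonmark": {"Package": "commonmark", "Version": "1.9.0", "Source": "Repository"},
        "readxl": {"Package": "readxl", "Version": "1.4.3", "Source": "Repository"},
    },
})

# Constructed reply in the shape /v1/querybatch returns: one entry per query, in order,
# each either {} or {"vulns": [{"id": ..., "modified": ...}, ...]}. The ID is a placeholder.
SAMPLE_RESPONSE = {
    "results": [
        {"vulns": [{"id": "EXAMPLE-0001", "modified": "2024-01-01T00:00:00Z"}]},
        {},
    ]
}


def packages_from_renv_lock(lock_text: str) -> Dict[str, str]:
    """Return {package name: version} from an renv.lock document ("Packages" object)."""
    lock = json.loads(lock_text)
    return {
        name: rec["Version"]
        for name, rec in lock.get("Packages", {}).items()
        if "Version" in rec
    }


def build_querybatch(packages: Dict[str, str], ecosystem: str = "CRAN") -> dict:
    """Build the JSON body for /v1/querybatch: one query per package@version.
    Queries are emitted in sorted name order so replies can be matched by position."""
    queries = [
        {"package": {"name": name, "ecosystem": ecosystem}, "version": version}
        for name, version in sorted(packages.items())
    ]
    return {"queries": queries}


def affected_packages(query_body: dict, response_body: dict) -> Dict[str, List[str]]:
    """Zip the positional batch results back onto package names.
    Only packages with at least one advisory ID are returned."""
    results = response_body.get("results", [])
    hits: Dict[str, List[str]] = {}
    for query, result in zip(query_body["queries"], results):
        ids = [v["id"] for v in result.get("vulns", []) if "id" in v]
        if ids:
            hits[query["package"]["name"]] = ids
    return hits


def post_querybatch(query_body: dict, url: str = OSV_BATCH_URL, timeout: float = 30.0) -> dict:
    """Send the batch query to OSV.dev (network; not exercised offline)."""
    data = json.dumps(query_body).encode("utf-8")
    req = urllib.request.Request(url, data=data, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    pkgs = packages_from_renv_lock(SAMPLE_RENV_LOCK)
    body = build_querybatch(pkgs)
    # Offline demo against the constructed reply; swap in post_querybatch(body) to query OSV.dev.
    for name, ids in affected_packages(body, SAMPLE_RESPONSE).items():
        print(f"{name} {pkgs[name]}: {', '.join(ids)}")
```

For a whole universe one would concatenate every package's name and version into one dict (the batch endpoint accepts many queries per request), then fetch details for each returned ID from /v1/vulns/{id} before deciding whether to block a package; the batch reply only carries IDs and modification times.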