Open AugustinMauroy opened 3 months ago
Seems a bit low priority, given what it provides us and we don't have a lot of dependencies.
I think you misunderstood what OpenSSF Scorecard is. It's not a dependency analyser, it's a project analyser like CodeQL. It takes a look at whether someone pushes commits directly to main, whether there is a CI, whether releases are signed ...
Ok, I'll take a look at adding it then and see if we find it useful.
@bjosv Is this what you did in some other projects?
Yes, I'm currently looking into OpenSSF's suggestions and I see there are good suggestions that we can easily fix in valkey's CI workflows. I can fix those in a PR, but then there are other improvements, like branch protection, that you maintainers need to configure in the project settings.
I ran OpenSSF's tool on the project and the current scorecard is not bad: Aggregate score: 7.0 / 10, but it will be improved by the fixes.
There is a GitHub Action to automatically get the score.
Here is a list of compiler warnings (and more) to use specifically for C:
https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++
We can add the easy ones without any problem. Contributions are welcome.
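To make the "easy ones" concrete, here is an added example (written for this thread, not code from the valkey repository) of a CI job that builds with the option set from the linked guide. The flag list is taken from that guide; the job name, the `make` invocation and the use of GitHub Actions as the CI are assumptions, and each flag is commented with the reason it is there so the ones that do not yet fit the code base can be dropped individually.

```yaml
# .github/workflows/hardened-build.yml (example, not the project's own file)
name: Hardened build

on: [push, pull_request]

permissions:
  contents: read

jobs:
  build-hardened:
    runs-on: ubuntu-latest
    env:
      # Compile-time options from the OpenSSF C/C++ hardening guide.
      CFLAGS: >-
        -O2
        -Wall -Wformat -Wformat=2 -Werror=format-security
        -Wimplicit-fallthrough
        -Wconversion
        -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3
        -fstack-protector-strong
        -fstack-clash-protection
        -fcf-protection=full
        -fno-strict-overflow -fno-delete-null-pointer-checks -fno-strict-aliasing
        -ftrivial-auto-var-init=zero
        -fstrict-flex-arrays=3
        -fPIE
      # Link-time options: PIE for ASLR, no executable stack, full RELRO.
      LDFLAGS: >-
        -pie
        -Wl,-z,noexecstack
        -Wl,-z,relro -Wl,-z,now
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      # Passing the flags on the make command line overrides the Makefile defaults
      # (assumes the build honours CFLAGS/LDFLAGS; adjust for the real build system).
      - name: Build with hardening flags
        run: make -j"$(nproc)" CFLAGS="$CFLAGS" LDFLAGS="$LDFLAGS"

      # Compile-only sanity check that the flags are accepted by this toolchain.
      - name: Verify the toolchain accepts the flags
        run: |
          printf 'int main(void){return 0;}\n' > /tmp/probe.c
          cc $CFLAGS -c /tmp/probe.c -o /tmp/probe.o
```

Ordering matters when deciding which are "easy": the `-W*` warnings, `_FORTIFY_SOURCE`, the stack protector and RELRO/`noexecstack` are usually drop-in; `-Wconversion` tends to produce a large volume of warnings in an existing C code base and is best introduced without `-Werror`; `-fstrict-flex-arrays=3` and `-ftrivial-auto-var-init=zero` need a recent GCC or Clang, and `-fcf-protection=full` is x86-specific (the guide lists `-mbranch-protection=standard` as the AArch64 counterpart), so a CI matrix that spans compilers and architectures should gate those per target. The guide also lists `-Wl,-z,nodlopen`; it is deliberately left out here because it is meant for shared objects and a server that loads modules via `dlopen()` must not apply it to them.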
We should add CI + badge for OpenSSF Scorecard in this repo and continue on the other repos.
OpenSSF Scorecard is a super tool made by the OpenSSF to give a security score to a repo.
Best Practices gives a tier for the good open source practices the project has accomplished.