valkey-io / valkey

A new project to resume development on the formerly open-source Redis project. We're calling it Valkey, since it's a twist on the key-value datastore.
https://valkey.io

OpenSSF scorecard + openSSF best practice. #211

Open AugustinMauroy opened 3 months ago

AugustinMauroy commented 3 months ago

OpenSSF Scorecard is a super tool made by the OpenSSF to give a security score for a repo.

Best Practices gives a tier for the good open-source practices the project has accomplished.

madolson commented 3 months ago

Seems a bit low priority, given what it provides us and we don't have a lot of dependencies.

AugustinMauroy commented 3 months ago

> Seems a bit low priority, given what it provides us and we don't have a lot of dependencies.

I think you misunderstood what OpenSSF Scorecard is. It's not a dependency analyser, it's a project analyser like CodeQL. It takes a look at whether someone pushes commits directly to main, whether there is a CI, whether releases are signed ...

madolson commented 3 months ago

Ok, I'll take a look at adding it then and see if we find it useful.

zuiderkwast commented 3 months ago

@bjosv Is this what you did in some other projects?

bjosv commented 3 months ago

Yes, I'm currently looking into OpenSSF's suggestions and I see there are good suggestions that we can easily fix in Valkey's CI workflows. I can fix those in a PR, but then there are other improvements like branch protection that you maintainers need to configure in the project settings.

bjosv commented 3 months ago

I ran OpenSSF's tool on the project and the current scorecard is not bad: Aggregate score: 7.0 / 10, but it will be improved by the fixes.

AugustinMauroy commented 3 months ago

> I ran OpenSSF's tool on the project and the current scorecard is not bad: Aggregate score: 7.0 / 10, but it will be improved by the fixes.

There is a GitHub Action to automatically get the score.

zuiderkwast commented 2 months ago

Here are a bunch of compiler warnings (and more) to use specifically for C:

https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++

We can add the easy ones without any problem. Contributions are welcome.
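Putting the two suggestions in this thread together (the Scorecard GitHub Action mentioned a few comments up, and the OpenSSF compiler-hardening flags from the guide linked just above), here is an added example workflow. It is not Valkey's own CI and was not posted by any commenter; the file name, the `unstable` default branch, the action version tags, the choice of flags, and the assumption that the top-level `make` forwards `CFLAGS`/`LDFLAGS` to the compiler are all mine.

```yaml
# Added example, not Valkey's own workflow. Assumed path: .github/workflows/openssf.yml
name: OpenSSF checks

on:
  push:
    branches: [ "unstable" ]   # assumption: Valkey's default branch; adjust if it differs
  pull_request:
  schedule:
    - cron: '30 6 * * 1'       # weekly re-scan so the published score does not go stale
  branch_protection_rule:       # re-score when maintainers change branch protection

# Least privilege by default. Scorecard's Token-Permissions check flags workflows
# whose top-level GITHUB_TOKEN has write scopes.
permissions: read-all

jobs:
  scorecard:
    name: OpenSSF Scorecard
    runs-on: ubuntu-latest
    # publish_results needs id-token; uploading SARIF needs security-events.
    permissions:
      security-events: write
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token behind in .git/config

      - name: Run Scorecard
        # Scorecard's own Pinned-Dependencies check wants a full commit SHA here
        # instead of a version tag; tags are used in this example for readability.
        uses: ossf/scorecard-action@v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
          # Publishing is what backs the README badge served from
          # https://api.securityscorecards.dev/projects/github.com/<owner>/<repo>/badge
          publish_results: true

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

  hardened-build:
    name: Build with OpenSSF compiler hardening flags
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      # Flags from the OpenSSF C/C++ compiler hardening guide that current GCC and
      # Clang on x86-64 accept. Options needing a newer toolchain
      # (-fstrict-flex-arrays=3, -ftrivial-auto-var-init=zero, -fhardened) are left
      # out; probe the compiler for them before adding them.
      # Assumption: the top-level make appends CFLAGS/LDFLAGS to its own flags.
      - name: Build
        run: |
          make -j"$(nproc)" \
            CFLAGS="-O2 -Wall -Wformat -Wformat=2 -Werror=format-security \
                    -Wimplicit-fallthrough -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 \
                    -fstack-protector-strong -fstack-clash-protection \
                    -fno-strict-overflow -fno-delete-null-pointer-checks \
                    -fcf-protection=full -fPIE" \
            LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack"
```

Two things to expect from this: `-Werror=format-security` turns any `printf(buf)`-style call with a non-literal format string into a build failure, which is exactly what a separate CI job is for before the flags move into the default build; and `-D_FORTIFY_SOURCE=3` only does anything at `-O1` or above, so keep the `-O2`.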

AugustinMauroy commented 1 month ago

We should add CI + a badge for OpenSSF Scorecard in this repo and continue on the other repos.