zephyrproject-rtos / zephyr

Primary Git Repository for the Zephyr Project. Zephyr is a new generation, scalable, optimized, secure RTOS for multiple hardware architectures.
https://docs.zephyrproject.org
Apache License 2.0

Add OpenSSF Scorecard Action #50975

Open pnacht opened 1 year ago

pnacht commented 1 year ago

Is your enhancement proposal related to a problem? Please describe.

Open-source supply-chain attacks are increasing every year. Beyond the infamous SolarWinds and Codecov attacks, there have also been multiple smaller but significant supply-chain disruptions such as left-pad, colors/faker.js, coa/rc and ua-parser-js.

Describe the solution you'd like

I'm working on behalf of Google and the Open Source Security Foundation (also a Linux Foundation project) to help essential open-source projects improve their supply-chain security. Given Zephyr's significant position in the RTOS space, the OpenSSF has identified it as one of the 100 most critical open-source projects.

Would you consider adopting an OpenSSF tool called Scorecards? Scorecards runs dozens of automated security checks to help maintainers better understand their project's supply-chain security posture. It is developed by the OpenSSF, in partnership with GitHub.

I see Zephyr already has the OpenSSF Best Practices badge (gold, very nice!) and even created an entire project a while ago to get it to silver. It even had a PR to improve an aspect of the project's posture based on Scorecards feedback a while back (#47074).

However, to further assist in this effort, the OpenSSF has also developed the Scorecard GitHub Action. It effectively tries to perform a continuous monitoring of the project's security posture. This is in no way a replacement of your current Best Practices badge; the Action simply tries to objectively inform the project of possible improvements to its security posture.

The Action is very lightweight and runs on every change to the repository's main branch. The results of its checks are available on the project's security dashboard, and include suggestions on how to solve any issues (see examples below). The Action does not run or interact with any workflows, but merely parses them to identify possible vulnerabilities. This Action has been adopted by 1800+ projects already.

Would you be interested in a PR which adds this Action? Optionally, it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README.

Code scanning dashboard with multiple alerts, including Code-Review and Token-Permissions

Detail of a Token-Permissions alert, indicating the specific file and remediation steps
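For reference, a minimal workflow of the kind the proposal describes, added here as an illustration; it is not taken from this issue or from the linked PR. The action names and inputs (ossf/scorecard-action, github/codeql-action/upload-sarif, results_file, results_format, publish_results) are the documented ones; the workflow file name, the weekly cron schedule and the major-version tags are assumptions.

```yaml
# .github/workflows/scorecard.yml (assumed file name)
name: OpenSSF Scorecard

on:
  push:
    branches: [ main ]      # run on every change to the default branch
  schedule:
    - cron: '30 1 * * 6'    # assumed weekly re-run so the score reflects new checks

# Default to read-only; the job below widens only what it needs,
# which is exactly what the Token-Permissions check looks for.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # upload SARIF results to the code-scanning dashboard
      id-token: write          # OIDC token used only when publishing to the OpenSSF API
    steps:
      # In a real repository pin each action to a full commit SHA instead of a
      # tag; Scorecard's Pinned-Dependencies check flags tag references.
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          persist-credentials: false   # do not leave the GITHUB_TOKEN in .git/config

      - name: Run Scorecard
        uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true        # optional: feeds the public score/badge via the OpenSSF REST API

      - name: Upload results to code scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
```

Findings then appear as alerts under the repository's Security tab, each with the file and remediation steps shown in the screenshots above.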

nashif commented 1 year ago

Would you be interested in a PR which adds this Action? Optionally, it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README.

Sure, please submit a PR.

pnacht commented 1 year ago

@nashif please see the linked PR #52370.