Availability to help on security improvements, and proposal of Scorecards GitHub Action #38215
diogoteles08 started this conversation in Show and tell
Replies: 0 comments
What problem does this feature solve?
Hello!
(This will be an Issue with a purpose slightly different than the usual, so I already apologize if I don't follow the templates the best way.)
Given the current scenario of increasing attacks on the software supply chain, Google joined forces with the Open Source Security Foundation and hired me to work with important open-source projects and help increase their security, in any aspect or concern that might be relevant.
Reading a bit through the project history, I see that you are already concerned about security, and that is amazing! Your project got a 7.4 aggregated Scorecards score, and is thus among the 5.5% of critical projects with the highest score according to OpenSSF. However, there is still room for security improvement, and I want to help make your project an even better example for the OS community and contribute to raising the collective level of open-source security.
What does the proposed API look like?
Aside from making myself available for any help on security improvement, I would also like to propose the adoption of the Scorecards GitHub Action in your project. It would run the Scorecards checks (the same ones that gave the 7.4 score I mentioned above) on every change to your main branch. The result would help you easily track possible vulnerabilities and pending security items, and it also suggests fixes.
I'm available to create the PR if you are interested. Also please let me know if you have any further questions.
Thanks for the attention =)
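For readers unfamiliar with what the proposal amounts to in practice, here is an added example of the workflow file the Scorecards GitHub Action is driven by. It is not part of the discussion or of the project's own repository; it uses the published `ossf/scorecard-action` and `github/codeql-action/upload-sarif` actions with their documented inputs, and it assumes the default branch is named `main`. The cron time and the `@vN` version tags are illustrative: a real deployment would pin each action to a full commit SHA, which is also what Scorecard's own Pinned-Dependencies check looks for.

```yaml
# .github/workflows/scorecard.yml  (added example, not from the discussion)
# Runs the OpenSSF Scorecard checks on every push to the default branch, when
# branch protection rules change, and on a weekly schedule so that drift is
# caught even when no commits land. Results go to the repository's Security tab.
name: Scorecard supply-chain security

on:
  branch_protection_rule:
  push:
    branches: [ main ]        # assumption: the default branch is "main"
  schedule:
    - cron: '30 1 * * 6'      # illustrative weekly re-scan

# Least privilege at the workflow level; the job widens only what it needs.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # needed to upload SARIF to code scanning
      id-token: write         # needed for publish_results (OIDC token)
      contents: read
      actions: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4          # pin to a full SHA in production
        with:
          persist-credentials: false       # keep GITHUB_TOKEN out of .git/config

      - name: Run Scorecard analysis
        uses: ossf/scorecard-action@v2     # pin to a full SHA in production
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true            # exposes the score via the badge/API

      - name: Upload SARIF results to code scanning
        uses: github/codeql-action/upload-sarif@v3   # pin to a full SHA in production
        with:
          sarif_file: results.sarif
```

Once merged, each failing check shows up as a code-scanning alert with the remediation text Scorecard ships for it, which is the "suggesting fixes" part of the proposal; `publish_results: true` is what lets the public badge and the OpenSSF API report the repository's current score.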