Enable OpenSSF Scorecard Action and Badge #452
Comments
|
Hi Joyce! I’d not be interested in that until my feedback has been incorporated into the scorecard program; in particular, the current scorecard penalizes single-maintainer projects in a way that does nothing to increase security. In addition, using test fuzzing isn’t a best practice unless there’s a way to permanently preserve any failing test input to check for future regressions; and SAST seems like it should be satisfied by linting, which this project does. I’d be happy to discuss further in the OpenSSF Slack if you have any questions; my feedback was originally given while i was a Board member and it still hasn’t been acted upon. |
|
Hi @ljharb, thanks for the feedback, I'll keep an eye on scorecards updates for single maintainers to then bring up the discussion. |
Hi I am Joyce from Google and I'm working on behalf of the Open Source Security Foundation (OpenSSF) to help open source projects to improve their supply-chain security. Considering how qs project is widely used in both open source and private projects, the OpenSSF has identified it as one of the 100 most critical open source projects.
Would you consider adopting an OpenSSF tool, developed in partnership with GitHub, called Scorecards? Scorecards runs dozens of automated security checks to help maintainers better understand their project's supply-chain security posture.
The project already follow some of the best practices checked by the scorecard (CI Tests, Contributors, Security Police), but there are important security practices that could be adopted to improve the overall security of the project, such as SAST, Fuzzing, Dependency-Update Tool, etc.
To simplify maintainers' lives, the OpenSSF has also developed the Scorecard GitHub Action, which runs the Scorecards checks through github action on every change on the repository's main branch. It is very lightweight and publishes the result of its checks on the project's security dashboard and include suggestions on how to solve any issues (see examples bellow).
The Action does not run or interact with any workflows, but merely parses them to identify possible vulnerabilities. This Action has been adopted by 1800+ projects already, having some prominent users like Tensorflow, Angular, Flutter, sos.dev and deps.dev.
Would you be interested in a PR which adds this Action? Optionally, it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README.
In case of doubts or concerns you can try to check Scoreacrds FAQ. Anyway, feel free to reach me out.
The text was updated successfully, but these errors were encountered: