JakeChampion / fetch

A window.fetch JavaScript polyfill.

Home Page:http://github.github.io/fetch/


Enable OpenSSF Scorecard Action

joycebrum opened this issue · comments

Hi again, I'd like to suggest the adoption of the OpenSSF Scorecard Action. It is a tool developed by the Open Source Security Foundation that analyses the project looking for possible improvements regarding supply-chain security practices.

It generates warnings with the findings that (optionally) can be seen in the security dashboard. The project's score can also be optionally shared through a badge.

Let me know if you are interested in the tool and I can submit a PR configuring it.

Thanks!

@joycebrum I'm happy to try out this tool, if you supply a PR configuring it that'd be great 🙇

How does this tool work? Can you put me through it?

Sure! It uses the GitHub APIs and GraphQL to gather information about the project and understand possible improvements considering a set of criteria.

These criteria are ways to mitigate known supply-chain attack vectors.

The tool is an Open Source Security Foundation initiative to fight the increase in supply-chain attack incidents.