Enable OpenSSF Scorecard Action
joycebrum opened this issue · comments
Hi again, I'd like to suggest the adoption of the OpenSSF Scorecard Action. It is a tool developed by the Open Source Security Foundation that analyses the project looking for possible improvements regarding supply-chain security practices.
It generates warnings with the findings that (optionally) can be seen in the security dashboard. The project's score can also be optionally shared through a badge.
Let me know if you are interested in the tool and I can submit a PR configuring it.
Thanks!
@joycebrum I'm happy to try out this tool, if you supply a PR configuring it that'd be great 🙇
How does this tool work? Can you put me through it?
Sure! It uses the GitHub APIs and GraphQL to gather information about the project and understand possible improvements considering a set of criteria.
These criteria are ways to mitigate known supply-chain attack vectors.
The tool is an Open Source Security Foundation initiative to fight the increase in supply-chain attack incidents.