westes / flex

The Fast Lexical Analyzer - scanner generator for lexing in C and C++

Add Scorecard Action to monitor project's security posture

pnacht opened this issue · comments

Hey, it's Pedro and I'm back (see #563 and #582) with another security suggestion:

I detected the issues fixed by those PRs by using Scorecard. It's a tool that scans a repository looking for settings that may make the project more vulnerable to supply-chain threats.

It is also available as the Scorecard Action, which continuously monitors the repository and adds security suggestions directly to the project's Security Panel. In doing so, it can let you know if something accidentally lowers the project's security posture.

I'll send a PR along with this issue adding the Action.

Spoiler alert: flex's current score of 7.2/10 places it in the top 5% of projects important to the open-source ecosystem!

What's the code scanning part of the Security Panel look like? I see that the action is running on the Scorecard repo itself, but I get a 404 on its code-scanning page.

Edit: Nevermind, I see it's a page controlled by user/repo permissions.

Yeah, that page is only visible to maintainers. But here's an example of what it'll look like with Scorecard's results:

[Screenshot 2023-09-19 at 07 07 10: Scorecard results listed in the Security Panel]

Each of those items leads to a page that explains why each thing is important and how to remediate the issue. Here's an example:

[Screenshot 2023-09-09 at 13 41 06: remediation page for one Scorecard alert]

You can dismiss any alerts you believe don't apply or aren't reasonable/feasible for your project, and those alerts won't be raised again.