
Feature #58010

Add the OpenSSF Scorecard Action

Added by Pedro Nacht 3 months ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
% Done: 0%
Source: -
Tags: -
Backport: -
Reviewed: -
Affected Versions: -
Pull request ID: -

Description

Hey, I'm Pedro and I'm working for Google and the OpenSSF to improve the supply-chain security of open-source projects. Given Ceph's popularity, the OpenSSF considers it one of the most critical open-source projects.

I'd like to offer the Scorecard GitHub Action, which scans the repository for potential improvements to its security posture. It does this via dozens of checks on repository configurations and parsing workflow files. By running on every push, it identifies any potential regressions and offers actionable suggestions on how to improve the project's security posture.

I've seen Ceph is already working on the OpenSSF (formerly CII) Best Practices Program. Scorecards is simply another means by which the OpenSSF is trying to help projects improve their security.

Would you be interested in a PR to see the Action... in action?

I've attached a screenshot of how the Action presents its feedback.

Attachment: scorecard-example.png (571 KB), Pedro Nacht, 11/11/2022 05:50 PM
