Add the OpenSSF Scorecard Action
Hey, I'm Pedro and I'm working for Google and the OpenSSF to improve the supply-chain security of open-source projects. Given Ceph's popularity, the OpenSSF considers it one of the most critical open-source projects.
I'd like to offer the Scorecard GitHub Action, which scans the repository for potential improvements to its security posture. It does this via dozens of checks on repository configuration and by parsing workflow files. By running on every push, it identifies any potential regressions and offers actionable suggestions on how to improve the project's security posture.
I've seen Ceph is already working on the OpenSSF (formerly CII) Best Practices Program. Scorecards is simply another means by which the OpenSSF is trying to help projects improve their security.
Would you be interested in a PR to see the Action... in action?
I've attached a screenshot of how the Action presents its feedback.