PROCESS CHANGE: Integrate Scorecards V4 into Knative repos
Proposed: Integrate the OpenSSF Security Scorecards action into Knative repos.
Scope: github.com/knative/* and github.com/knative-sandbox/*
Exceptions: archived repos
Open question: what score does the Knative org aspire to, passing, silver or gold?
Benefits: Clarity on what needs to be done to reach best practices for secure OSS. Blocks some risky/bad submits. Achieving a higher score benefits knative adopters; low scores may impede knative adoption. Visibility to the knative community of issues, which might otherwise be public but not addressed by the knative project.
Costs: Enabling the action on a single repo is fairly easy; see instructions at the first link above. The main cost is in triaging and addressing the reported bugs.
Timeframe: Adding the action could be done in a day, so ASAP. Addressing the revealed issues: depends on the issue triage results and Knative's contributors' throughput.
Who? I'm not an admin, so I can't actually do the scorecards action integration.
Announcement blog posts: https://openssf.org/blog/2022/01/19/reducing-security-risks-in-open-source-software-at-scale-scorecards-launches-v4/ https://security.googleblog.com/2022/01/reducing-security-risks-in-open-source.html
Example metrics for knative/serving: Open SSF metrics
Is this still relevant?
/close
Closing this ticket after 2 years of no activity. Let's reopen if it becomes relevant again.
@aliok: Closing this issue.
In response to this:
/close
Closing this ticket after 2 years of no activity. Let's reopen if it becomes relevant again.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.