cartography

Add ossf scorecard

Open juju4 opened this issue 2 years ago • 4 comments

You will need to create a personal access token, as it only applies to master/main and registration must be done by the project owner. This supports supply chain risk assessment and auditing.

See also https://github.com/marketplace/actions/ossf-scorecard-action https://github.com/ossf/scorecard#using-scorecards-1 https://securityscorecards.dev/

juju4 avatar Nov 19 '22 18:11 juju4

Hi, what does this PR try to do? If it involves using a PAT then I don't think we will be able to merge it in.

achantavy avatar Dec 30 '22 19:12 achantavy

Please read the above links. This is to give trust to users that there is limited supply chain risk.

The PAT is up to the maintainer to set, as this can only apply to the default branch.

Examples with badges from https://github.com/search?q=Scorecards+supply-chain+security&type=commits https://github.com/PyCQA/pylint https://github.com/pandora-analysis/pandora

Trust that this kind of news can be avoided https://www.bleepingcomputer.com/news/security/pytorch-discloses-malicious-dependency-chain-compromise-over-holidays/

juju4 avatar Jan 07 '23 16:01 juju4

The OSSF Scorecard is a nice to have.

This change is basically the result of following the setup steps at https://github.com/marketplace/actions/ossf-scorecard-action

We can get this MR merged and then update the image SHA256 to latest.

chandanchowdhury avatar Jun 28 '24 03:06 chandanchowdhury

Note: This CI job runs once a week against the main branch (not for every MR or branch)

chandanchowdhury avatar Jun 28 '24 14:06 chandanchowdhury