
[Feature Request] Add OpenSSF Scorecard information

Open heryxpc opened this issue 1 year ago • 0 comments

Title: Ingest OpenSSF scorecard information

Description: Create a new node OpenSSFScorecard with Github's scorecard checks for every project ingested. An OpenSSF scorecard is a series of checks that can be useful to surface the security posture of a project. See for example https://scorecard.dev/viewer/?uri=github.com/lyft/cartography
Checks can be used as an overall score or in an individual form, for example to determine if the project is actively maintained (which could reflect the cadence of security fixes).

The information can be queried using a public API, for example https://api.securityscorecards.dev/projects/github.com/lyft/cartography

This could be a separate intel module or a submodule from https://github.com/lyft/cartography/blob/master/cartography/intel/github

[optional Relevant Links:]
https://openssf.org/projects/scorecard/
https://openssf.org/blog/2024/04/17/beyond-scores-with-openssf-scorecard-granular-structured-results-for-custom-policy-enforcement/
https://api.securityscorecards.dev/

heryxpc avatar Aug 28 '24 12:08 heryxpc
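The following is an added example (not code from the issue author or from the cartography project) sketching what the requested ingestion would have to do: fetch a project's result from the public API named above, flatten it into a project record plus one record per check so a graph loader can upsert them idempotently, and evaluate a per-check policy such as "is the project actively maintained". The sample JSON is constructed, and the assumption is that the API result carries the top-level `score`, `repo`, `scorecard` and `checks[]` fields of the Scorecard result format, where a check score of -1 means the check was inconclusive; `fetch_scorecard` is a hypothetical helper that does a live request and is not used in the offline path.

```python
"""Flatten an OpenSSF Scorecard API result into loadable records and evaluate
a simple per-check policy. Added example; not cartography project code."""
import json
import urllib.request
from typing import Any, Optional

SCORECARD_API = "https://api.securityscorecards.dev/projects/"

# Constructed sample, shaped like the public API's JSON result (assumption:
# field names follow the Scorecard result format; the values are made up).
SAMPLE_RESPONSE = json.dumps({
    "date": "2024-08-26",
    "repo": {"name": "github.com/example/project", "commit": "0" * 40},
    "scorecard": {"version": "v5.0.0", "commit": "1" * 40},
    "score": 6.4,
    "checks": [
        {"name": "Maintained", "score": 10,
         "reason": "30 commit(s) and 5 issue activity found in the last 90 days",
         "details": None,
         "documentation": {"short": "Determines if the project is actively maintained.",
                           "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained"}},
        {"name": "Branch-Protection", "score": 3,
         "reason": "branch protection is not maximal on development and all release branches",
         "details": ["Warn: 'force pushes' enabled on branch 'main'"],
         "documentation": {"short": "Determines if the default and release branches are protected.",
                           "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection"}},
        {"name": "Pinned-Dependencies", "score": -1,
         "reason": "internal error: could not analyze workflow files",
         "details": None,
         "documentation": {"short": "Determines if the project pins dependencies.",
                           "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies"}},
    ],
})


def fetch_scorecard(repo: str, timeout: float = 10.0) -> str:
    """Hypothetical live fetch for a repo such as 'github.com/lyft/cartography'.
    Makes a network request; the offline path below uses SAMPLE_RESPONSE."""
    with urllib.request.urlopen(SCORECARD_API + repo, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_scorecard(raw: str) -> dict[str, Any]:
    """Flatten one result into a project record plus one record per check.
    Record ids combine repo name and check name so a loader can MERGE on them."""
    data = json.loads(raw)
    repo = data["repo"]["name"]
    project = {
        "id": repo,
        "score": data.get("score"),
        "date": data.get("date"),
        "repo_commit": data["repo"].get("commit"),
        "scorecard_version": data.get("scorecard", {}).get("version"),
    }
    checks = []
    for c in data.get("checks", []):
        checks.append({
            "id": f"{repo}#{c['name']}",
            "repo": repo,
            "name": c["name"],
            "score": c.get("score"),  # -1 means inconclusive; keep distinct from 0
            "reason": c.get("reason"),
            "details": c.get("details") or [],
            "doc_url": (c.get("documentation") or {}).get("url"),
        })
    return {"project": project, "checks": checks}


def check_score(parsed: dict[str, Any], name: str) -> Optional[int]:
    """Return the score of a named check, or None if the check is absent."""
    for c in parsed["checks"]:
        if c["name"] == name:
            return c["score"]
    return None


def evaluate_policy(parsed: dict[str, Any], min_scores: dict[str, int]) -> list[str]:
    """Return findings for checks below their required minimum. Missing or
    inconclusive checks are reported rather than silently treated as passing."""
    findings = []
    for name, minimum in min_scores.items():
        score = check_score(parsed, name)
        if score is None:
            findings.append(f"{name}: not present in scorecard")
        elif score < 0:
            findings.append(f"{name}: inconclusive (score {score})")
        elif score < minimum:
            findings.append(f"{name}: score {score} below required {minimum}")
    return findings


if __name__ == "__main__":
    result = parse_scorecard(SAMPLE_RESPONSE)
    print(json.dumps(result["project"], indent=2))
    policy = {"Maintained": 5, "Branch-Protection": 5,
              "Pinned-Dependencies": 5, "Vulnerabilities": 10}
    for finding in evaluate_policy(result, policy):
        print("FINDING:", finding)
```

The policy evaluation deliberately distinguishes three outcomes (absent check, inconclusive check, low score) because a loader that treats -1 or a missing check as "passed" would hide exactly the projects whose posture could not be assessed.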