Enable OpenSSF Scorecard Github Action and Badge
Created by: joycebrum
Prerequisites
-
I have searched for duplicate or closed feature requests -
I have read the contributing guidelines
Proposal
Hi, I'm Joyce from Google and I'm working on behalf of the Open Source Security Foundation (OpenSSF) to help essential open-source projects improve their supply-chain security.
The OpenSSF has developed, in partnership with GitHub, a tool called Scorecards. Scorecards runs dozens of automated security checks to help maintainers better understand their project's supply-chain security posture.
I would like to suggest the adoption of the Scorecard GitHub Action, which was developed by the OpenSSF to make it easier to run the Scorecard checks on projects hosted in Github. The action is very lightweight and runs on every change to the repository's main branch.
Motivation and context
The results of the Scorecard's checks are available on the project's security dashboard, and include suggestions on how to solve any issues (see examples below). The Action does not run or interact with any workflows, but merely parses them to identify possible vulnerabilities. This Action has been adopted by 1800+ projects already, having some prominent users like Tensorflow, Angular, Flutter, sos.dev and deps.dev.
The Bootstrap project is already following most of the supply-chain security best practices (the top 6.6% greatest scorecard scores), but the Scorecard would still help to track other security posture improvements, to guarantee the already followed ones would still be followed, to be up to date to new security best practices since Scorecard is in continuous improvement and, if you opted for the badge, it would also show to the users the project's commitment to security best practices.
Would you be interested in a PR which adds this Action? Optionally, it can also publish your results to the OpenSSF REST API, which allows the previously mentioned badge with the project's score to be added to the README file.
In case of doubts or concerns you can check out the Scorecards FAQ. Anyway, feel free to reach me out.