Skip to content
GitLab
Closed
Issue created by Administrator@rootContributor2 of 2 checklist items completed2/2 checklist items

Enable OpenSSF Scorecard Github Action and Badge

Created by: joycebrum

Prerequisites

Proposal

Hi, I'm Joyce from Google and I'm working on behalf of the Open Source Security Foundation (OpenSSF) to help essential open-source projects improve their supply-chain security.

The OpenSSF has developed, in partnership with GitHub, a tool called Scorecards. Scorecards runs dozens of automated security checks to help maintainers better understand their project's supply-chain security posture.

I would like to suggest the adoption of the Scorecard GitHub Action, which was developed by the OpenSSF to make it easier to run the Scorecard checks on projects hosted in Github. The action is very lightweight and runs on every change to the repository's main branch.

Motivation and context

The results of the Scorecard's checks are available on the project's security dashboard, and include suggestions on how to solve any issues (see examples below). The Action does not run or interact with any workflows, but merely parses them to identify possible vulnerabilities. This Action has been adopted by 1800+ projects already, having some prominent users like Tensorflow, Angular, Flutter, sos.dev and deps.dev.

The Bootstrap project is already following most of the supply-chain security best practices (the top 6.6% greatest scorecard scores), but the Scorecard would still help to track other security posture improvements, to guarantee the already followed ones would still be followed, to be up to date to new security best practices since Scorecard is in continuous improvement and, if you opted for the badge, it would also show to the users the project's commitment to security best practices.

Would you be interested in a PR which adds this Action? Optionally, it can also publish your results to the OpenSSF REST API, which allows the previously mentioned badge with the project's score to be added to the README file.

In case of doubts or concerns you can check out the Scorecards FAQ. Anyway, feel free to reach me out.

Code scanning dashboard with multiple alerts, including Code-Review and Token-Permissions

Detail of a Token-Permissions alert, indicating the specific file and remediation steps