Details
Type: Improvement
Resolution: Unresolved
Priority: Major
Description
There's been a large increase in supply-chain attacks. The OpenSSF defined logback as one of the most important open-source projects, and has developed the Scorecards system to help projects detect how they can improve their security posture. This is done via a series of checks on repository settings, workflow definitions, etc.
The OpenSSF has also released the Scorecards GitHub Action, which automates these checks. If any possible improvements are detected, they are sent to the project's security dashboard, along with actionable instructions for how to implement these changes (see image attached).
Would there be interest in a PR to implement this Action?
Disclaimer: I work for Google (an OpenSSF founding member), where my full-time role is to help open-source maintainers improve their security.