-
Notifications
You must be signed in to change notification settings - Fork 61
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add OSSF Scorecard GitHub Action to OSPO GitHub Actions #84
Comments
Outstanding question from @zkoppert:
🤔 |
It would be cool if we could automatically open an issue when the scorecard goes below some threshold. |
One of our biggest issues is pip dependencies not hashed. A good solution to this is moving to pipenv aka I'm testing this move in github/stale-repos#132 I've found two issues though:
|
Relates to github/github-ospo#84 Relates to github/github-ospo#95 - [x] setup OSSF scorecard github action - [x] setup OSSF scorecard readme badge - [x] change current GitHub Actions to use SHAs instead of tags Signed-off-by: jmeridth <[email protected]>
Relates to github/github-ospo#84 Relates to github/github-ospo#95 - [x] setup OSSF scorecard github action - [x] setup OSSF scorecard readme badge - [x] change current GitHub Actions to use SHAs instead of tags Signed-off-by: jmeridth <[email protected]>
Relates to github/github-ospo#84 Relates to github/github-ospo#95 - [x] setup OSSF scorecard github action - [x] setup OSSF scorecard readme badge - [x] change current GitHub Actions to use SHAs instead of tags Signed-off-by: jmeridth <[email protected]>
Relates to github/github-ospo#84 Relates to github/github-ospo#95 - [x] setup OSSF scorecard github action - [x] setup OSSF scorecard readme badge - [x] change current GitHub Actions to use SHAs instead of tags Signed-off-by: jmeridth <[email protected]>
Relates to github/github-ospo#84 Relates to github/github-ospo#95 - [x] setup OSSF scorecard github action - [x] setup OSSF scorecard readme badge - [x] change current GitHub Actions to use SHAs instead of tags Signed-off-by: jmeridth <[email protected]>
Relates to github/github-ospo#84 Relates to github/github-ospo#95 - [x] setup OSSF scorecard github action - [x] setup OSSF scorecard readme badge - [x] change current GitHub Actions to use SHAs instead of tags Signed-off-by: jmeridth <[email protected]>
Relates to github/github-ospo#84 Relates to github/github-ospo#95 - [x] setup OSSF scorecard github action - [x] setup OSSF scorecard readme badge - [x] change current GitHub Actions to use SHAs instead of tags Signed-off-by: jmeridth <[email protected]>
Relates to github/github-ospo#84 Relates to github/github-ospo#95 - [x] setup OSSF scorecard github action - [x] setup OSSF scorecard readme badge - [x] change current GitHub Actions to use SHAs instead of tags Signed-off-by: jmeridth <[email protected]>
This is complete. We will iterate through the remediations. |
Is your feature request related to a problem?
No visibilty of supply chain security in our GitHub Actions
Related OSPO Tool
automatic-contrib-prs GitHub Action, cleanowners GitHub Action, contributors GitHub Action, evergreen GitHub Action, issues-metrics GitHub Action, stale-repos GitHub Action
Describe the solution you'd like
Summary
Add the OSSF Scorecard GitHub Action so we can have automated supply chain security detection. Allows us to add badge to README to show users we are using open source security tooling.
Corresponding Work
Add Tasks that ladder up to this batch
Dependencies
OSSF Scorecard GitHub Action
Supporting Documentation
OSSF Scorecard GitHub Action
Describe alternatives you've considered
No response
Additional context
No response
The text was updated successfully, but these errors were encountered: