Please consider adopting OpenSSF Scorecard #8856
Comments
Hi @another-rex, could you please elaborate more on what the exact ask is? Is the ask to improve the scores in those areas where ORT currently seems to perform low? If so, let me comment on some of these:
The ask is mostly to use the scorecard GitHub action https://scorecard.dev/#using-the-github-action to keep track of the score, and potentially put a scorecard badge with the score in your README: https://github.com/ossf/scorecard/blob/main/README.md#scorecard-badges. The idea is essentially letting potential users know whether the project roughly follows good practices, as a way to help users decide whether to make use of a project.
Thanks for the explanation! I think scorecard does a poor job of explaining the score range, but 6.6 is actually not bad! For example, other popular OSSF projects (e.g. Allstar) have 7.1. Scorecard tries to score for the general case, so scores like vulnerabilities don't really work for a project like this one with test vulnerabilities.
This complements the OpenSSF Best Practices badge. Resolves #8856. Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
I'm adding both the action and badge in #8860. @another-rex any idea why the badge shows a score of 6.1 when your manual run shows 6.6?
The reason the GitHub action score is a bit different is most likely because the scorecard-action has older dependencies compared to the main scorecard (the GitHub action's last release is May 20). A new release should be out soon for scorecard-action though.
Hello!
What is the feature you want to request?
OSV.dev is asking future additions to https://github.com/google/osv.dev?tab=readme-ov-file#third-party-tools-and-integrations to consider adopting OpenSSF Scorecard and as a part of that, we're also making the request of existing entrants.
We feel it helps boost the security credibility of the projects and products we're linking to.
Here are the results of a one-time run: