As suggested by https://openssf.org/blog/2020/11/06/security-scorecards-for-open-source-projects/ add a scorecard: https://github.com/ossf/scorecard We can break this down into several sub-tasks: - [ ] Security-MD | Does the project contain a security policy? - [ ] Contributors | Does the project have contributors from at least two different organizations? - [ ] Frozen-Deps | Does the project declare and freeze dependencies? - [ ] Signed-Releases | Does the project cryptographically sign releases? - [ ] Signed-Tags | Does the project cryptographically sign release tags? - [ ] CI-Tests | Does the project run tests in CI? - [ ] Code-Review | Does the project require code review before code is merged? - [ ] CII-Best-Practices | Does the project have a CII Best Practices Badge? - [ ] Pull-Requests | Does the project use Pull Requests for all code changes? - [ ] Fuzzing | Does the project use OSS-Fuzz? - [ ] SAST | Does the project use static code analysis tools, e.g. CodeQL? - [ ] Active | Did the project get any commits and releases in last 90 days?
As suggested by
https://openssf.org/blog/2020/11/06/security-scorecards-for-open-source-projects/
add a scorecard:
https://github.com/ossf/scorecard
We can break this down into several sub-tasks: