Add Scorecard Action #1400
Thanks for the PR. I'd prefer not to have the change to the README included, as the README is ready for an overhaul as it is, and would rather include it when we do that overhaul.
@diogoteles08 any thoughts as to why
Have added one follow-up case to improve the score: #1404
And #1405
This reverts commit 9976ad4.
Sure! Concerning Concerning Additionally, I'd add that even after adopting the action, the Branch Protection check will only be able to recognize some of the rules adopted, also because of a lack of permissions. This specific check will run 100% if you:
Now about the issue/PR you have raised to solve other Scorecard recommendations, way to go! 😃 Happy to see your engagement and wishing those improvements land well ^^
Thanks for doing this -- I would indeed like to include this stuff in the README sooner or later but we can do that when the time comes.
Sadly this doesn't run because the mozilla organization doesn't recognize "ossf" as a source of trusted GitHub Actions. I need to track down a Mozilla GitHub admin (good luck on that) and see if I can figure it out.
Or we take this as an incentive to move the rhino repo to the new rhino org 😎
Set up a scan for the Open Source Security Dashboard (see https://openssf.org/blog/2022/09/08/show-off-your-security-score-announcing-scorecards-badges/)
Oh that's unfortunate, hope you can track down the admin for that. Please let me know if I can be of any more help
Closes #1354
I also took the liberty of adding the Scorecard badge to your README. As I told you in the issue, Scorecard also has a customer-facing side that helps customers evaluate the security posture of packages they want to use. The badge is a great way to show off your hard work!
(as much as it can look like a "not so good" score, a 6.7 score is a great score! It puts mozilla/rhino among the top 10% of relevant projects 😄)
Anyway, if you'd rather not add the badge or put it somewhere else, let me know and I can work on that as well
Cheers