Add Scorecard for supply-chain security #37249
gabibguti asked this question in Ideas / Feature Requests (Unanswered, 2 comments)
Thanks @gabibguti! I've opened an internal ticket to review Scorecard further to see if it's something we would want to integrate into our processes.
Summary
Add Scorecard tool to identify supply-chain security improvements.
Motivation
Supply-chain attacks have been increasing over the last few years. The attacks aim to add malicious code to your project through build, release and other phases of development. To avoid future log4j cases, it's important to keep track of our project's supply-chain security. This can be done by ensuring the code is reviewed on PRs, binary files are avoided, branch protection is enabled, amongst other things.
In order to help identify supply-chain security improvements, the OSSF has created the Scorecard tool. Scorecard can be added as a GHA, which checks your project periodically and reports problems to your Security Dashboard.
Additional context
I'm Gabriela and I work on behalf of Google suggesting supply-chain improvements to open-source critical projects like gatsby.
If you consider adding Scorecard or have questions about supply-chain security, let me know!
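As an added example (not part of the original discussion and not the Gatsby project's own workflow), this is what "adding Scorecard as a GHA" looks like: a workflow that runs Scorecard on a schedule and on pushes to the default branch, then uploads the SARIF output so findings appear under the repository's Security tab. The branch name `main` and the action version tags are assumptions; the tags are placeholders to be replaced with reviewed commit SHAs, which is itself one of the practices Scorecard checks for.

```yaml
# Added example, not from the original post: run OSSF Scorecard in GitHub Actions
# and surface its findings as code scanning alerts on the Security tab.
# Assumptions: default branch is "main"; @vN tags below are placeholders,
# pin each action to a reviewed commit SHA before use.
name: Scorecard supply-chain analysis

on:
  # Re-run when branch protection settings change, since that is one of the checks.
  branch_protection_rule:
  schedule:
    - cron: '30 1 * * 6'   # weekly, Saturday 01:30 UTC
  push:
    branches: [ main ]

# Least privilege by default: the token gets read-only access unless a job asks for more.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # required to upload SARIF to code scanning
      id-token: write          # required only when publish_results is true
    steps:
      - name: Checkout code
        uses: actions/checkout@v4   # placeholder: pin to a commit SHA
        with:
          persist-credentials: false   # do not leave the token in the checkout

      - name: Run Scorecard
        uses: ossf/scorecard-action@v2   # placeholder: pin to a commit SHA
        with:
          results_file: results.sarif
          results_format: sarif
          # true publishes the score to the OSSF API (public badge); set false to keep it private.
          publish_results: true

      - name: Upload results to the Security tab
        uses: github/codeql-action/upload-sarif@v3   # placeholder: pin to a commit SHA
        with:
          sarif_file: results.sarif
```

Once the workflow has run, each failing check (Branch-Protection, Binary-Artifacts, Code-Review, Pinned-Dependencies and so on) shows up as a code scanning alert with the remediation text Scorecard attaches to it.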