From: "joycebrum (Joyce Brum)" <noreply@...>
Date: 2022-10-17T19:13:38+00:00
Subject: [ruby-core:110373] [Ruby master Feature#19066] Enable Scorecard Github Action

Issue #19066 has been reported by joycebrum (Joyce Brum).

----------------------------------------
Feature #19066: Enable Scorecard Github Action
https://bugs.ruby-lang.org/issues/19066

* Author: joycebrum (Joyce Brum)
* Status: Open
* Priority: Normal
----------------------------------------
Hi, I am Joyce and I'm working on behalf of Google and the [Open Source Security Foundation](https://openssf.org/) to help essential open-source projects improve their supply-chain security.

Would you consider adopting an OpenSSF tool called [Scorecards][sc]?

Scorecards runs dozens of automated security [checks][checks] to help maintainers better understand their project's supply-chain security posture. It is developed by the OpenSSF, [in partnership with GitHub][sc-blog].

Considering how widely the Ruby project is used, it is important to guarantee a good security posture for the project. The Scorecard tool can help you identify which security practices would improve the project's supply-chain security and what you have to do to accomplish them.

To simplify maintainers' lives, the OpenSSF has also developed the [Scorecard GitHub Action][sc-gha]. It is very lightweight and runs on every change to the repository's main branch. The results of its checks are available on the project's [security dashboard](https://github.com/ruby/ruby/security), and include suggestions on how to solve any issues (some examples are attached). The Action does not run or interact with any workflows, but merely parses them to identify possible vulnerabilities.

This Action has been adopted by 1800+ projects already, with some prominent users like [Tensorflow][tensorflow], [Angular][angular], [Flutter][flutter], [sos.dev][sos-dev] and [deps.dev][deps-dev].

Would you be interested in a PR which adds this Action?

Optionally, it can also publish your results to the OpenSSF REST API, which allows a [badge][badge] with the project's score to be added to its README.

In case of doubts or concerns you can check the [Scorecards FAQ][FAQ] or just reach out to me.

[badge]: https://openssf.org/blog/2022/09/08/show-off-your-security-score-announcing-scorecards-badges/
[checks]: https://github.com/ossf/scorecard#scorecard-checks
[sc]: https://github.com/ossf/scorecard
[sc-blog]: https://github.blog/2022-01-19-reducing-security-risk-oss-actions-opensff-scorecards-v4/
[sc-gha]: https://github.com/ossf/scorecard-action
[FAQ]: https://github.com/ossf/scorecard/blob/main/docs/faq.md#frequently-asked-questions
[img-security]: https://user-images.githubusercontent.com/15221358/190184391-84ca1844-259a-4b3b-9c86-74adadbea7f1.png
[img-detail]: https://user-images.githubusercontent.com/15221358/190184600-ee8d3b39-077e-416a-8711-1b5fb01cf0b3.png
[tensorflow]: https://github.com/tensorflow/tensorflow
[angular]: https://github.com/angular/angular
[flutter]: https://github.com/flutter/flutter
[sos-dev]: https://sos.dev/
[deps-dev]: https://deps.dev/

---Files--------------------------------
token-permission.png (571 KB)
security-dashboard.png (620 KB)

--
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>
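For readers weighing the PR the message offers, the shape of the workflow it would add is shown below. This is an added example, not part of the message and not a file from the ruby/ruby repository. It uses the documented inputs of ossf/scorecard-action (results_file, results_format, publish_results) and of github/codeql-action/upload-sarif (sarif_file); the version tags, the weekly cron schedule and the branch name (ruby/ruby's default branch is master) are assumptions. In a real workflow each action should be pinned to a full commit SHA rather than a tag, which is what Scorecard's own Pinned-Dependencies check looks for.

```yaml
# .github/workflows/scorecard.yml
# Added example, not the ruby/ruby project's own workflow.
# Version tags are assumptions; pin to full commit SHAs before merging.
name: Scorecard supply-chain security

on:
  push:
    branches: [ master ]          # ruby/ruby's default branch (assumed)
  schedule:
    - cron: '30 2 * * 1'          # weekly re-run so the score tracks newly added checks
  branch_protection_rule:         # re-evaluate when branch protection settings change

# Default for every job: a read-only GITHUB_TOKEN.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    # Grant write only where this job needs it, at job level, not workflow level.
    permissions:
      security-events: write      # needed to upload SARIF to the Security tab
      id-token: write             # needed for publish_results (OIDC-signed upload)
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config

      - uses: ossf/scorecard-action@v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
          # Optional: publish to the OpenSSF API so the README badge can be used.
          publish_results: true

      # Keep the raw SARIF for a few days so maintainers can inspect findings.
      - uses: actions/upload-artifact@v4
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Surface the findings on https://github.com/<owner>/<repo>/security/code-scanning
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

The read-only default token plus a job-scoped grant of exactly the two write scopes the upload steps need is the pattern the Token-Permissions check (the subject of the attached token-permission.png) rewards; a workflow-level `permissions: write-all` would be flagged instead. Nothing in this job executes the repository's other workflows: the Action reads the workflow files and repository metadata and emits a SARIF report, which the final step uploads to the security dashboard the message refers to.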