
Add OpenSSF Scorecard

Open StefanSchroeder opened this issue 5 years ago • 0 comments

As suggested by

https://openssf.org/blog/2020/11/06/security-scorecards-for-open-source-projects/

add a scorecard:

https://github.com/ossf/scorecard

We can break this down into several sub-tasks:

  • [ ] Security-MD | Does the project contain a security policy?
  • [ ] Contributors | Does the project have contributors from at least two different organizations?
  • [ ] Frozen-Deps | Does the project declare and freeze dependencies?
  • [ ] Signed-Releases | Does the project cryptographically sign releases?
  • [ ] Signed-Tags | Does the project cryptographically sign release tags?
  • [ ] CI-Tests | Does the project run tests in CI?
  • [ ] Code-Review | Does the project require code review before code is merged?
  • [ ] CII-Best-Practices | Does the project have a CII Best Practices Badge?
  • [ ] Pull-Requests | Does the project use Pull Requests for all code changes?
  • [ ] Fuzzing | Does the project use OSS-Fuzz?
  • [ ] SAST | Does the project use static code analysis tools, e.g. CodeQL?
  • [ ] Active | Did the project get any commits and releases in the last 90 days?

StefanSchroeder, Nov 12 '20 18:11
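A local pre-check for the file-based items in the list above, added here as an example (it is neither libuta's code nor the ossf/scorecard tool); it assumes a checked-out repository directory and a `git` binary on PATH for the tag check, and covers only Security-MD, Frozen-Deps, CI-Tests, SAST and Signed-Tags, since the remaining items need the forge's API:

```python
"""Local pre-check for the Scorecard items a checkout alone can answer.
Constructed example, not the ossf/scorecard tool; Contributors, Code-Review,
Pull-Requests, Fuzzing, CII badge and Active need the forge's API."""
import subprocess
import tempfile
from pathlib import Path

SECURITY_POLICY = ("SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md")
LOCKFILES = ("go.sum", "Cargo.lock", "package-lock.json", "yarn.lock", "poetry.lock")

def has_any(repo: Path, names) -> bool:
    return any((repo / n).exists() for n in names)

def workflow_texts(repo: Path):
    """Lower-cased contents of every GitHub Actions workflow file (assumed layout)."""
    wf = repo / ".github" / "workflows"
    return [f.read_text(errors="ignore").lower() for f in wf.glob("*.y*ml")] if wf.is_dir() else []

def signed_tags(repo: Path) -> dict:
    """{tag: True if `git tag -v` verifies its signature}; empty if not a git repo."""
    if not (repo / ".git").exists():
        return {}
    tags = subprocess.run(["git", "-C", str(repo), "tag", "--list"],
                          capture_output=True, text=True, check=True).stdout.split()
    # exit status 0 means a valid signature from a key present in the local keyring
    return {t: subprocess.run(["git", "-C", str(repo), "tag", "-v", t],
                              capture_output=True).returncode == 0 for t in tags}

def local_scorecard(repo: Path) -> dict:
    wfs = workflow_texts(repo)
    tags = signed_tags(repo)
    return {
        "Security-MD": has_any(repo, SECURITY_POLICY),
        "Frozen-Deps": has_any(repo, LOCKFILES),
        "CI-Tests": any("test" in w for w in wfs),      # a workflow that runs tests
        "SAST": any("codeql" in w for w in wfs),        # CodeQL workflow present
        "Signed-Tags": bool(tags) and all(tags.values()),
    }

def build_sample_repo() -> Path:
    """Constructed sample checkout: policy, Go lockfile and a CI workflow that runs tests."""
    repo = Path(tempfile.mkdtemp())
    (repo / "SECURITY.md").write_text("Report vulnerabilities to security@example.org\n")
    (repo / "go.sum").write_text("")
    wf = repo / ".github" / "workflows"
    wf.mkdir(parents=True)
    (wf / "ci.yml").write_text("jobs:\n  test:\n    steps:\n      - run: go test ./...\n")
    return repo
```

Running `local_scorecard(Path("."))` from a real checkout prints which of the five file-based items already hold before the scorecard action is wired into CI.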