
Add the OpenSSF Scorecard GitHub Action #99668

Closed
pnacht opened this issue Nov 21, 2022 · 1 comment
Labels: infra (CI, GitHub Actions, buildbots, Dependabot, etc.), type-feature (A feature request or enhancement)

Comments

@pnacht

pnacht commented Nov 21, 2022

Feature or enhancement

Add the OpenSSF Scorecard GitHub Action, which performs dozens of automated checks to ensure the project's security posture is solid. The Scorecard is a form of project "meta analysis"; it doesn't detect vulnerabilities in your code, but instead makes sure your settings and security features are following the best practices to minimize the risk of vulnerabilities.

Pitch

Supply-chain attacks are on the rise. Given Python's self-evident importance to the FOSS ecosystem, the OpenSSF has declared CPython one of the most important open-source projects.

The OpenSSF has developed the Scorecard system and accompanying GitHub Action to validate a project's security posture and suggest actionable suggestions (added to the project's security dashboard). And indeed, Scorecards was how the need for #92999 was detected, for instance.

The Action runs on every push to main and lets maintainers know if there's a misstep that weakened the project's security.

Would you be interested in a PR to add this workflow?

If you have any questions, check out the Scorecards FAQ or just ask me!

Disclaimer

I work for Google (an OpenSSF founding member), working full-time to help open-source maintainers improve their projects' security.

Detail of a Token-Permissions alert, indicating the specific file and remediation steps

@pnacht pnacht added the type-feature A feature request or enhancement label Nov 21, 2022
@iritkatriel iritkatriel added the build The build process and cross-build label Dec 1, 2023
alex-semenyuk added a commit to alex-semenyuk/cpython that referenced this issue Feb 23, 2025
@picnixz picnixz added infra CI, GitHub Actions, buildbots, Dependabot, etc. and removed build The build process and cross-build labels Feb 23, 2025
@AA-Turner
Member

Closing this as not planned. See the rationale in @sethmlarson's comment for further explanation.

A

@AA-Turner AA-Turner closed this as not planned Won't fix, can't repro, duplicate, stale Feb 23, 2025
4 participants