Hello, I am Joyce and I'm working on behalf of Google and the Open Source Security Foundation to help essential open-source projects improve their supply-chain security. Given the impact that ClickHouse has on many companies of all sizes, the OpenSSF has identified it as one of the 100 most critical open source projects.
Describe the solution you'd like
Would you consider adopting an OpenSSF tool called Scorecards? Scorecards runs dozens of automated security checks to help maintainers better understand their project's supply-chain security posture. It is developed by the OpenSSF, in partnership with GitHub.
To simplify maintainers' lives, the OpenSSF has also developed the Scorecard GitHub Action. It is very lightweight and runs on every change to the repository's main branch. The results of its checks are available on the project's security dashboard, and include suggestions on how to solve any issues (see examples in the Additional context). The Action does not run or interact with any workflows, but merely parses them to identify possible vulnerabilities. This Action has been adopted by 1800+ projects already.
Considering how critical a role ClickHouse plays in most projects, improving the security of the project following the tips and insights from Scorecard could be a good way to improve the overall security and guarantee that the ClickHouse GitHub project is mostly secure from malicious sabotage.
Would you be interested in a PR which adds this Action? Optionally, it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README.
If you have any doubts or concerns, please share them with me.
Additional context