Hi, I am Joyce and I'm working on behalf of Google and the Open Source Security Foundation (OpenSSF) to help essential open-source projects improve their supply-chain security.
I would like to suggest the adoption of an OpenSSF tool called Scorecard. Scorecard runs dozens of automated checks to help maintainers better understand their project's supply-chain security posture. It is developed by the OpenSSF, in partnership with GitHub.
To make it even easier for maintainers, the OpenSSF has also developed the Scorecard GitHub Action, which is very lightweight and publishes the results on the project's security dashboard with suggestions on how to solve any issues (see examples below). The Action does not run or interact with any workflows, but merely parses them to identify possible vulnerabilities. This Action has been adopted by 1800+ projects already, including some prominent users like TensorFlow, Angular, Flutter, sos.dev and deps.dev.
Considering how the Async project already follows some of the security best practices, the Scorecard GitHub Action would help you work toward following the other best practices and guarantee that the ones currently followed will not get lost in future changes.
Would you be interested in a PR which adds this Action? Optionally, it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README.
In case of doubts or concerns you can check the Scorecard FAQ. In any case, feel free to reach out to me 😄.