OpenSSF scorecard for member subprojects #14

Open
planetf1 opened this issue Feb 20, 2024 · 2 comments

@planetf1

planetf1 commented Feb 20, 2024

I suggest we generate OpenSSF Scorecards for each project we add to PQCA (and consider the same for open-quantum-safe - I can open there).

We are offering assets in the security space - cryptography. We have discussed assurance of those assets in algorithmic terms, but there are additional criteria relating to the management of the project in GitHub, packaging, dependencies, workflows, contributor diversity, and use of various tools.

Scorecards are becoming more discussed as we all worry about supply-chain security, and some organizations are using them as criteria as to which projects can be used.

The tests can be done automatically in a GitHub Action to at least generate a local report - can consider later how to share further.

I think by doing this we add credibility - even though initially we will likely fail on multiple criteria, it gives us a best-practice list to work to.

@planetf1

planetf1 commented Mar 5, 2024

FYI initial PR made for liboqs. Some minor findings. Agreed to get the checks clean before merge & publish.

@planetf1

I have added this to the template repository projects may use for the hackathon (if starting from scratch) at template-code. It will identify some deficiencies, but this is to be expected when starting and provides one target to work to.

@planetf1 planetf1 changed the title Discuss having OpenSSF scorecard for member subprojects OpenSSF scorecard for member subprojects Aug 19, 2024
@planetf1 planetf1 self-assigned this Sep 26, 2024