[logback-dev] [JIRA] Updates for LOGBACK-1708: Add the OpenSSF Scorecards GitHub Action

QOS.CH (JIRA) noreply-jira at qos.ch
Tue Nov 22 16:01:00 CET 2022


logback / LOGBACK-1708 [Open]
Add the OpenSSF Scorecards GitHub Action

==============================

Here's what changed in this issue in the last few minutes.
This issue has been created
This issue is now assigned to you.

View or comment on issue using this link
https://jira.qos.ch/browse/LOGBACK-1708

==============================
 Issue created
------------------------------

Pedro Kaj Kjellerup Nacht created this issue on 22/Nov/22 3:50 PM
Summary:              Add the OpenSSF Scorecards GitHub Action
Issue Type:           Improvement
Assignee:             Logback dev list
Attachments:          sc-gha-example.png
Created:              22/Nov/22 3:50 PM
Labels:               security
Priority:             Major
Reporter:             Pedro Kaj Kjellerup Nacht
Description:
  There's been a large increase in [supply-chain attacks|https://www.sonatype.com/state-of-the-software-supply-chain/introduction]. The [OpenSSF|https://openssf.org/] defined logback as one of the most important open-source projects, and has developed the [Scorecards|https://github.com/ossf/scorecard] system to help projects detect how they can improve their security posture. This is done via a series of [checks|https://github.com/ossf/scorecard#scorecard-checks] of repository settings, workflow definitions, etc.
  
  The OpenSSF has also released the [Scorecards GitHub Action|https://github.com/ossf/scorecard-action], which automates these checks. If any possible improvements are detected, they are sent to the project's security dashboard, along with actionable instructions for how to implement these changes (see image attached).
  
  Would there be interest in a PR to implement this Action?
  
  Disclaimer: I work for Google (an OpenSSF founding member), where my full-time role is to help open-source maintainers improve their security.
  
   


==============================
 This message was sent by Atlassian Jira (v8.8.0#808000-sha1:e2c7e59)