gh-99668: Add OpenSSF Scorecard GitHub Action and badge #130485

Closed

Conversation

alex-semenyuk
Contributor

@alex-semenyuk alex-semenyuk commented Feb 23, 2025

Add the OpenSSF Scorecard GitHub Action, which performs dozens of automated checks to ensure the project's security posture is solid, and a badge which shows the OpenSSF Scorecard score: https://scorecard.dev/viewer/?uri=github.com/python/cpython

@AA-Turner
Member

I'm sceptical of the value proposition here; it seems mainly to be promoting the 'scorecard' programme through adding (another) badge to the README. The Python project has long-established security practices, which we should probably draw more attention to than a somewhat arbitrary 'score' from 0-10.

cc @sethmlarson as a resident security expert.

A

@alex-semenyuk
Contributor Author

> I'm sceptical of the value proposition here; it seems mainly to be promoting the 'scorecard' programme through adding (another) badge to the README. The Python project has long-established security practices, which we should probably draw more attention to than a somewhat arbitrary 'score' from 0-10.
>
> cc @sethmlarson as a resident security expert.
>
> A

The value is not in the score itself but in the issues which need to be addressed.

Btw, these are the issues which need to be addressed: https://scorecard.dev/viewer/?uri=github.com/python/cpython

@sethmlarson
Contributor

I'm a -1 on adopting this as a workflow that needs to be maintained, with results that need to be handled by some ambiguous "someone".

Scorecard can be run by anyone as a CLI, and then, if that someone cares and has the time to fix the issues, they can do so. Any work that gets done can be documented with justifications so it's not undone later.

This approach means the work is owned by someone and we're not simply creating more work to do while crossing our fingers that it gets done (by volunteers). This also means one less workflow to run and maintain on our CI which I understand to already be quite busy.
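
As an added example (not part of this PR or of CPython's own code), here is a small triage helper for the CLI-based approach described above: it reads a Scorecard JSON report, lists the checks scoring below a threshold, and skips findings that already carry a written justification, so accepted decisions are not re-raised on the next run. The `scorecard --repo=<repo> --format=json` invocation is the real CLI; the embedded report is a constructed sample that mirrors its `checks` / `score` / `reason` layout, and the `ACCEPTED` entries are hypothetical.

```python
import json

# Constructed sample shaped like `scorecard --repo=<repo> --format=json` output
# (the check names are real Scorecard checks; scores and reasons are made up).
SAMPLE_REPORT = json.dumps({
    "repo": {"name": "github.com/example/placeholder-repo"},
    "score": 6.4,
    "checks": [
        {"name": "Pinned-Dependencies", "score": 3, "reason": "dependency not pinned by hash detected"},
        {"name": "Token-Permissions", "score": 5, "reason": "workflow tokens with excessive permissions"},
        {"name": "Signed-Releases", "score": -1, "reason": "no releases found"},
        {"name": "Security-Policy", "score": 10, "reason": "security policy file detected"},
    ],
})

# Findings someone has already owned, with the justification written down
# when the decision was made so the work is not undone later (hypothetical).
ACCEPTED = {
    "Signed-Releases": "releases are signed outside GitHub Releases",
}


def sample_report():
    """Parse the constructed sample; stands in for the CLI's JSON stdout."""
    return json.loads(SAMPLE_REPORT)


def triage(report, threshold=7, accepted=ACCEPTED):
    """Split checks scoring below `threshold` into open and accepted lists.
    A score of -1 means Scorecard could not evaluate the check; it stays open
    so that a person, not the tool, decides what to do with it."""
    open_findings, accepted_findings = [], []
    for check in report["checks"]:
        if check["score"] >= threshold:
            continue
        if check["name"] in accepted:
            accepted_findings.append((check["name"], accepted[check["name"]]))
        else:
            open_findings.append((check["name"], check["score"], check["reason"]))
    open_findings.sort(key=lambda f: f[1])  # lowest score first
    return open_findings, accepted_findings


if __name__ == "__main__":
    todo, acked = triage(sample_report())
    for name, score, reason in todo:
        print(f"TODO {name:<22}{score:>3}  {reason}")
    for name, why in acked:
        print(f"OK   {name:<22}     accepted: {why}")
```

To use it against a real report, pipe the CLI's JSON output into `json.load` and pass the result to `triage` in place of `sample_report()`.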

AA-Turner closed this Feb 23, 2025