[JIRA] Updates for LOGBACK-1708: Add the OpenSSF Scorecards GitHub Action

logback / LOGBACK-1708 [Open] Add the OpenSSF Scorecards GitHub Action

View or comment on issue using this link: https://jira.qos.ch/browse/LOGBACK-1708

Issue created
------------------------------
Pedro Kaj Kjellerup Nacht created this issue on 22/Nov/22 3:50 PM

Summary: Add the OpenSSF Scorecards GitHub Action
Issue Type: Improvement
Assignee: Logback dev list
Attachments: sc-gha-example.png
Created: 22/Nov/22 3:50 PM
Labels: security
Priority: Major
Reporter: Pedro Kaj Kjellerup Nacht

Description:

There's been a large increase in supply-chain attacks (https://www.sonatype.com/state-of-the-software-supply-chain/introduction). The OpenSSF (https://openssf.org/) defined logback as one of the most important open-source projects, and has developed the Scorecards (https://github.com/ossf/scorecard) system to help projects detect how they can improve their security posture. This is done via a series of checks (https://github.com/ossf/scorecard#scorecard-checks) of repository settings, workflow definitions, etc.

The OpenSSF has also released the Scorecards GitHub Action (https://github.com/ossf/scorecard-action), which automates these checks. If any possible improvements are detected, they are sent to the project's security dashboard, along with actionable instructions for how to implement these changes (see image attached).

Would there be interest in a PR to implement this Action?

Disclaimer: I work for Google (an OpenSSF founding member), where my full-time role is to help open-source maintainers improve their security.