Enable OpenSSF Scorecard Github Action and Badge

[joycebrum]

Hi, I am Joyce and I'm working on behalf of Google and the Open Source Security Foundation (OpenSSF) to help essential open-source projects improve their supply-chain security.

I would like to suggest the adoption of an OpenSSF, in partnership with GitHub, tool called Scorecard. It runs dozens of automated security checks to help maintainer to better understand their project's supply-chain security posture.

To make it easier to use the Scorecard, the OpenSSF has also developed the Scorecard Github Action, which runs the scorecard checks on every push on the main branch and make the result avaiable in the security dashboard, also with proposed solutions (see examples below).

Although the Julia project already scored a great score on the security checks, there are some checks that would be interesting to work on and also the action would help to guarantee that the already followed ones would still be followed.

Would you be interested in a PR which adds this Action? Optionally, it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README.

In case of doubts or concerns you can try to check Scorecards FAQ. Anyway, feel free to reach me out.

[Keno]

I'm not opposed to this, but I am somewhat worried about the practical details of putting up the scorecard number. The checks seem generally useful, but some of the checks are not applicable to us or are unlikely to be detected by an automated tool (for example, we run custom static analysis over our source code, but there isn't really a way for the tool to know that). Some of the others are just not particularly applicable. For example, we could enable dependabot, but it wouldn't do anything. Is there a way to configure which checks to run? I understand that the badge might not be applicable, but I think the checks are more useful than the badge-signaling. Once you put up a badge, people will just start endlessly arguing about it.

[joycebrum]

Hi @Keno, it is not usual that people question about any of the checks and it is expected that in some cases there will be checks that are not applicable, you should not worry about it. The users are most worried about the overall security posture of the project. Besides, the Julia project's score is actually great, being in the top 9.6%.

But sure, if you rather enable only the checks and not the badge, it can be done easily. The checks would be shown in the security dashboard and the ones you think are not applicable you can ignore. The checks are in continous improvement by the Scorecard team and I'll share your feedback with them!

I see that the checks you could work on are Branch Protection, CII Best Practices, Fuzzing and Pinned Dependencies. All of them could be good to be adopted by the project.

Besides, the action is just as easy to disable than it is to enable, if you want to give it a "try".