Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ADR policy for adoption of OSSF Scorecard #298

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

ADR policy for adoption of OSSF Scorecard #298

wants to merge 1 commit into from

Conversation

inigomarquinez
Copy link
Member

@inigomarquinez inigomarquinez commented Oct 30, 2024
edited by UlisesGascon
Loading

Policy on adoption of OSSF Scorecard for Express repositories

  • Establishes policy for adoptin OSSF Scorecard in Express organization
  • Explains the benefits of adding this tooling.
  • Documents the rationale, alternatives considered, and implementation plan.

Related to expressjs/security-wg#2

cc: @expressjs/security-wg @expressjs/express-tc

UlisesGascon
UlisesGascon approved these changes Oct 30, 2024
View reviewed changes
Copy link
Member

@UlisesGascon UlisesGascon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We will add other PRs to define in details things that are related to this initiative like the dependabot policy (if we agree on it), or how the security-wg will review this, etc... but we didn't want to block the initiative due implementation details.

docs/adr/adr-xxx-adoption-of-ossf-scorecard-for-express.md
@@ -0,0 +1,61 @@
# ADR XXX: Adoption of OSSF Scorecard for Express
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we will define this when landing it.

@UlisesGascon UlisesGascon self-assigned this Oct 30, 2024
@jonchurch jonchurch added the ADR label Nov 2, 2024
UlisesGascon
UlisesGascon reviewed Dec 20, 2024
View reviewed changes
docs/adr/adr-xxx-adoption-of-ossf-scorecard-for-express.md
Comment on lines +28 to +29
### Exclusions
- We will not utilize the Step-Security auto-suggestion feature for PRs at this time, opting instead for manually curated and reviewed PRs. This will allow the security team to gradually onboard contributors and assess each change carefully.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am rethinking on this approach, I will revisit this after the holidays.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@UlisesGascon UlisesGascon UlisesGascon approved these changes

@bjohansebas bjohansebas bjohansebas approved these changes

@carpasse carpasse carpasse approved these changes

Assignees

@UlisesGascon UlisesGascon

Labels
ADR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@inigomarquinez @carpasse @UlisesGascon @bjohansebas @jonchurch