Implementing OSSF Scorecard #2
Comments
Go for it. And if it makes it amy easier you are always welcome to start with any of the smaller, simplier middleware repos. |
|
Good afternoon! I've had a chat with @UlisesGascon to tell him that I am interested in contributing to this initiative, as the OpenSSF Scorecard is something that I like and that I have also helped to implement in the Open Source community of the company where I work. |
|
Yeah! Welcome aboard @inigomarquinez 🎉 |
|
Good Morning! I've also had a chat with @UlisesGascon and I am interested in contributing to this initiative too. |
|
As discussed with @inigomarquinez, he will champion this initiative 🎉 |
|
Thanks for the opportunity @UlisesGascon ! |
|
Looks like some of them are broken. maybe @carpasse or @inigomarquinez, do you have time to look into it? https://github.com/jshttp/http-errors/actions/runs/11797478580/job/32861554162 |
|
@wesleytodd I will try to take a look at the broken ones this week. |
|
@wesleytodd , could you please review the PR for HTTP Errors and merged if you are ok with it? I looked into the issue with @UlisesGascon , and it’s not failing due to a problem with the code itself but because it can’t obtain the certificate needed to publish the results (link). This issue seems to be outside the control of the GitHub Actions. I was hoping that updating the scorecard action dependency might "fix" it. |
|
Ah, just seeing this after checking the previous notification for updating. Sorry if that comment is not necessary now. Anyway, if this is a way to unblock those from failing I am good merging them, but we should work on a non-distributed way to manage these. Maybe have a shared workflow we update in one place? |
one of the plan I have (and will be starting soon) is to centralize all workflows - allowing full reusability across all projects :D |
|
Actually, I started to experiment running the analysis in a DIY mode with the official Docker Image in VisionBoard and seems like maybe it will replace some of this CI overhead ref. I am checking with the Scorecard maintainers if there is a way also to report this info back to the official API (that is the only piece missing with this new approach for now). |
Some time ago, we implemented the monitoring and review of the OSSF scorecard in the Node.js org, and it significantly contributed to the improvement of many repositories. I believe adopting a similar approach for Express would be highly beneficial. We've developed tools, such as the OpenSSF Scorecard Monitor and OpenSSF Scorecard Visualizer, along with processes that make handling the evolution of scoring straightforward. Despite initial appearances, the process is quite simple.
Context
Resources
Next Steps:
I'm enthusiastic about leading these changes in the repos. While we may not be familiar with the OSSF Scorecard, we already have scores for most of our projects. Here is a simple dashboard that I auto-generated. The OSSF team is already tracking our projects using a CRON job, but we can easily enrich them and make some simple patches to increase the scoring.
Most of these changes won't require significant alterations and can be performed in isolated PRs, making them easy to review. If we're in agreement, I can start with the Express project to showcase the process. 👍
The text was updated successfully, but these errors were encountered: