Where is it defined which projects are accessible via securityscorecards.dev

[tuminoid]

Hello from Metal3! We are CNCF sandbox project, moving to incubation soon. We've added our repositories in the CNCF CLOmonitor, which checks if the OpenSSF Scorecard badge is displayed in the README. For one of our repos, we cannot add the badge as it is not available via securityscorecards.dev

I did not find where the list of projects available is defined. Is it possible to get a project added for scanning so we can display the badge? We do our own scans via the CLI, and CNCF is scanning us as well, but we just can't display the badge for this repo.

[spencerschrock]

The API will have your data in one of two ways:

1. Part of the weekly scan. This list is defined here, and would involve sending a PR to us to add it (just append it to the end, and make add-projects will insert it alphabetically). Runs once a week on our API quota
2. Add our scorecard action workflow to your repo and ensure publish_results is set. Runs on every commit using your API quota.
   You can see our own workflow of how we configure ours here (or the full instructions here, except some of the version pins will be out of date).
   Note: We no longer recommend specifying a repo_token. (our reasoning is here).

Happy to explain more around the tradeoffs between the two if wanted.

[tuminoid]

Thank you for the guidance. I've opened #3783 to add the rest of our repositories.

[tuminoid]

PR has been contributed and merged. 🙏