The OpenSSF has a large portfolio of specifications and tools, and we would like to partner with various tools, specifications, and communities across OpenSSF to work together so we are all marching in the same direction. The S2C2F is a specification for securely consuming and managing open source in any software project. Scorecard is a tool used by both producers and consumers of open source to help perform security checks, and already has overlap with 5 S2C2F requirements.
Describe the solution you'd like
We should explore opportunities for Scorecard and S2C2F to more closely align. An idea for how such an alignment could benefit Scorecard consumers is to see an "S2C2F Maturity Level 2 compliance badge" in addition to the score that's already produced for a specific component, which could add valuable context to help consumers make judgements on the OSS they are considering taking a dependency on.
Describe alternatives you've considered
We've considered building our own tool to produce an S2C2F attestation (https://github.com/ossf/S2C2F-attestation-schema-and-tool), but are pivoting towards the approach of working with existing tooling across OpenSSF.