The OpenSSF Best Practices Badge project has a set of criteria. It'd be really helpful if SECURITY-INSIGHTS could report which criteria they believe the project meets, and why.
I propose adding a new header, e.g.:

```yaml
openssf-bp-badge:
```
From there:
Keys inside this header would match the criterion ID in the OpenSSF badge, e.g., `crypto_published` would match that criterion. That criterion is "The software produced by the project MUST use, by default, only cryptographic protocols and algorithms that are publicly published and reviewed by experts (if cryptographic protocols and algorithms are used)." In the best practices badge, some criteria are "SHOULD" at lower tiers (like "passing") and become "MUST" at higher tiers (like "silver" or "gold"), but since the goal is to simply capture their values, I don't think we need to capture the claimed tier inside SECURITY-INSIGHTS. You can see the full set of criteria for all tiers in English, and from that quickly derive all current criteria names.
Inside each of those keys would be two values, `status` and `justification`. The `status` would be a string with one of the following values: "Met", "Unmet", "?", or "N/A". The optional `justification` string would be a textual justification in markdown format.
@eddie-knight - this was the idea I proposed earlier. This would make it much easier to round-trip data between the best practices badge & SECURITY-INSIGHTS, helping both.

I did a mapping between the OpenSSF Best Practices badge and SECURITY-INSIGHTS. Currently very little of the best practices badge is captured by SECURITY-INSIGHTS. This one change would switch from very little coverage to full coverage.
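As an added illustration, not code from this issue or from the SECURITY-INSIGHTS project, here is a stdlib-only Python check of the proposed header (status restricted to the four listed values, justification an optional string) together with a flattening to badge-style `<criterion>_status` / `<criterion>_justification` fields and back, which is the round trip the proposal is after. The flat field naming, the criterion names other than `crypto_published`, and the sample values are assumptions; the YAML fragment is shown already loaded into a dict so the block runs without a YAML library.

```python
# The four status values listed in the proposal.
ALLOWED_STATUS = {"Met", "Unmet", "?", "N/A"}

# Constructed sample: the dict a YAML loader returns for this fragment
#   openssf-bp-badge:
#     crypto_published:
#       status: Met
#       justification: Uses only TLS 1.3 from the standard library.
#     floss_license:
#       status: "?"    # a bare ? is YAML mapping-key syntax, so quote it
SAMPLE_INSIGHTS: dict = {"openssf-bp-badge": {
    "crypto_published": {"status": "Met", "justification": "Uses only TLS 1.3 from the standard library."},
    "floss_license": {"status": "?"},
    "static_analysis": {"status": "Maybe"},  # invalid on purpose
}}

def validate_badge_header(doc: dict) -> list[str]:
    """Return a list of problems; an empty list means the header is valid."""
    problems: list[str] = []
    header = doc.get("openssf-bp-badge")
    if not isinstance(header, dict):
        return ["openssf-bp-badge header missing or not a mapping"]
    for crit, entry in header.items():
        if not isinstance(entry, dict):
            problems.append(f"{crit}: entry must be a mapping with a 'status' key")
            continue
        if entry.get("status") not in ALLOWED_STATUS:
            problems.append(f"{crit}: status {entry.get('status')!r} not one of {sorted(ALLOWED_STATUS)}")
        if "justification" in entry and not isinstance(entry["justification"], str):
            problems.append(f"{crit}: justification must be a markdown string")
        if extra := set(entry) - {"status", "justification"}:
            problems.append(f"{crit}: unexpected keys {sorted(extra)}")
    return problems

def to_badge_fields(doc: dict) -> dict[str, str]:
    """Flatten to <criterion>_status / <criterion>_justification pairs (assumed badge naming)."""
    fields: dict[str, str] = {}
    for crit, entry in doc.get("openssf-bp-badge", {}).items():
        fields[f"{crit}_status"] = entry.get("status", "?")
        if "justification" in entry:
            fields[f"{crit}_justification"] = entry["justification"]
    return fields

def from_badge_fields(fields: dict[str, str]) -> dict:
    """Inverse of to_badge_fields: rebuild the header from the flat badge fields."""
    header: dict = {}
    for key, value in fields.items():
        crit, _, kind = key.rpartition("_")
        if kind in ("status", "justification"):
            header.setdefault(crit, {})[kind] = value
    return {"openssf-bp-badge": header}
```

Run the validator before the flattening step, since a badge tool receiving the flat fields would otherwise see a free-text status where it expects one of the four values.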