[#39014] - Feature: Add Scorecards for security checks
- Closed
- 6 Nov 2022
- Medium
- Build: .
- # 39014
Proposal
Hello! I'm Gabriela and Google hired me to help essential open-source projects improve their supply-chain security. My role is to reach out to projects like yours and see if I can offer my time and help to secure your project, since it’s considered critical to the open source ecosystem. I see joomla-cms already follows some security best practices, such as automated flows to update dependencies, and that's great!
To build on that, I’d like to suggest a tool called Scorecards. Scorecards’ goal is to make maintainers aware of possible supply-chain security issues. This includes keeping dependencies updated to protect against vulnerabilities and guaranteeing that binary files are not present in source code, since they are targets for attacks. Scorecards runs these automated security checks and reports the results to the repository's security dashboard. There are tips for remediating any issues, which I can also help with!
If you would like to add Scorecards, let me know! I can open a PR. If not, are there any other security efforts I can help you with?
| Labels |
Removed:
?
|
||
joomla-cms-bot
- | Labels |
Added:
No Code Attached Yet
|
||
Thank you for the offer, we will discuss it in the team and contact you.
chmst
- | Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-11-06 07:54:37 |
| Closed_By | ⇒ | chmst |
When the American billion-dollar corporation Google hires people to offer help to open source projects and these people mention Google in the introductory sentence as if it were a seal of approval, I am exclusively sceptical. Apart from that, I don't see anything on the Scorecard site that I think would be helpful for Joomla developers. Except another tool that praises itself to the skies and produces automated noise.
Of course, it's not up to me to decide.