Description
Feature or enhancement
Add the OpenSSF Scorecard GitHub Action, which performs dozens of automated checks to ensure the project's security posture is solid. The Scorecard is a form of project "meta analysis"; it doesn't detect vulnerabilities in your code, but instead makes sure your settings and security features are following the best practices to minimize the risk of vulnerabilities.
Pitch
Supply-chain attacks are on the rise. Given Python's self-evident importance to the FOSS ecosystem, the OpenSSF has declared CPython one of the most important open-source projects.
The OpenSSF has developed the Scorecard system and accompanying GitHub Action to validate a project's security posture and offer actionable suggestions (surfaced in the project's security dashboard). And indeed, Scorecards was how the need for #92999 was detected, for instance.
The Action runs on every push to main and lets maintainers know if there's a misstep that weakened the project's security.
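For concreteness, this is the shape such a workflow takes. It is an added example written for this page, not CPython's workflow file and not the OpenSSF's reference template. The `main` branch name comes from the text above; the version tags on each `uses:` line, the cron schedule and the job name are placeholders chosen for the example (in a real deployment each action is pinned to a full commit SHA).

```yaml
# Added example (not CPython's workflow, not the OpenSSF reference file).
# Version tags are placeholders; pin each `uses:` to a full commit SHA.
name: OpenSSF Scorecard

on:
  # Re-run when branch-protection settings change, since several
  # Scorecard checks depend on them.
  branch_protection_rule:
  # Weekly run so the score reflects newly added checks even when
  # nothing is pushed (day and hour are arbitrary for this example).
  schedule:
    - cron: '30 2 * * 1'
  push:
    branches: [main]

# Default-deny: the workflow token starts read-only everywhere...
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # ...and this job gets write access only where it needs it.
      security-events: write   # upload SARIF to the Security tab
      id-token: write          # OIDC token used when publishing results
      actions: read
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Do not leave the workflow token in .git/config for later steps.
          persist-credentials: false

      - name: Run Scorecard
        uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          # true makes the score visible through the public Scorecard
          # viewer/API; false keeps results inside the repository.
          publish_results: true

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Two points worth checking when adopting it: the top-level `read-all` plus the narrow job-level grants is exactly the practice Scorecard's own Token-Permissions check looks for, so a workflow that instead requests broad `write-all` lowers the very score it is computing; and `persist-credentials: false` matters because the checkout step otherwise stores the job's token in the working tree where any later step or third-party action could read it.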
Would you be interested in a PR to add this workflow?
If you have any questions, check out the Scorecards FAQ or just ask me!
Disclaimer
I work for Google (an OpenSSF founding member), working full-time to help open-source maintainers improve their projects' security.