Re: [PHP-DEV] Adding the OpenSSF Scorecards GitHub Action

2022-10-28 Thread Pedro Nacht via internals
hin the Security tab forever and also no need for them to be > rechecked by maintainers regularly. Then there's also the issue of > what's effectively false-positives (see below) which further distract > from whatever benefit to the automated scan there might be in the first

Re: [PHP-DEV] Adding the OpenSSF Scorecards GitHub Action

2022-10-27 Thread Pedro Nacht via internals
Tyson, Could you expand on that? It isn't obvious from your comment, and I'm > curious about this initiative at Google. > > > 1. How many hours a week do you spend working for Google/Alphabet, > roughly? (e.g., averaged over the last month) > 2. How many hours a week do you spend working for the O

Re: [PHP-DEV] Adding the OpenSSF Scorecards GitHub Action

2022-10-24 Thread Pedro Nacht via internals
Hey Jordan, The tool is only meant to be informative regarding the project's supply-chain security posture and gives actionable suggestions on how it can be improved. However, it doesn't create issues, bug maintainers and volunteers with notifications/emails, or make any assumptions regarding main

[PHP-DEV] Adding the OpenSSF Scorecards GitHub Action

2022-10-20 Thread Pedro Nacht via internals
I've made this suggestion as issue #9778 ( https://github.com/php/php-src/issues/9778) and PR #9789 ( https://github.com/php/php-src/pull/9789), but have been invited by @damianwadley to bring it to the mailing list. The Scorecards GitHub Action basically keeps an eye on a repo's security posture