> hin the Security tab forever and also no need for them to be
> rechecked by maintainers regularly. Then there's also the issue of
> what's effectively false-positives (see below) which further distract
> from whatever benefit to the automated scan there might be in the first
Tyson,
Could you expand on that? It isn't obvious from your comment, and I'm
> curious about this initiative at Google.
>
>
> 1. How many hours a week do you spend working for Google/Alphabet,
> roughly? (e.g., averaged over the last month)
> 2. How many hours a week do you spend working for the O
Hey Jordan,
The tool is only meant to be informative regarding the project's
supply-chain security posture and gives actionable suggestions on how it
can be improved. However, it doesn't create issues, bug maintainers and
volunteers with notifications/emails, or make any assumptions regarding
main
I've made this suggestion as issue #9778
(https://github.com/php/php-src/issues/9778) and PR #9789
(https://github.com/php/php-src/pull/9789), but have been invited by
@damianwadley to bring it to the mailing list.
The Scorecards GitHub Action basically keeps an eye on a repo's security
posture
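
For readers who have not seen the action in use, here is an added example of the kind of workflow the proposal refers to. It is not the PR's own code and not taken from this thread; it follows the public ossf/scorecard-action usage pattern, and the pinned version tags, cron schedule and branch name are assumptions to be adjusted for the repository. The security-relevant points are the job-level `permissions: read-all` default (the job gets no write scope beyond what the two named scopes grant) and `persist-credentials: false` on checkout, so the scan itself cannot modify the repo; the SARIF upload is what surfaces results in the Security tab rather than as issues or notifications.

```yaml
# Added example workflow for the OSSF Scorecards GitHub Action.
# Assumed: version tags, schedule and branch name; change as needed.
name: Scorecards supply-chain security

on:
  # Re-run when branch protection settings change, on a weekly schedule,
  # and on pushes to the default branch (assumed to be "master" here).
  branch_protection_rule:
  schedule:
    - cron: '30 1 * * 6'
  push:
    branches: [ master ]

# Least privilege: the workflow as a whole gets read-only token scopes.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload SARIF results to the Security tab (code scanning).
      security-events: write
      # Needed only when publish_results is true (OIDC token for the
      # public Scorecards results API).
      id-token: write

    steps:
      - name: Checkout code
        uses: actions/checkout@v3          # version tag is an assumption
        with:
          # Do not leave the GITHUB_TOKEN in .git/config for later steps.
          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@v2.1.2 # version tag is an assumption
        with:
          results_file: results.sarif
          results_format: sarif
          # Publishing makes the score visible on the public Scorecards
          # API/badge; set to false to keep results private to the repo.
          publish_results: true

      # Upload to code scanning so findings appear under the Security tab
      # only; nothing here opens issues or emails maintainers.
      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@v2 # version tag is an assumption
        with:
          sarif_file: results.sarif
```

One caveat worth checking before enabling `publish_results`: some checks (for example branch protection) need a token with more than read access to report accurately, which is why the upstream docs describe an optional `repo_token` input backed by a fine-grained PAT; leaving it out trades a few less precise checks for a workflow that holds no write credential.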