Ruby » Ruby master

Hi, I am Joyce and I'm working on behalf of Google and the Open Source Security Foundation to help essential open-source projects improve their supply-chain security.

Would you consider adopting an OpenSSF tool called Scorecards? Scorecards runs dozens of automated security checks to help maintainers better understand their project's supply-chain security posture. It is developed by the OpenSSF, in partnership with GitHub.

Considering how Ruby project is largely used, it is important to guarantee a good security posture for the project. The scorecard tool can help you on identifying what are the security practices that would improve the project's supply-chain security and what you have to do to accomplish them.

To simplify maintainers' lives, the OpenSSF has also developed the Scorecard GitHub Action. It is very lightweight and runs on every change to the repository's main branch. The results of its checks are available on the project's security dashboard, and include suggestions on how to solve any issues (some examples are attached). The Action does not run or interact with any workflows, but merely parses them to identify possible vulnerabilities. This Action has been adopted by 1800+ projects already, having some prominent users like Tensorflow, Angular, Flutter, sos.dev and deps.dev.

Would you be interested in a PR which adds this Action? Optionally, it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README.

In case of doubts or concerns you can try to check Scorecards FAQ or just reach out to me.