René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Add the OpenSSF Scorecard GitHub Action","articleBody":"# Feature or enhancement\r\n\r\nAdd the [OpenSSF][ossf] [Scorecard GitHub Action][sc], which performs dozens of automated [checks][checks] to ensure the project's security posture is solid. The Scorecard is a form of project \"meta analysis\"; it doesn't detect vulnerabilities in your code, but instead makes sure your settings and security features are following the best practices to minimize the risk of vulnerabilities.\r\n\r\n# Pitch\r\n\r\n[Supply-chain attacks][sonatype] are on the rise. Given Python's self-evident importance to the FOSS ecosystem, the OpenSSF has declared CPython one of the most important open-source projects. \r\n\r\nThe OpenSSF has developed the Scorecard system and accompanying GitHub Action to validate a project's security posture and suggest actionable suggestions (added to the project's security dashboard). And indeed, Scorecards was how the need for https://github.com/python/cpython/pull/92999 was detected, for instance.\r\n\r\nThe Action runs on every push to main and lets maintainers know if there's a misstep that weakened the project's security.\r\n\r\nWould you be interested in a PR to add this workflow?\r\n\r\nIf you have any questions, check out the Scorecards [FAQ][faq] or just ask me!\r\n\r\n# Disclaimer\r\n\r\nI work for Google (an OpenSSF founding member), working full-time to help open-source maintainers improve their projects' security.\r\n\r\n![Detail of a Token-Permissions alert, indicating the specific file and remediation steps][img-detail]\r\n\r\n[checks]: https://github.com/ossf/scorecard#scorecard-checks\r\n[faq]: https://github.com/ossf/scorecard/blob/main/docs/faq.md#frequently-asked-questions\r\n[ossf]: https://openssf.org/\r\n[sc]: https://github.com/ossf/scorecard\r\n[sonatype]: https://www.sonatype.com/state-of-the-software-supply-chain/introduction\r\n\r\n[img-detail]: https://user-images.githubusercontent.com/15221358/190184600-ee8d3b39-077e-416a-8711-1b5fb01cf0b3.png\r\n\n\n\u003c!-- gh-linked-prs --\u003e\n### Linked PRs\n* gh-130485\n\u003c!-- /gh-linked-prs --\u003e\n","author":{"url":"https://github.com/pnacht","@type":"Person","name":"pnacht"},"datePublished":"2022-11-21T22:26:45.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":1},"url":"https://github.com/99668/cpython/issues/99668"}