Add the OpenSSF Scorecard GitHub Action #11325
Description
Proposal
Hello, I'm working on behalf of Google and the Open Source Security Foundation to help essential open source projects improve their supply-chain security. Given prometheus' importance to monitoring and alerting, we'd like to recommend an improvement to the project's security posture.
Would you consider adopting an OpenSSF tool called Scorecards? Scorecards runs dozens of automated security checks to help maintainers better understand their project's supply-chain security posture. It is developed by the OpenSSF, in partnership with GitHub.
I see prometheus already follows security best practices, such as cryptographic release signing and CI/CD through CircleCI. Adding Scorecards could help ensure other best practices, such as the usage of Token Permissions mentioned in #11285.
The Scorecard GitHub Action is very lightweight and runs on each change to the repository. The results of its checks are available on the project's security dashboard, and include suggestions on how to solve any issues (see examples below). Over 1600 projects have added the action already.
Would you be interested in a PR which adds this Action? Optionally, it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README.

