Add OpenSSF Scorecard workflow

Bug #2025378 reported by Pedro Kaj Kjellerup Nacht
Affects: lxml | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Hey, it's Pedro and I'm back (see [1] and [2]) and I've got another security suggestion for lxml!

I'd like to suggest that the project add the OpenSSF Scorecard Action [3]. The OpenSSF Scorecard runs a "meta-analysis" of the project's security posture, and the Action then populates the project's Security Panel [4] with possible improvements to its security posture.

This data is fetched via GitHub's public API, and the project's current score can already be seen in [5]. It's currently a 7.1/10, which puts lxml in the top 10% of relevant projects.

It was through Scorecard that I detected the issues fixed in the linked PRs. The Action would simply do the same thing, letting you know if there's anything you can do to improve lxml's security. The Security Panel notifications include not only the reasoning for each check's score (as seen in [5]), but also remediation steps.

I'll send a PR along with this issue to implement the workflow.

[1]: https://github.com/lxml/lxml/pull/369
[2]: https://github.com/lxml/lxml/pull/372
[3]: https://github.com/ossf/scorecard-action
[4]: https://github.com/lxml/lxml/security
[5]: https://securityscorecards.dev/viewer/?uri=github.com/lxml%2Flxml
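A workflow of the kind the report proposes, added here as an illustration rather than the PR Pedro mentions. It assumes the file path, the default branch name (`master`) and the action version tags; Scorecard's own Pinned-Dependencies check expects those tags to be replaced with full commit SHAs looked up from each action's release.

```yaml
# .github/workflows/scorecard.yml (assumed path; illustrative, not lxml's actual workflow)
name: OpenSSF Scorecard

on:
  # Rescan weekly so the Security Panel stays current even without pushes.
  schedule:
    - cron: '30 1 * * 6'
  # Also run when the default branch changes, since Scorecard checks its history.
  push:
    branches: [ master ]   # assumed default branch name
  # Lets Scorecard observe branch-protection changes for its Branch-Protection check.
  branch_protection_rule:

# Deny everything by default; the job requests only what it needs.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Upload SARIF results to Security > Code scanning (the "Security Panel").
      security-events: write
      # Required by publish_results to push the score to the public Scorecard API.
      id-token: write
      contents: read
      actions: read

    steps:
      - name: Checkout code
        uses: actions/checkout@v4          # pin to a commit SHA in a real repo
        with:
          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@v2.3.1 # pin to a commit SHA in a real repo
        with:
          results_file: results.sarif
          results_format: sarif
          # false keeps the score private; true feeds the viewer linked in [5].
          publish_results: true

      # Each failing check appears as a code-scanning alert with its remediation text.
      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@v3   # pin to a commit SHA in a real repo
        with:
          sarif_file: results.sarif
```

Scorecard only publishes results from the repository's default branch, so the `push` trigger must name that branch for the public score to update.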

Pedro Kaj Kjellerup Nacht (pnacht) wrote :

Please let me know if there's interest for this tool. If not, feel free to close!
