
Automatic security check information on each Actions listing #774

Closed as not planned
@github-product-roadmap

Description

Summary

Today, there is no way for consumers of individual actions to determine their trustworthiness and quality, other than checking whether the action comes from a verified creator. Enterprises have been asking for actions that follow standards (e.g., CodeQL scanning, timely dependency updates).

When this work is complete, we will automatically run checks on repositories hosting published Actions to determine if the repository where the Action is hosted follows security best practices. We use a subset of OpenSSF (Open Source Security Foundation) scorecard checks to make this determination and publish that metadata as part of the Action listing page and details.

Intended Outcome

We are building this to reinforce our credibility with customers and show that GitHub is serious about security. With 17K actions on the Marketplace and more being added every day, it is imperative that we surface the metadata consumers need to decide which actions they can rely on.

How will it work?

Whenever there is a state change in a repository (based on certain rules), a dynamic workflow is kicked off to run the checks. The results from the scoring are then surfaced on the listing page. Since this is a new change, once we go GA we will give action creators a grace period to make any desired changes, after which the results will be automatically published to the listing details page. New actions authored and published after the GA date will be graded automatically.

These checks against the repository hosting the action will evaluate holistic security practices, source risk assessment and build risk assessment.
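As an added example (not part of this roadmap issue or GitHub's implementation), a consumer-side version of the check described above: it reads an OpenSSF Scorecard JSON report (constructed sample here; the report shape and the score thresholds are assumptions) and decides whether an action's repository meets a required subset of checks. The check names are real Scorecard checks; mapping CodeQL to SAST and dependency updates to Dependency-Update-Tool follows the two examples named in the Summary.

```python
import json

# Constructed sample in the shape of an OpenSSF Scorecard JSON report (assumed:
# a "checks" list of {"name", "score", "reason"}); repo name and scores are made up.
SAMPLE_SCORECARD_JSON = json.dumps({
    "repo": {"name": "github.com/example-org/example-action"},
    "checks": [
        {"name": "SAST", "score": 0, "reason": "no SAST tool detected"},
        {"name": "Dependency-Update-Tool", "score": 10, "reason": "update tool detected"},
        {"name": "Pinned-Dependencies", "score": 4, "reason": "some dependencies unpinned"},
        {"name": "Token-Permissions", "score": 10, "reason": "workflow tokens read-only"},
        {"name": "Code-Review", "score": 7, "reason": "most changes reviewed"},
    ],
})

# Required subset and minimum scores (0-10) a consumer might demand before
# trusting an action. Names are real Scorecard checks; thresholds are assumptions.
# SAST covers tools such as CodeQL; Dependency-Update-Tool covers timely updates.
REQUIRED_CHECKS = {
    "SAST": 7,
    "Dependency-Update-Tool": 7,
    "Pinned-Dependencies": 7,
    "Token-Permissions": 10,
    "Code-Review": 5,
}

def evaluate_action_repo(scorecard_json, required=REQUIRED_CHECKS):
    """Return (passed, findings). A check missing from the report, or one Scorecard
    marks inconclusive (score < 0), fails rather than passing by omission."""
    report = json.loads(scorecard_json)
    by_name = {c["name"]: c for c in report.get("checks", [])}
    findings = {}
    for name, minimum in required.items():
        check = by_name.get(name)
        if check is None:
            findings[name] = "missing: check not present in report"
        elif check["score"] < 0:
            findings[name] = f"inconclusive: {check['reason']}"
        else:
            verdict = "pass" if check["score"] >= minimum else "fail"
            findings[name] = f"{verdict}: score {check['score']} (min {minimum}); {check['reason']}"
    passed = all(v.startswith("pass") for v in findings.values())
    return passed, findings

if __name__ == "__main__":
    ok, details = evaluate_action_repo(SAMPLE_SCORECARD_JSON)
    print(json.dumps(details, indent=2), "\ntrust decision:", "ACCEPT" if ok else "REJECT")
```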


Labels

actions (Feature: GitHub Actions), all (Product SKU: All), exploring (Feature phase: Exploring), preview (Feature phase: Preview)
