Non-exhaustive list of checks to implement:

- [x] Has own project GitHub organization
- [x] Has `.github` repo
- [x] Has `.github/SECURITY.md` file
- [ ] Uses otterdog
- [ ] Has default-security-policy blueprint
- [ ] Has add-dot-github-repo blueprint
- [x] Number of commits ~1y
- [x] Number of commit authors ~1y
- [x] Number of repositories
- [x] Number of inactive repositories
- [x] Number of EF committers
- [x] Number of inactive EF committers
- [x] Number of members in EF security team
- [x] Is GitHub Private Vulnerability Reporting enabled
- [x] Number of vulnerability reports ~6m
- [x] Number of reports
- [x] Number of CVEs
- [ ] Is Dependabot Security Alerts enabled
- [ ] Number of security alerts resolved
- [ ] Number of security alerts unresolved
- [ ] Number of security alerts Critical
- [ ] Number of security alerts High
- [ ] Is automated SBOM generation enabled
- [ ] Outdated dependencies by time
- [ ] Secret scanning
- [ ] ECA validation
- [x] Number of releases ~1y
- [ ] Uses automated CI (GHA, Jenkins, GitLab)
- [x] Zizmor result
- [x] OpenSSF Scorecard result
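As an added example (not the project's own checker code), the following script evaluates a subset of the checks above from data shaped like GitHub REST API responses. It assumes the input snapshot mirrors `GET /orgs/{org}/repos` (repository objects with `name`, `archived`, `pushed_at`), `GET /repos/{owner}/{repo}/private-vulnerability-reporting` (`{"enabled": bool}` per repo) and `GET /repos/{owner}/{repo}/dependabot/alerts` (alerts with `state` and `security_advisory.severity`); the function names, the `org_snapshot` layout and the sample data are constructed for illustration, and no network call is made.

```python
"""Evaluate a few org-level security checks from GitHub-API-shaped data.

Added example, not the project's code. The snapshot layout below is an
assumption: repository objects, per-repo private vulnerability reporting
status and Dependabot alerts are already fetched and collected in one dict.
"""
from datetime import datetime, timedelta, timezone

# A repository with no push for this long counts as "inactive" (assumed threshold).
INACTIVE_AFTER = timedelta(days=365)


def parse_ts(ts: str) -> datetime:
    """GitHub timestamps look like '2024-05-01T12:00:00Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def inactive_repositories(repos: list[dict], now: datetime) -> list[str]:
    """Names of non-archived repos with no push within INACTIVE_AFTER."""
    return sorted(
        r["name"]
        for r in repos
        if not r.get("archived", False)
        and now - parse_ts(r["pushed_at"]) > INACTIVE_AFTER
    )


def security_alert_summary(alerts: list[dict]) -> dict[str, int]:
    """Count Dependabot alerts: resolved vs. unresolved, and open critical/high."""
    summary = {"resolved": 0, "unresolved": 0, "critical": 0, "high": 0}
    for alert in alerts:
        if alert["state"] == "open":
            summary["unresolved"] += 1
            severity = alert["security_advisory"]["severity"]
            if severity in ("critical", "high"):
                summary[severity] += 1
        else:  # "fixed", "dismissed", "auto_dismissed" all count as resolved here
            summary["resolved"] += 1
    return summary


def evaluate_org(org_snapshot: dict, now: datetime) -> dict:
    """Run the checks that can be answered from the snapshot alone."""
    repos = org_snapshot["repos"]
    pvr = org_snapshot["private_vulnerability_reporting"]  # repo name -> {"enabled": bool}
    return {
        "has_dot_github_repo": any(r["name"] == ".github" for r in repos),
        # SECURITY.md at the root of the org's .github repo (list of file paths assumed)
        "has_security_md": "SECURITY.md" in org_snapshot.get("dot_github_files", []),
        "repo_count": len(repos),
        "inactive_repositories": inactive_repositories(repos, now),
        # Private vulnerability reporting must be enabled on every repo to pass
        "private_vuln_reporting_all_enabled": all(
            pvr.get(r["name"], {}).get("enabled", False) for r in repos
        ),
        "security_alerts": security_alert_summary(org_snapshot["dependabot_alerts"]),
    }


# Constructed sample snapshot (not real project data).
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_SNAPSHOT = {
    "repos": [
        {"name": ".github", "archived": False, "pushed_at": "2024-11-01T10:00:00Z"},
        {"name": "core", "archived": False, "pushed_at": "2024-12-15T08:30:00Z"},
        {"name": "widget", "archived": False, "pushed_at": "2023-06-01T09:00:00Z"},
        {"name": "legacy", "archived": True, "pushed_at": "2022-01-01T00:00:00Z"},
    ],
    "dot_github_files": ["README.md", "SECURITY.md"],
    "private_vulnerability_reporting": {
        ".github": {"enabled": True},
        "core": {"enabled": True},
        # "widget" has no entry: treated as not enabled
    },
    "dependabot_alerts": [
        {"state": "open", "security_advisory": {"severity": "critical"}},
        {"state": "open", "security_advisory": {"severity": "high"}},
        {"state": "open", "security_advisory": {"severity": "low"}},
        {"state": "fixed", "security_advisory": {"severity": "high"}},
    ],
}


def sample_results() -> dict:
    """Evaluate the constructed snapshot; used by the usage call below."""
    return evaluate_org(SAMPLE_SNAPSHOT, SAMPLE_NOW)


if __name__ == "__main__":
    for check, value in sample_results().items():
        print(f"{check}: {value}")
```

Archived repositories are deliberately excluded from the inactive count, since they are expected to be dormant; whether a dismissed alert should count as "resolved" is a policy choice and is only one of the possible readings of the list above.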