Determine Sub-Scores for Scorecard Results of this Repo and Assess if Any Actions Should Be Taken

[jspeed-meyers]

These is now a Scorecard score on the README. I'd be curious to run the tool on this repo and assess what the different sub-scores are. Additionally, I'd be curious if there is anything this project could do to improve the scores and, finally, if any of those possible actions are "worth" it.

[jspeed-meyers]

The results of Scorecard for this repo can be viewed in a UI here.

[jspeed-meyers]

One of the low-hanging fruit appears to be adding a SECURITY.md file. I've done that in PR #195. Feedback welcome.

[jspeed-meyers]

https://github.com/stacklok/frizbee could could be useful for pinning the versions of the GitHub Actions.

[jspeed-meyers]

PR #206 is yet another small step in pursuing a higher OpenSSF Scorecards score.

[jspeed-meyers]

The next step is to work on reducing the permissions of the GitHub Actions to read-only.

[jspeed-meyers]

Some relevant documentation related to oss-fuzz: https://google.github.io/oss-fuzz/getting-started/accepting-new-projects/

[jspeed-meyers]

Related to assessing GitHub Actions, this tool might be helpful: https://github.com/woodruffw/zizmor

[jspeed-meyers]

I wonder if I should add this: https://google.github.io/osv-scanner/github-action/#scan-on-pull-request