non-exhaustive list of checks to implement: - [ ] Has own project github organization - [ ] Has .github repo - [ ] Has .github/SECURITY.md file - [ ] Uses otterdog - [ ] Has default-security-policy blueprint - [ ] Has add-dot-github-repo blueprint - [ ] Number of commits ~1y - [ ] Number of commit authors ~1y - [ ] Number of repositories - [ ] Number of inactive repositories - [x] Number of EF committers - [ ] Number of inactive EF comitters - [ ] Number of members in EF security team - [ ] Is GitHub Private Vulnerability Reporting Enabled - [ ] Number of vulnerability reports ~6m - [ ] Number of Reports - [ ] Number of CVEs - [ ] Is Dependabot Security Alerts Enabled - [ ] Number of Security Alerts resolved - [ ] Number of Security Alerts unresolved - [ ] Number of Security Alerts Critical - [ ] Number of Security Alerts High - [ ] Is automated SBOM generation enabled - [ ] Outdated dependencies by time - [ ] Secret Scanning - [ ] ECA validation - [ ] Number of releases ~1y - [ ] Uses automated CI (GHA, Jenkins, Gitlab) - [ ] Zizmor result - [ ] Openssf Scorecard result
non-exhaustive list of checks to implement: