docs: Add OpenSSF Scorecard status badge to README.md #11897
Conversation
Created OpenSSF Scorecard badge for project README. Signed-off-by: redenferno <100324701+redenferno@users.noreply.github.com>
I am in for fewer badges unless really needed
@terrytangyuan generally I agree with that. In this case, this is specifically for the CNCF CLOMonitor, for which #9769 is a tracking issue. That issue was from last year's CNCF Security Slam, which will start up again this year in around two weeks (I'm planning on working on SLSA Level 3 and 4, as discussed in SIG Security yesterday). We are missing two badges for CLOMonitor; this is one of them. The OpenSSF Scorecard also requires running in CI, though, which we don't currently do as far as I know, so I think this badge is using an old result(?) or something. As CLOMonitor is a metric CNCF highlights for supply chain security, I think it would be good to bring our score up and in line with CD.
@redenferno have you worked on setting up the scorecard action? Without that the badge is a bit premature
If you haven't, I was planning to pick it up simultaneously with SLSA in October
Thanks
FYI @agilgur5, the Scorecard score presented in the badge will be accurate to the last weekly cron job (Google sponsors a scan of over a million repos every week, including this one). The GitHub Action can serve to increase the precision by updating the score whenever new code is merged, but it isn't a prerequisite for the badge.
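For reference, this is what the optional Scorecard Action mentioned above looks like when it is wired to publish results, so the badge refreshes on each merge rather than waiting for the weekly cron. This is an added example, not a workflow from this PR or the project; the default branch name and the `OWNER/REPO` placeholder are assumptions to be replaced.

```yaml
# Added example (not part of this PR): GitHub Actions workflow that runs the
# OpenSSF Scorecard action and publishes the result to the public Scorecard API,
# which is the same data source the README badge reads from.
# Assumptions: the default branch is called "main"; adjust if it differs.
name: Scorecard supply-chain security
on:
  push:
    branches: [main]          # refresh the published score on every merge
  schedule:
    - cron: '30 1 * * 6'      # also run weekly, independent of the public cron
  workflow_dispatch:

permissions: read-all          # least privilege by default for the whole workflow

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # upload the SARIF report to code scanning
      id-token: write          # required to publish results to the Scorecard API
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token on disk for later steps

      - name: Run analysis
        uses: ossf/scorecard-action@v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
          # publish_results: true is what updates the badge; set to false and the
          # badge keeps showing whatever the last weekly cron scan produced.
          publish_results: true

      - name: Upload to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

The badge itself points at `https://api.securityscorecards.dev/projects/github.com/OWNER/REPO/badge` and serves whichever score was published last, whether by this workflow or by the weekly cron.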
Oh I didn't know that, thanks for the context!
I didn't find anything in the docs yet, but I know this because the maintainers made sure it was included in the LF Course on the topic. They probably should add it to the docs more clearly. Here is confirmation from the BigQuery data that Argo Workflows is included in the cron:
Ah I found it. There are docs on this in the "Public Data" section of the scorecard README. It links to a CSV in the repo of all projects tracked as well (though it's ~70 MB so it can be difficult to load 😅 ). I believe the
Created OpenSSF Scorecard badge for project README.
Motivation
This was requested by @agilgur5 as part of #9769
Verification