
Donate openssf-scorecard-monitor ecosystem #3204

Closed
UlisesGascon opened this issue Jun 22, 2023 · 9 comments
Labels
kind/enhancement New feature or request

Comments

@UlisesGascon
Member

@justaugustus suggested that we donate the project, and we started the process some time ago 🙂

The openssf-scorecard-monitor is a GitHub action that allows you to track the OpenSSF Scorecard in your organization and dependencies with automated markdown and JSON reports, plus optional GitHub issue alerts and many other cool features.

This tool is currently used by several organizations. For example, in the Node.js Security Working Group, we use it to monitor key projects in our regular meetings. Here is the report that we use.

@KoolTheba, who is also a co-maintainer, is very happy with the idea and interested in donating the comparator and visualizer tool that we use in the reports called openssf-scorecard-api-visualizer.

I had the opportunity to work closely with some of you in the last months, and I am super excited to team up 🙌.

I wanted to create this issue to add more visibility to the donation and open the discussion to other maintainers interested in helping us with the process.

What are our next steps? 🚀

@UlisesGascon UlisesGascon added the kind/enhancement New feature or request label Jun 22, 2023
@justaugustus justaugustus self-assigned this Jun 29, 2023
@justaugustus
Member

@UlisesGascon -- my apologies for letting this linger!

I'm going to run down the donation next steps starting early next week.

@UlisesGascon
Member Author

Thanks @justaugustus! Looking forward to it! 🙌

@github-actions

github-actions bot commented Sep 6, 2023

Stale issue message

@UlisesGascon
Member Author

ping @justaugustus 🙂

@justaugustus
Member

@UlisesGascon -- I've opened a request with our WG to discuss the donation: ossf/wg-best-practices-os-developers#238

Sorry again for the wait!

@UlisesGascon
Member Author

Thanks a lot @justaugustus! :)


This issue is stale because it has been open for 60 days with no activity.

@justaugustus
Member

Reflecting the license scan results from ossf/wg-best-practices-os-developers#238 (comment) here as well:

LICENSE INTAKE SCAN & ANALYSIS: OpenSSF: openssf-scorecard-monitor

* This intake scan is a static analysis of the source code in your repository. A dependency scan was not performed. Once a project is added to LFX [https://security.lfx.linuxfoundation.org], you can use SNYK to view a dependency scan for both licenses and vulnerabilities.

CODE SCANNED: [pulled 01-Dec-2023]

* https://github.com/UlisesGascon/openssf-scorecard-monitor

PROJECT LICENSE: MIT

* Top level project license file found.

SPDX LICENSE IDENTIFIERS: SPDX license identifiers were not found in any source file headers.

* I recommend that SPDX license identifiers be added to ALL source file headers. [see https://spdx.dev/learn/handling-license-info for examples]

PERMISSIVE LICENSES: MIT, Apache-2.0, BSD-3-Clause

COPYLEFT LICENSES: None found

PROPRIETARY LICENSES: None found

LICENSE CONFLICTS: None found

BINARY / PACKAGE FILES: None found

THIRD PARTY CODE / DEPENDENCIES: Dependencies were found in package.json files. These dependencies were not scanned, and any potential license conflicts from them are not identified here.

* https://github.com/UlisesGascon/openssf-scorecard-monitor/blob/main/package.json

* https://github.com/UlisesGascon/openssf-scorecard-monitor/blob/main/package-lock.json

THIRD PARTY NOTICE FILE: None found

SUMMARY FINDINGS: The code is licensed under the MIT license, which is the project license. SPDX license identifiers were not found and should be added to all source file headers. No license conflicts found.

LICENSE INTAKE SCAN & ANALYSIS: OpenSSF: openssf-scorecard-api-visualizer

* This intake scan is a static analysis of the source code in your repository. A dependency scan was not performed. Once a project is added to LFX [https://security.lfx.linuxfoundation.org], you can use SNYK to view a dependency scan for both licenses and vulnerabilities.

CODE SCANNED: [pulled 01-Dec-2023]

* https://github.com/KoolTheba/openssf-scorecard-api-visualizer

PROJECT LICENSE: Apache-2.0

* Top level project license file found.

SPDX LICENSE IDENTIFIERS: SPDX license identifiers were not found in any source file headers.

* I recommend that SPDX license identifiers be added to ALL source file headers. [see https://spdx.dev/learn/handling-license-info for examples]

PERMISSIVE LICENSES: Apache-2.0

COPYLEFT LICENSES: None found

PROPRIETARY LICENSES: None found

LICENSE CONFLICTS: None found

BINARY / PACKAGE FILES: None found

THIRD PARTY CODE / DEPENDENCIES: Dependencies were found in package.json files. These dependencies were not scanned, and any potential license conflicts from them are not identified here.

* https://github.com/KoolTheba/openssf-scorecard-api-visualizer/blob/main/package.json

* https://github.com/KoolTheba/openssf-scorecard-api-visualizer/blob/main/package-lock.json

THIRD PARTY NOTICE FILE: None found

SUMMARY FINDINGS: The code is licensed under the Apache-2.0 license, which is the project license. SPDX license identifiers were not found and should be added to all source file headers. No license conflicts found.

@justaugustus
Member

This is complete with ossf/scorecard-monitor#79.
Welcome to the OpenSSF Scorecard project, @UlisesGascon and @KoolTheba!
