
Meet the best practice criteria of CNCF (CLOmonitor) #1860

Open
@FeynmanZhou

Description

CNCF CLOMonitor is a tool that periodically checks open source project repositories to verify they meet certain project health best practices. Ratify scores 89 on CLOMonitor, but there are a few failed items evaluated by CLOMonitor. We could fix these items to get a higher score and improve the security posture of the Ratify project.

Security

  • Dependencies policy: The project provides a policy that describes how dependencies are consumed and updated
  • Security insights: The project provides an OpenSSF Security Insights manifest file
  • Signed releases: The project cryptographically signs release artifacts
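To make the "Signed releases" item concrete from the consumer's side, here is an added example (not Ratify's own release tooling, and not part of the original issue) that shows the minimum a signed release gives a downstream user: a checksum manifest over the artifacts, a signature over that manifest, and a verification step that rejects a tampered artifact, a manifest entry that was not signed, or a signature from the wrong key. The artifact names and bytes are constructed stand-ins, and Ed25519 from the Go standard library is used in place of whatever signing tool a project actually adopts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Constructed release artifacts (stand-ins for real tarballs or binaries;
// these are not Ratify's actual release files).
var artifacts = map[string][]byte{
	"ratify_linux_amd64.tar.gz":  []byte("constructed artifact A"),
	"ratify_darwin_arm64.tar.gz": []byte("constructed artifact B"),
}

// NewReleaseKey generates a fresh Ed25519 release signing key pair.
// A real project would keep the private half in a release pipeline secret
// store or use keyless signing; this is for the example only.
func NewReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Checksums renders a sha256sum-style manifest ("<hex digest>  <name>\n"),
// sorted by name so the signed bytes are reproducible.
func Checksums(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.String()
}

// SignChecksums signs the manifest; one signature covers every artifact.
func SignChecksums(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// VerifyRelease is what a consumer should do before trusting an artifact:
//  1. verify the manifest signature with the publisher's public key,
//  2. look up the artifact's expected digest in that signed manifest,
//  3. recompute the digest of the downloaded bytes and compare.
func VerifyRelease(pub ed25519.PublicKey, manifest string, sig []byte, name string, data []byte) error {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return fmt.Errorf("checksum manifest signature invalid")
	}
	want := ""
	for _, line := range strings.Split(strings.TrimSpace(manifest), "\n") {
		fields := strings.Fields(line)
		if len(fields) == 2 && fields[1] == name {
			want = fields[0]
		}
	}
	if want == "" {
		return fmt.Errorf("artifact %q not listed in signed manifest", name)
	}
	sum := sha256.Sum256(data)
	if got := hex.EncodeToString(sum[:]); got != want {
		return fmt.Errorf("digest mismatch for %q: got %s want %s", name, got, want)
	}
	return nil
}

func main() {
	pub, priv := NewReleaseKey()
	manifest := Checksums(artifacts)
	sig := SignChecksums(priv, manifest)
	for name, data := range artifacts {
		fmt.Printf("%s: %v\n", name, VerifyRelease(pub, manifest, sig, name, data))
	}
	// Flip one byte of an artifact after signing: verification must fail.
	tampered := append([]byte(nil), artifacts["ratify_linux_amd64.tar.gz"]...)
	tampered[0] ^= 0xff
	fmt.Println("tampered:", VerifyRelease(pub, manifest, sig, "ratify_linux_amd64.tar.gz", tampered))
}
```

The design point is that the signature binds the whole manifest, so an attacker who can replace a download cannot also add or alter a checksum line without invalidating the signature; checksums alone, served from the same place as the artifacts, give no such guarantee.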

Best practice and license check

  • Summary Table: Projects should provide some information for the Landscape Summary Table
  • License scanning: The project scans for and automatically identifies, manages and addresses open source licensing issues
  • Artifact Hub badge: Projects can list their content on Artifact Hub to improve their discoverability
  • ratify-web repo: The project should have released at least one version in the last year. Keep regular releases each year.
