Add OpenSSF Scorecard GitHub Action

Hi, I’m Pedro and I’m working with Google and the Open Source Security Foundation (OpenSSF) to help open-source projects improve their supply-chain security. Given Rails’ widespread use, the OpenSSF has named it one of the 100 most important open-source projects.

I’d like to suggest adding the OpenSSF Scorecard to Rails via the Scorecard GitHub Action. The Scorecard performs a sort of “meta-analysis” of a project’s security posture via multiple checks on things such as repo settings and workflow definitions to ensure that the project is following best practices whenever possible. If any regressions are detected, they are sent to the Security Dashboard along with objective instructions on how they can be handled.

I was happy to see that Rails has already interacted with the OpenSSF in the past: you’re on the OpenSSF (formerly CII) Best Practices program, and the suggestions in #45150 were based on the Scorecard.

If you’d be interested in a PR to add the Action, let me know!