Description
What would you like to be added:
Enable OpenSSF Scorecard for the dive repository by integrating the OpenSSF Scorecard GitHub Action and publishing the results (for example, via a Scorecard badge and scheduled CI runs). This would allow continuous, automated evaluation of the project’s security posture.
Why is this needed:
OpenSSF Scorecard is widely used by downstream users, Linux distributions, and security teams to assess the supply-chain security maturity of open source projects.
A recent manual run of Scorecard against wagoodman/dive results in an aggregate score of 4.9 / 10, with several checks indicating missing or improvable security controls (e.g., Security Policy, Signed Releases, SAST, Fuzzing, Token Permissions, and pinned dependencies). Enabling Scorecard in CI would:
- Provide continuous visibility into security best practices and regressions.
- Help prioritize and track remediation efforts over time.
- Increase trust and adoption among users who rely on Scorecard signals for dependency risk assessment.
- Align dive with OpenSSF and SLSA-aligned best practices.
Additional context:
- Several checks already score well (License, Contributors, Dangerous Workflow, Dependency Update Tool), indicating a strong foundation.
- Automating Scorecard runs (e.g., weekly or on push) would eliminate the need for ad-hoc manual scans.
- Command used to generate the current Scorecard report:
```
docker run -e GITHUB_AUTH_TOKEN=${GITHUB_AUTH_TOKEN} \
  gcr.io/openssf/scorecard:stable \
  --show-details \
  --repo=https://github.com/wagoodman/dive
```