Improve Scorecard score for in-toto-golang

[viveksahu26]

Description of the feature request:

To improve the OpenSSF scorecard for in-toto-golang.
The current score is 5.4/10 as on 2023-11-13
This score is static, so to continuously updating the score requires a workflow.

Solution description
We need to work on each area to analyze where the score has dropped and how we can improve upon it! The following steps are:

• CI Test
• CII Best Practices
• Contributors
• License
• Code Review
• Fuzzing test
• Packaging
• Pinned Dependencies
• SAST
• Security Policy
• Binary Artifact
• Branch protection
• Dependency Update Tool
• Maintained
• Signed Release
• Token Permission
• Vulnerabilities
• Dangerous Workflow
• Webhooks

Scorecard Result Detail
Current Score: 5.4/10

SCORE	NAME	REASON	DETAILS	DOCS
10	Maintained	30 commit(s) out of 30 and 2 issue activity out of 30 found in the last 90 days -- score normalized to 10	null	https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#maintained"
10	Code-Review	all changesets reviewed	null	https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#code-review
0	CII-Best-Practices	no effort to earn an OpenSSF best practices badge detected	null	https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#cii-best-practices
9	License	license file detected.	Warn: project license file does not contain an FSF or OSI license.","Info: License file found in expected location: LICENSE:1	https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#license
-1	Signed-Releases	no releases found	"Warn: no GitHub releases found"	https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#signed-releases
0	Branch-Protection	branch protection not enabled on development/release branches.	"Warn: branch protection not enabled for branch 'master'	https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#branch-protection
-1	Packaging	packaging workflow not detected.	"Warn: no GitHub/GitLab publishing workflow detected.	https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#packaging
0	Token-Permissions	detected GitHub workflow tokens with excessive permissions.	Warn: no topLevel permission defined: .github/workflows/build.yml:1","Warn: no topLevel permission defined: .github/workflows/lint.yml:1","Warn: no topLevel permission defined: .github/workflows/verify-docgen-fmt.yml:1","Info: no jobLevel write permissions found"	https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#token-permissions
10	Dangerous-Workflow	no dangerous workflow patterns detected	null	https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#dangerous-workflow
9	Binary-Artifacts	binaries present in source code	Warn: binary detected: test/data/helloworld:1	https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#binary-artifacts
0	Fuzzing	project is not fuzzed	Warn: no OSSFuzz integration found, Warn: no GoBuiltInFuzzer integration found	https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#fuzzing
3	Pinned-Dependencies	dependency not pinned by hash detected	Warn: containerImage not pinned by hash: Dockerfile:3","Warn: containerImage not pinned by hash: Dockerfile:12","Warn: containerImage not pinned by hash: Dockerfile:16: pin your Docker image by updating gcr.io/distroless/base to gcr.io/distroless/base@sha256:b31a6e02605827e77b7ebb82a0ac9669ec51091edd62c2c076175e05556f4ab9","Warn: goCommand not pinned by hash: .github/workflows/build.yml:27","Info: 7 out of 7 GitHub-owned GitHubAction dependencies pinned","Info: 1 out of 1 third-party GitHubAction dependencies pinned","Info: 0 out of 3 containerImage dependencies pinned","Info: 0 out of 1 goCommand dependencies pinned"	https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#pinned-dependencies
0	Security-Policy	security policy file not detected	Warn: no security policy file detected"	https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#security-policy
10	Vulnerabilities	0 existing vulnerabilities detected	null	https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#vulnerabilities
0	SAST	SAST tool is not run on all commits	Warn: CodeQL tool not installed","Warn: 0 commits out of 30 are checked with a SAST tool	https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#sast

\en

[viveksahu26]

To see the full details of current score: https://api.securityscorecards.dev/projects/github.com/in-toto/in-toto-golang