Skip to content

Commit

Permalink
📖 governance: Add Incubation application submission (#4200)
Browse files Browse the repository at this point in the history
* governance: Add template for project Incubation application
* incubation: Cleanup markuplint warnings
* governance: Draft Incubation application submission
* governance: Update Incubation application submission
* governance: Update Incubation application to include Sandbox reqs

---------

Signed-off-by: Stephen Augustus <[email protected]>
  • Loading branch information
justaugustus authored Oct 3, 2024
1 parent 41f91ed commit 1a5585c
Showing 1 changed file with 89 additions and 0 deletions.
89 changes: 89 additions & 0 deletions governance/openssf_scorecard_incubation_stage.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,89 @@
# OpenSSF Scorecard — Incubation application

## Project has met all Sandbox requirements

The only Sandbox application requirement that is not listed as part of the Incubation application superset is the matter of project sponsorship.

### Sponsor

Most projects will report to an existing OpenSSF Working Group, although in some cases a project may report directly to the TAC. The project commits to providing quarterly updates on progress to the group they report to.

OpenSSF Scorecard is a project of the Best Practices Working Group.

## List of project maintainers

The project must have a minimum of three maintainers with a minimum of two different organizational affiliations.

- Stephen Augustus, Cisco, [@justaugustus](https://github.com/justaugustus)
- Raghav Kaul, Google, [@raghavkaul](https://github.com/raghavkaul)
- Jeff Mendoza, Kusari, [@jeffmendoza](https://github.com/jeffmendoza)
- Spencer Schrock, Google, [@spencerschrock](https://github.com/spencerschrock)
- Laurent Simon, Independent, [@laurentsimon](https://github.com/laurentsimon)
- Naveen Srinivasan, Independent, [@naveensrinivasan](https://github.com/naveensrinivasan)

The current list of OpenSSF Scorecard maintainers can be found [here](https://github.com/ossf/scorecard/blob/main/MAINTAINERS.md).

## Mission of the project

The project must be aligned with the OpenSSF mission and either be a novel approach for existing areas, address an unfulfilled need, or be code needed to deliver OpenSSF WG work. It is preferred that extensions of existing OpenSSF projects collaborate with the existing project rather than seek a new project.

The mission of OpenSSF Scorecard is to automate analysis on the security posture of open source projects.

The current charter of the OpenSSF Scorecard project can be found [here](https://github.com/ossf/scorecard/blob/main/CHARTER.md).

## Project adoption

The project should be able to show adoption by multiple parties and the adoption's value to the open source community and/or end users (may include adoption of beta/early versions).

- OpenSSF Scorecard results are required as part of all current applications for OpenSSF [Incubating](https://github.com/ossf/tac/blob/c76e94ed192379ede5b3e5e143c372125bac6aa8/process/templates/PROJECT_NAME_incubation_stage.md) and [Graduated](https://github.com/ossf/tac/blob/c76e94ed192379ede5b3e5e143c372125bac6aa8/process/templates/PROJECT_NAME_graduation_stage.md) projects
- [CLOMonitor](https://github.com/cncf/clomonitor), a CNCF tool that periodically checks open source projects repositories to verify they meet certain project health best practices, leverages OpenSSF Scorecard for several of its checks.
- [Allstar](https://github.com/ossf/allstar) is a GitHub App that continuously monitors GitHub organizations or repositories for adherence to security best practices. Allstar has since been added an OpenSSF Scorecard project.
- [Prominent OpenSSF Scorecard Users](https://github.com/ossf/scorecard?tab=readme-ov-file#prominent-scorecard-users)
- [4.5k stars](https://github.com/ossf/scorecard/stargazers), [~500 forks](https://github.com/ossf/scorecard/forks)
- [GitHub dependency graph](https://github.com/ossf/scorecard/network/dependents)

## Governance

Project must have met publicly at least 5 times in the last quarter since becoming Sandbox

- Link to public meeting notes (or ideally recordings): https://docs.google.com/document/d/1b6d3CVJLsl7YnTE7ZaZQHdkdYIvuOQ8rzAmvVdypOWM/edit?usp=sharing

Projects must have documented, initial project governance

- https://github.com/ossf/scorecard/blob/main/CHARTER.md

Project must have defined Contributor Guide

- https://github.com/ossf/scorecard/blob/main/CONTRIBUTING.md

Project has attained an OpenSSF Best Practice Badge at "passing" level

- https://www.bestpractices.dev/en/projects/5621

Project is integrated into the OpenSSF Scorecard

- https://scorecard.dev/viewer/?uri=github.com/ossf/scorecard

## IP policy and licensing due diligence

When contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF). This step is only needed for the initial donation and only applicable here, if the project intends to join the OpenSSF Incubation stage.

N/A, this project has been under OpenSSF governance for multiple years

## Project References

The project should provide a list of existing resources with links to the repository, website, a roadmap, contributing guide, demos and walkthroughs, and any other material to showcase the existing breadth, maturity, and direction of the project.

| Reference | URL |
|---|---|
| Repo | https://github.com/ossf/scorecard |
| Meeting Agenda | https://docs.google.com/document/d/1b6d3CVJLsl7YnTE7ZaZQHdkdYIvuOQ8rzAmvVdypOWM/edit?usp=sharing |
| OSSF Calendar Entry | https://github.com/ossf/scorecard?tab=readme-ov-file#join-the-scorecard-project-meeting |
| Website | https://scorecard.dev/ |
| Contributing guide | https://github.com/ossf/scorecard/blob/main/CONTRIBUTING.md |
| Security.md | https://github.com/ossf/scorecard/blob/main/SECURITY.md |
| Roadmap | https://github.com/orgs/ossf/projects/24/views/4 |
| Demos | https://openssf.org/training/securing-projects-with-openssf-scorecard-course/ |
| Best Practices Badge | https://www.bestpractices.dev/en/projects/5621 |
| Scorecard integration | https://scorecard.dev/viewer/?uri=github.com/ossf/scorecard |
| Other | N/A |

0 comments on commit 1a5585c

Please sign in to comment.