
BREAKING NEWS: The scorecard Monitor is part of the OSSF 🥳 #79

Open
UlisesGascon opened this issue Jun 10, 2024 · 4 comments

UlisesGascon (Member) commented Jun 10, 2024

TL;DR:

I am very glad to announce that this repository is now part of the OSSF Organization, so the Scorecard Visualizer is now an official tool in the OSSF Scorecard ecosystem.

Important Details

As part of the migration process, the repository has been transferred to the OSSF (from UlisesGascon/openssf-scorecard-monitor to ossf/scorecard-monitor). The redirection should be working, so no additional steps are required on your part. Starting from version v2.0.0-beta8 (soon to be released), we will use the new URLs.

Let's celebrate this moment together

This journey started a long time ago, even before the first commit in Feb 2023, when we started to adopt the OSSF Scorecard in the Node.js Organization (nodejs/security-wg#851) in Dec '22, thanks to the GOSST Team (@gabibguti, @joycebrum, @pnacht, @diogoteles08 and others) that helped us understand in detail what this project is about and how it can help our organization be more secure (full video).

As soon as I understood how important this was for the Open Source Community, I tried to spread this idea into the ecosystem, so I started to blog about it and discuss it with the community on social media.

The real challenge came when we needed to adopt it at the scale of Node.js, in the Node.js Security WG (nodejs/security-wg#851 (comment)). We realized that we needed a tool to help us monitor the scoring over time. In the following weeks, we started to iterate over this idea until we had the most basic features of the Monitor, especially thanks to the Security WG (@mhdawson, @RafaelGSS, @marco-ippolito, @fraxken and others) for all the patience, feedback, ideas, and contributions to consolidate this tool and make it extensible to the community.

Once we had a clear idea on how to track the scores in our repositories, we realized that it was very hard for us to spot the evolution in terms of scoring differences. So, @KoolTheba joined the efforts by creating the Scorecard Visualizer that allowed us to showcase the scorecard details per project using commit hashes and to compare between two different commits. This was a game-changer for us as it allowed us to quickly spot the differences and act on them on a bi-weekly basis, especially when the diff details were added.

Our next big problem was how to reduce the Time To Remediation (TTR). One day, the Step Security team did an eye-opening demo for the Node.js Security WG (#37). Thanks, @varunsh-coder and @boahc077, for showing us the right way. Since then, there is a "fix it" link in the report to quickly apply many scorecard recommendations in any GitHub project.

I want to especially thank all the collaborators (@KoolTheba, @justaugustus, @lelia, @rajbos and others...) who helped us on this amazing journey, as well as all the users (@inigomarquinez, carpasse and others) and orgs that were early adopters and provided invaluable feedback and perspectives to the project!

Finally, thanks to the OpenJS Security Collab (@ruddermann, @ctcpip, @ljharb, @mrutkows, @shusak, @joesepi, @rginn, @bensternthal and others) for the endless discussions and invaluable knowledge shared in every session. Also, to the OSSF team for building these amazing tools and sharing them with me in advance (@laurentsimon, @naveensrinivasan and others...), and to the OSSF for helping us throughout the donation journey and making all the changes required for us to join (@justaugustus, @afmarcum, @bbpursell1 and others).

📢 You can follow this discussion on Twitter, LinkedIn and Mastodon

@UlisesGascon UlisesGascon changed the title BREAKING NEWS: The scorecard Monitor is part of the OSSF Organization! 🥳 BREAKING NEWS: The scorecard Monitor is part of the OSSF 🥳 Jun 10, 2024
@UlisesGascon UlisesGascon pinned this issue Jun 10, 2024
@inigomarquinez

Congratulations @UlisesGascon !

Happy to see that these tools that I've been using for a while keep improving and gradually becoming official in the Open Source world. 🚀

lelia (Contributor) commented Jun 20, 2024

Great news, @UlisesGascon! 🎉

I wanted to clarify one thing about the status of v2.0.0-beta8, as I noticed this tag is now referenced in the README.md and package.json, but I don't see a corresponding release for beta8 yet.

Is the tagging of this release intentionally delayed as part of the transition to ossf? Thanks!

@bbpursell1 (Collaborator)

There was a hold-up on legal review of the Marketplace Developer policy. This is now approved, and @UlisesGascon should be able to publish it when he is ready.

@justaugustus (Member)

There are a few things I want to review copy-wise before we republish. @UlisesGascon, let's have a quick sync in the next week before a new rev.

UlisesGascon added a commit to UlisesGascon/.github-1 that referenced this issue Jun 27, 2024
UlisesGascon added a commit to onebeyond/maintainers that referenced this issue Jun 27, 2024
UlisesGascon added a commit to expressjs/security-wg that referenced this issue Jun 27, 2024
UlisesGascon added a commit to nodejs/security-wg that referenced this issue Jun 27, 2024
UlisesGascon added a commit to UlisesGascon/.github-2 that referenced this issue Jun 27, 2024
RafaelGSS pushed a commit to nodejs/security-wg that referenced this issue Jun 27, 2024
UlisesGascon added a commit to expressjs/security-wg that referenced this issue Jun 27, 2024