From 989e50a20ec842cdca8c62cd1a108770db1ff034 Mon Sep 17 00:00:00 2001 From: Dana Wang Date: Wed, 17 Jul 2024 10:32:26 -0500 Subject: [PATCH] Update security_baseline.md Updated "SHOULD" to "MUST" for Scorecard onboarding for becoming incubating Signed-off-by: Dana Wang --- process/security_baseline.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/process/security_baseline.md b/process/security_baseline.md index 690fb9f1..06577723 100644 --- a/process/security_baseline.md +++ b/process/security_baseline.md 
@@ -89,7 +89,7 @@ When the project starts, it's critical to have a security foundation to reduce a ### Baseline - To Become Incubating -As the project codebase grows and more features are added, increasing complexity, it becomes crucial to leverage security tools to identify vulnerabilities in the codebase or dependent software early on. Addressing critical issues early prevents costly fixes in the future. At this stage, projects SHOULD onboard to OpenSSF Scorecard by following the [installation instructions](https://github.com/ossf/scorecard-action#installation) of [Scorecard GitHub Action](https://github.com/ossf/scorecard-action). The Action runs on any repository change and raises alerts. ​​Repository administrators, organization owners, and people with write or maintain access to a repository can view the alerts in the repository’s Security tab. Ensure Scorecard is enabled for the project by following [Scorecard Verify Runs](https://github.com/ossf/scorecard-action?tab=readme-ov-file#verify-runs) instruction. +As the project codebase grows and more features are added, increasing complexity, it becomes crucial to leverage security tools to identify vulnerabilities in the codebase or dependent software early on. Addressing critical issues early prevents costly fixes in the future. At this stage, projects MUST onboard to OpenSSF Scorecard by following the [installation instructions](https://github.com/ossf/scorecard-action#installation) of [Scorecard GitHub Action](https://github.com/ossf/scorecard-action). The Action runs on any repository change and raises alerts. ​​Repository administrators, organization owners, and people with write or maintain access to a repository can view the alerts in the repository’s Security tab. Ensure Scorecard is enabled for the project by following [Scorecard Verify Runs](https://github.com/ossf/scorecard-action?tab=readme-ov-file#verify-runs) instruction. 
| Security Baseline | Objective | How to Implement | How to Verify| |-------|-------|-------|-------|
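Review bot: the added line keeps the verification step in the soft imperative ("Ensure Scorecard is enabled for the project by following ... instruction") even though the onboarding sentence just before it is now a MUST; since the Verify Runs step is what proves the Action is actually executing, consider stating it with the same requirement level, e.g. "Projects MUST confirm Scorecard is running by following the [Scorecard Verify Runs](...) instructions" (also fixing "instruction" to "instructions"). While touching this line, also drop the two invisible zero-width characters that precede "Repository administrators" in both the old and new versions of the paragraph; they survive the edit unchanged and render as stray whitespace in some viewers.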