## Decomposition

**Documentation**

- [ ] Contributing - add a file `contributing`: https://clomonitor.io/docs/topics/checks/#contributing
- [ ] Maintainers - add a file `maintainers`: https://clomonitor.io/docs/topics/checks/#maintainers

**License**

- [ ] License scanning - add a link in `README.md`: https://clomonitor.io/docs/topics/checks/#license-scanning

**Best Practices**

- [ ] Artifact Hub badge - add a link to [artifacthub.io](https://artifacthub.io/) in `README.md` and probably update the NSM state on [artifacthub.io](https://artifacthub.io/): https://clomonitor.io/docs/topics/checks/#artifact-hub-badge
- [ ] OpenSSF best practices badge - add a link to the OpenSSF best practices badge in `README.md`: https://clomonitor.io/docs/topics/checks/#openssf-best-practices-badge
- [ ] OpenSSF Scorecard badge - add the OpenSSF Scorecard badge and probably add the OpenSSF Scorecard GitHub Action: https://clomonitor.io/docs/topics/checks/#openssf-scorecard-badge

**Security**

- [ ] Dependencies policy - ?
- [ ] Dependency update tool - use [dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates) or [renovatebot](https://docs.renovatebot.com/configuration-options/) to update dependencies in the repo: https://clomonitor.io/docs/topics/checks/#dependency-update-tool-from-openssf-scorecard
- [ ] Maintained - actively maintain the repo: https://clomonitor.io/docs/topics/checks/#maintained-from-openssf-scorecard
- [ ] Software bill of materials - ?
- [ ] Security insights - add a file `SECURITY-INSIGHTS.yml`: https://clomonitor.io/docs/topics/checks/#security-insights (spec: https://github.com/ossf/security-insights-spec/blob/v1.0.0/specification.md)
- [ ] Security policy - add a file `security`: https://clomonitor.io/docs/topics/checks/#security-policy
- [ ] Signed releases - cryptographically sign release artifacts: https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases
- [ ] Token permissions - set the top-level `GITHUB_TOKEN` permissions of every workflow to read-only and grant write scopes only per job where a step needs them: https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
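Worked example for the "OpenSSF Scorecard badge" and "Token permissions" items above. This is an added example, not a workflow from the NSM repos: it follows the layout of the workflow template in the `ossf/scorecard-action` README, with a read-only top-level `permissions` block and write scopes granted only to the one job that needs them. The action version tags (`@v4`, `@v2.3.1`, `@v3`) are assumptions and should be replaced with the current releases; Scorecard's own Pinned-Dependencies check additionally wants them pinned to full commit SHAs.

```yaml
# .github/workflows/scorecard.yml (added example, not NSM code)
name: Scorecard supply-chain security

on:
  branch_protection_rule:
  schedule:
    - cron: "20 7 * * 2"   # weekly re-scan so the badge does not go stale
  push:
    branches: ["main"]

# Read-only for the whole workflow: this is what the Scorecard
# Token-Permissions check looks for at the top level.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    # Elevate only here, only the two scopes the job actually needs.
    permissions:
      security-events: write   # upload SARIF to code scanning
      id-token: write          # OIDC token for publish_results

    steps:
      - name: Checkout code
        uses: actions/checkout@v4   # version tag assumed; pin to a SHA in practice
        with:
          persist-credentials: false  # do not leave the token in .git/config

      - name: Run analysis
        uses: ossf/scorecard-action@v2.3.1   # version tag assumed
        with:
          results_file: results.sarif
          results_format: sarif
          # publish_results: true is what makes the badge at
          # https://api.securityscorecards.dev/projects/github.com/<org>/<repo>/badge
          # resolve for a public repo.
          publish_results: true

      - name: Upload artifact
        uses: actions/upload-artifact@v4   # version tag assumed
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@v3   # version tag assumed
        with:
          sarif_file: results.sarif
```

Once `publish_results` has run at least once on the default branch, the README badge is `[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/<org>/<repo>/badge)](https://securityscorecards.dev/viewer/?uri=github.com/<org>/<repo>)` with the org and repo filled in. Other workflows in the repo need the same `permissions: read-all` (or `contents: read`) at the top level for the Token-Permissions check to pass.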
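Worked example for the "Dependency update tool" item. Added here as an illustration, not taken from the NSM repos; it assumes a Go module at the repo root plus GitHub Actions workflows and a Dockerfile, which is a guess about the repo layout. Only the `.github/dependabot.yml` file is needed for Scorecard's Dependency-Update-Tool check to detect Dependabot; a `renovate.json` works for Renovate.

```yaml
# .github/dependabot.yml (added example; ecosystems assumed for a Go repo)
version: 2
updates:
  # Go module dependencies
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    groups:
      # one PR per week for all Go bumps instead of one PR per module
      go-deps:
        patterns: ["*"]

  # Action versions used by the workflows themselves; keeps the
  # pinned `uses:` lines current, which Scorecard's
  # Pinned-Dependencies check also cares about.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

  # Base images in the Dockerfile (drop this block if there is none)
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
```

Keep `open-pull-requests-limit` low enough that the PRs actually get reviewed; an unattended backlog of dependency PRs satisfies the check but not its purpose.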
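Worked example for the "Security insights" item. This is an added, minimal `SECURITY-INSIGHTS.yml` written against the v1.0.0 spec linked above, not a file from the NSM repos. The field names are my reading of that spec and the values (project URL, contact address, maintainer handles, dates) are placeholders; check every key against the linked specification before committing, since CLOMonitor only credits the check when the file parses as valid.

```yaml
# SECURITY-INSIGHTS.yml (added example; all values are placeholders)
header:
  schema-version: 1.0.0
  # The spec requires an expiration date; set it so the file is
  # reviewed at least yearly, not far in the future.
  expiration-date: "2025-01-01T00:00:00.000Z"
  last-updated: "2024-01-01"
  last-reviewed: "2024-01-01"
  project-url: https://github.com/example-org/example-repo   # placeholder
  project-release: "1.0.0"                                    # placeholder
  changelog: https://github.com/example-org/example-repo/releases
  license: https://github.com/example-org/example-repo/blob/main/LICENSE

project-lifecycle:
  stage: active
  bug-fixes-only: false
  core-maintainers:
    - https://github.com/example-maintainer   # placeholder handle

contribution-policy:
  accepts-pull-requests: true
  accepts-automated-pull-requests: true      # true if Dependabot/Renovate is enabled
  contributing-policy: https://github.com/example-org/example-repo/blob/main/CONTRIBUTING.md
  code-of-conduct: https://github.com/example-org/example-repo/blob/main/CODE_OF_CONDUCT.md

security-contacts:
  - type: email
    value: security@example.org              # placeholder address
    primary: true

vulnerability-reporting:
  accepts-vulnerability-reports: true
  email-contact: security@example.org        # placeholder address
  security-policy: https://github.com/example-org/example-repo/blob/main/SECURITY.md
  bug-bounty-available: false

dependencies:
  third-party-packages: true
  dependencies-lists:
    - https://github.com/example-org/example-repo/blob/main/go.mod
```

The `vulnerability-reporting.security-policy` URL should point at the same `SECURITY.md` added for the "Security policy" item, so the two checks stay consistent.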
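Worked example for the "Signed releases" item, added here as an illustration rather than taken from the NSM repos. It signs a release tarball with Sigstore cosign in keyless mode (the workflow's OIDC identity is the signing identity, so no long-lived key is stored in the repo) and attaches the `.sig` and certificate next to the artifact; Scorecard's Signed-Releases check looks for such signature files among the release assets. The build step, artifact name and action version tags are assumptions.

```yaml
# .github/workflows/release.yml (added example, not NSM code)
name: Release

on:
  push:
    tags: ["v*"]

permissions: read-all   # top-level stays read-only (Token-Permissions check)

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # needed to create the release and upload assets
      id-token: write   # OIDC token that cosign exchanges for a short-lived cert

    steps:
      - uses: actions/checkout@v4   # version tag assumed; pin to a SHA in practice
        with:
          persist-credentials: false

      - uses: sigstore/cosign-installer@v3   # version tag assumed

      - name: Build release artifact
        # Hypothetical build step; replace with the project's real one.
        run: |
          mkdir -p dist
          tar --exclude=.git -czf "dist/release-${GITHUB_REF_NAME}.tar.gz" .

      - name: Sign artifact (keyless)
        run: |
          ART="dist/release-${GITHUB_REF_NAME}.tar.gz"
          cosign sign-blob --yes \
            --output-signature "${ART}.sig" \
            --output-certificate "${ART}.pem" \
            "${ART}"

      - name: Publish release with signature files as assets
        uses: softprops/action-gh-release@v2   # version tag assumed
        with:
          files: dist/*
```

A consumer verifies the asset by checking that the certificate was issued for this workflow identity, not merely that the signature matches: `cosign verify-blob --certificate release-v1.0.0.tar.gz.pem --signature release-v1.0.0.tar.gz.sig --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'https://github.com/<org>/<repo>/' release-v1.0.0.tar.gz`. Without the identity constraints any Sigstore-signed blob would verify.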