We've invested time into understanding this space. It seems that for NuGet to thrive with scorecards, we will be heavily dependent on #4177 for many Microsoft packages, as they haven't quite moved to GH Actions yet. This work, however, will work just fine for other prominent packages that are already on GH Actions and follow the best practices outlined.
Additionally, it seems that no other package manager has implemented the basic pinned dependencies check for ensuring "pinned versions" are included.
Based on the recent SonaType survey, the following are emphasized across various ecosystems:
Therefore, this issue should track the following support (or lack thereof) of the most impactful/implemented today:
While some of these are repository & CI/CD specific, in the context of a package, i.e. `scorecard --nuget=System.Text.Json --show-details`, we have a lot of work to do.
OLD:
The scorecard project currently only supports npm, golang, and pip as far as I could tell. I'm a PM on the NuGet team at Microsoft and would love to help contribute adding support for NuGet in this tool or providing the right guidance to implement support for NuGet. This closely aligns with a proposal I had last year and would love to experiment with this scorecard in .NET:
dotnet/designs#216
Please feel free to reach out to us over at NuGet/Home on GitHub or in this issue. Any steps on how to best contribute adding this support would be greatly appreciated!
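The pinned-dependencies check discussed above, sketched for NuGet as an added example written for this page; it is not code from the scorecard project and does not use scorecard's check API. It parses a constructed `.csproj` (embedded below and labelled as such), reads every `PackageReference`, and classifies its `Version` using NuGet's version-range syntax: `[1.2.3]` is an exact pin, a bare `1.2.3` is a lower bound that restore resolves to the lowest matching version, `[1.0,2.0)` is a range, and anything containing `*` is floating. The function names (`checkPinnedDependencies`, `unpinned`, `classify`) are hypothetical.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// sampleCsproj is a constructed project file used as input for this example.
// It mixes every version style a reviewer is likely to meet in the wild.
const sampleCsproj = `<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="System.Text.Json" Version="7.0.3" />
    <PackageReference Include="Newtonsoft.Json" Version="13.*" />
    <PackageReference Include="Serilog" Version="[2.12.0]" />
    <PackageReference Include="Polly" Version="[7.0,8.0)" />
    <PackageReference Include="Unversioned.Package" />
  </ItemGroup>
</Project>`

// packageReference accepts Version either as an attribute or as a child element;
// both spellings are valid in MSBuild project files.
type packageReference struct {
	Include     string `xml:"Include,attr"`
	VersionAttr string `xml:"Version,attr"`
	VersionElem string `xml:"Version"`
}

type itemGroup struct {
	PackageReferences []packageReference `xml:"PackageReference"`
}

type project struct {
	XMLName    xml.Name    `xml:"Project"`
	ItemGroups []itemGroup `xml:"ItemGroup"`
}

// pinState describes how tightly a PackageReference constrains the resolved version.
type pinState int

const (
	pinExact    pinState = iota // [1.2.3]: exactly one version can satisfy it
	pinMinimum                  // 1.2.3: lower bound; restore picks the lowest match
	pinRange                    // [1.0,2.0), (,5.0] and similar: several versions satisfy it
	pinFloating                 // 13.* or 1.0.0-*: resolves to the newest match at restore time
	pinMissing                  // no Version at all (resolution depends on other inputs)
)

func (s pinState) String() string {
	return [...]string{"exact", "minimum", "range", "floating", "missing"}[s]
}

// classify maps a NuGet version string to a pinState using the syntax rules
// stated in the lead-in; it is a syntactic check and does not contact any feed.
func classify(version string) pinState {
	v := strings.TrimSpace(version)
	switch {
	case v == "":
		return pinMissing
	case strings.Contains(v, "*"):
		return pinFloating
	case strings.HasPrefix(v, "[") && strings.HasSuffix(v, "]") && !strings.Contains(v, ","):
		return pinExact
	case strings.ContainsAny(v, "[](),"):
		return pinRange
	default:
		return pinMinimum
	}
}

type finding struct {
	Package string
	Version string
	State   pinState
}

// checkPinnedDependencies parses a project file and classifies each PackageReference.
func checkPinnedDependencies(csproj string) ([]finding, error) {
	var p project
	if err := xml.Unmarshal([]byte(csproj), &p); err != nil {
		return nil, fmt.Errorf("parse csproj: %w", err)
	}
	var out []finding
	for _, g := range p.ItemGroups {
		for _, r := range g.PackageReferences {
			v := r.VersionAttr
			if v == "" {
				v = r.VersionElem
			}
			out = append(out, finding{Package: r.Include, Version: v, State: classify(v)})
		}
	}
	return out, nil
}

// unpinned returns the findings a pinned-dependencies check would flag. A bare
// minimum version is accepted here because restore selects the lowest match;
// the caveat is that a transitive requirement can still push it higher, which
// only a packages.lock.json fully rules out.
func unpinned(fs []finding) []finding {
	var out []finding
	for _, f := range fs {
		if f.State == pinFloating || f.State == pinRange || f.State == pinMissing {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	fs, err := checkPinnedDependencies(sampleCsproj)
	if err != nil {
		panic(err)
	}
	for _, f := range unpinned(fs) {
		fmt.Printf("%-22s %-12q %s\n", f.Package, f.Version, f.State)
	}
}
```

Run against the constructed project it flags `Newtonsoft.Json` (floating), `Polly` (range) and `Unversioned.Package` (missing), and leaves `System.Text.Json` and `Serilog` alone. A real check would also need to read `Directory.Packages.props` when central package management moves the versions out of the project file, and to give credit for a committed `packages.lock.json`.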