Description
Hello python-docx Maintainers,
I sincerely appreciate your hard work on this project.
In today's digital landscape, the security of open - source software (OSS) has become a pressing concern. The Open Source Security Foundation (OpenSSF), a sub - foundation of the Linux Foundation, has been dedicated to enhancing OSS security for many years.
One of the valuable tools developed by OpenSSF is Scorecard. It provides a set of security checkpoints for OSS projects. After analyzing our project with Scorecard, it has identified several areas where we can improve security:
1. Branch Protection
Enabling branch protection rules and mandatory code reviews can significantly reduce the risk of introducing vulnerabilities. The important branches should be protected because it should not be deleted or forced pushed by mistaken.
You can check it in the Settings - Branches page, You can click the Add branch ruleset or Add classic branch protection rule to protect one or more branches.
2. Static Application Security Testing (SAST)
Implementing SAST tools is crucial as it allows us to detect vulnerabilities at an early stage of the development cycle.
You can check it in the Settings - Code Security page. You can enable the Code scanning options.
3. Dependency Update Tool
Using a dependency update tool ensures that our project always utilizes the latest and most secure library versions. You can enable dependabot in the repository settings.
You can check it in the Settings - Code Security page. You can enable the Dependabot options.
4. Security Policy
It is highly recommended to define a comprehensive security policy (SECURITY.md) in the root directory. This policy should include guidelines for vulnerability reporting and vulnerability publishment.
You can do it in the Security page which will give you a template file, just put some key informations(such as Email address or Vulnerabilities submission link) in the SECURITY.md and commit it.
5. Packaging
Build and release official packages using the CI/CD pipeline.
6. Code Review
Perform manual review before code merging.
For detailed information on these checks, you can refer to the OpenSSF Scorecard documentation
I believe that addressing these security improvements will strengthen our project's security posture. What are your thoughts on implementing these changes?