scorecard/docs/repositories.md
Stephen Augustus 16ed8a68aa
docs: Add repository guidelines e.g., for project donations (#4123)
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2024-05-30 12:40:14 +00:00


Repository Guidelines

This document attempts to outline a structure for creating and associating GitHub repositories with the OpenSSF Scorecard project.

Approval

New repositories require approval from the OpenSSF Scorecard Steering Committee.

Requirements

The following requirements apply to all OpenSSF Scorecard repositories:

  • Must be identified in the OpenSSF Scorecard project documentation

  • Must reside in the OpenSSF GitHub organization

  • Must utilize the topic openssf-scorecard (ref: managing topics)

  • Must adopt the OpenSSF Scorecard Code of Conduct

  • Must adopt an appropriate license, in compliance with the Intellectual Property Policy of the OpenSSF Scorecard charter

  • Must include headers across all files that attribute copyright as follows:

    Copyright [YYYY] OpenSSF Scorecard Authors
    
  • Must enforce usage of the Developer Certificate of Origin (DCO) via the DCO GitHub Application

  • All privileges to the repository must be granted via GitHub teams rather than to individual accounts

  • All code review permissions must be defined via CODEOWNERS

  • All contributors with privileges to the repository must also be active members of the OpenSSF Scorecard project

Donated repositories

The OpenSSF Scorecard project may at times accept repository donations.

Donated repositories must:

The addition of required copyright headers to code created by the contributors can occur post-transfer, but should ideally occur shortly thereafter.

Note that copyright notices should only be modified or removed by the people or organizations named in the notice.

Attribution

These guidelines were drafted with inspiration from the Kubernetes project's repository guidelines.