Description
Feature Request
Firecracker is a security-critical, widely adopted infrastructure component used in production cloud environments. Downstream users, distributors, and security teams increasingly rely on OpenSSF Scorecard signals to evaluate supply-chain risk and security maturity of open source dependencies.
While Firecracker already demonstrates strong security practices, the absence of an enabled and published OpenSSF Scorecard workflow means these signals are not continuously measured or easily consumable. Enabling Scorecard would improve transparency, prevent regressions, and strengthen trust in Firecracker’s security posture across the ecosystem.
Describe the desired solution
Integrate the OpenSSF Scorecard GitHub Action into the Firecracker repository with scheduled (e.g., weekly) and/or push-based execution. Publish the results so they are visible to users, optionally including a Scorecard badge in the repository README.
This would enable continuous, automated assessment of Firecracker’s supply-chain security posture without impacting runtime behavior or development workflows.
Describe possible alternatives
- Continue relying on ad-hoc, manual Scorecard executions when security reviews are required.
- Rely on downstream consumers to run Scorecard independently against the repository.
Current workaround:
Security posture is evaluated manually using the Scorecard CLI or container image, which does not provide continuous visibility and makes regression detection difficult.
Additional context
A recent manual OpenSSF Scorecard run against this repository reports an aggregate score of 7.3 / 10, reflecting a strong baseline with a small number of improvable areas (e.g., pinned dependencies, signed releases, fuzzing, and OpenSSF Best Practices badge).
Command used to generate the current report:
docker run -e GITHUB_AUTH_TOKEN=${GITHUB_AUTH_TOKEN} \
gcr.io/openssf/scorecard:stable \
--show-details \
--repo=https://github.com/firecracker-microvm/firecracker
Checks
- [x] Have you searched the Firecracker Issues database for similar requests?
- [x] Have you read all the existing relevant Firecracker documentation?
- [x] Have you read and understood Firecracker's core tenets?
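The desired solution described in the request (a scheduled and push-triggered Scorecard workflow whose results are published) would look roughly like the workflow below. This is an added example, not Firecracker's own workflow or the OpenSSF project's template; the workflow name, cron schedule and the `@vN` tag references are assumptions.

```yaml
# Added example (not Firecracker's own workflow): weekly + push-triggered
# OpenSSF Scorecard run that publishes results and uploads SARIF so the
# findings appear under the repository's code-scanning alerts.
name: Scorecard supply-chain security

on:
  # Re-run when branch protection changes, since Scorecard scores it.
  branch_protection_rule:
  schedule:
    - cron: '30 6 * * 1'   # assumed schedule: Mondays 06:30 UTC
  push:
    branches: [ "main" ]

# Default every job to read-only; grant write scopes only where needed.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # needed to upload SARIF to code scanning
      id-token: write          # OIDC token required by publish_results

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false   # keep the token out of .git/config

      - name: Run Scorecard
        uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          # Publishes the score to the OpenSSF API, which is what the
          # public viewer and the README badge read from.
          publish_results: true

      - name: Upload SARIF artifact
        uses: actions/upload-artifact@v4
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      - name: Upload to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Scorecard's own Pinned-Dependencies check (one of the improvable areas listed above) will flag the `@vN` tag references in this file; pinning each `uses:` to a full commit SHA clears that finding and protects the workflow itself against a moved tag.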