Description
Hi socket.io-client-java Maintainers,
I'm reaching out because I appreciate your work on socket.io-client-java. As open-source security is a growing concern, I'd like to suggest some improvements based on the OpenSSF Scorecard best practices:
-
Token Permissions: Consider implementing explicit token permissions within the workflow to avoid over-permissioning vulnerabilities.
-
Static Application Security Testing (SAST): Implementing SAST tools such as CodeQL can help detect vulnerabilities early in the development lifecycle.
-
Dependency Update Tool: Utilizing a dependency update tool, such as Dependabot or RenovateBot, to ensures your project uses the latest secure library versions.
-
Security Policy: Defining a comprehensive security policy (SECURITY.md) with vulnerability reporting guidelines, coding standards, and response procedures is recommended.
For more information on specific checks, see the OpenSSF Scorecard documentation: Link to documentation