Skip to content

TrustScope: suggested Security & Supply Chain improvements for QLMarkdown #226

Description

@GmanFooFoo

Hi! This is a friendly, optional set of suggestions for sbarex/QLMarkdown, generated by TrustScope from the OpenSSF Scorecard (v5.5.0).

None of these are required — they are common hardening steps that tend to raise a project's supply-chain and governance signals. Take whatever is useful and ignore the rest.

Security & Supply Chain

  • Branch Protection — Add a branch-protection rule: require a pull request, a required status check, and dismiss-stale reviews. (Private repositories need a paid GitHub plan for branch protection.)
  • Code Review — Require review before merge. Solo projects can satisfy this with an automated reviewer (e.g. CodeRabbit) instead of blocking human approval.
  • Dependency Update Tool — Add .github/dependabot.yml — the github-actions ecosystem always, plus npm/etc. wherever a manifest exists.
  • SAST — Add a CodeQL workflow for the repository's real languages (build-mode none). Use languages: (plural) on codeql-action/initlanguage: is silently ignored — and job-scope security-events: write. Private repositories need GitHub Advanced Security.

Assessed via TrustScope (https://trustscope.neckarshore.ai) — an open-source trust report by Neckarshore AI. These are suggestions, not demands.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions