LFX Security Insights + Scorecards

[azeemshaikh38]

Meeting notes on LFX Security Insights from Scorecard bi-weekly of Feb 10th 2022:

• LFX Insights collects and showcases different OSS repository/project metrics. It has some security related metrics it collects today and is interested in adding OpenSSF's Scorecard + Criticality Score to this list.
• LFX Insights is moving to a new datalake-based architecture which should allow for higher scalability and newer features. Some of them being:
  (i) Expanded coverage of the larger OSS ecosystem. Today, only projects owned by LF are listed in LFX.
  (ii) An API for consumers of this data.
  (iii) Connector-based data flow where each system/tool can push data to the datalake and have it exposed through the API or
  web dashboard. This allows for the flexibility such that some OSS projects have certain metrics populated but not others.
• Expected general availability is around mid-year.

The proposed plan here is to turndown metrics.openssf.org and leverage the work of LFX Security Insights for exposing/showcasing the OpenSSF security metrics.

@laurentsimon @naveensrinivasan @oliverchang @inferno-chromium @scovetta fyi.

@david-a-wheeler could you add Shubra to this discussion?

[scovetta]

The proposed plan here is to turndown metrics.openssf.org and leverage the work of LFX Security Insights for exposing/showcasing the OpenSSF security metrics.

Sounds good to me, strongly support!