TSC: Integrate Scorecard Workflow

[balhar-jakub]

The TSC agreed that all of the squads needs to integrate the TSC Scorecard into the Workflows.

The details about the topic from Mark Ackert:

Per the recommendation in the linked PR, I created a modified scorecard workflow we can use to narrow the scan results to our preferred checks. The workflow is in the zowe-install-packaging repo here. A list of available checks are here, but the ID you need to supply to the workflow's SCORECARD_ENABLED_CHECKS differs slightly. I couldn't find a list of IDs, but you can look at the unfiltered results.sar if uploaded after each scorecard run to map a given check to it's ruleId.

There is also a question of efficient deployments of scorecards for large organizations which is in discussion ossf/scorecard#4339. If the scorecard community comes up with a more elegant solution than duplicating a scorecard workflow across many repositories, we can look into adopting it.

[github-actions]

Thank you for raising this enhancement request.
The community has 90 days to vote on it.
If the enhancement receives at least 10 upvotes, it is added to our development backlog.
If it receives fewer votes, the issue is closed.

[zFernand0]

For those curious about our baseline...

• https://api.scorecard.dev/projects/github.com/zowe/vscode-extension-for-zowe

  "date": "2025-07-07",
  "repo": {
    "name": "github.com/zowe/vscode-extension-for-zowe",
    "commit": "57e21dd2c11abb97d7c4932faac8ab3258e89372"
  },
  "scorecard": {
    "version": "v5.2.1-18-gbb9c347d",
    "commit": "bb9c347dff6349d986baab6578a46d68a5524c62"
  },
  "score": 6.6,