Proposal for Baseline GH Rulesets Alignment w/ Minder #39

Open
eddie-knight opened this issue Nov 5, 2024 · 2 comments
@eddie-knight
Contributor

eddie-knight commented Nov 5, 2024

Dropping some notes here following a discussion with @mrbobbytables.

  • GitHub Rulesets are entering maturity, and may soon be recommended from a CNCF perspective as a way to streamline security across projects
  • Some discussion (I forget where) has proposed the integration of rulesets in the Minder context
  • Can we collaborate in the Minder context to maintain an OSPS Baseline ruleset that can be optionally ingested directly or by Minder?
  • Need to ensure that the CNCF TOC is 100% on board with the OSPS Baseline criteria, so that the ruleset is immediately useful

cc / @puerco

@TheFoxAtWork

If the OSPS baseline is incorporated into the passing level of best practices badging, they will become criteria for projects moving levels.

If they're not capable of being incorporated into best practices badging, the TOC will need to decide at what level these would be required, in whole or in part, and then update the criteria for new projects applying moving forward.

@puerco
Member

puerco commented Nov 5, 2024

Absolutely, Minder can help projects in two ways:

  • Minder is able to remediate projects missing the recommended rulesets, ensuring they are always present.
  • Minder can also create minder rule types that protect in the same way without relying on GitHub rules at all.

Once we finalize the criteria, we can create the minder rule types (for either scenario, or both) and we can host them in the baseline repo with instructions on how to use them.
