Adopting OpenSSF scorecard - Midpoint log

matmair

I am currently trying to get InvenTree, the open source inventory and PLM system, compliant with the OpenSSF scorecard system by the Open Source Security Foundation. This is a log of my progress and thoughts so far.

At the time of writing we are at 7.4 of 10 (3e52e5f) but check the live score.

Docs and UX

The docs are great, the website looks nice. I wished for some more technical details in the docs, but I guess that would be a double-edged sword.
Something I need a bunch of time to get right is pinned dependencies. For Python packages it is not enough to pin to a version within the install command; you seem to be required to use a requirements file.
Pinning multistage Docker builds is still a mystery to me.
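As a worked illustration of the two pinning problems above, here is a multistage Dockerfile written for this post as an added example (it is not InvenTree's own Dockerfile). It assumes a requirements.txt generated with `pip-compile --generate-hashes` from pip-tools, and the image digests are placeholders to be replaced with the `Digest:` line that `docker pull` prints:

```dockerfile
# syntax=docker/dockerfile:1
#
# What the Pinned-Dependencies check flags, for comparison:
#   FROM python:3.11-slim            <- tag only, no digest: unpinned
#   RUN pip install django==4.2      <- version pin but no hash: unpinned
#
# Placeholder digest (all zeros); take the real one from `docker pull python:3.11-slim`.
FROM python:3.11-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS builder

WORKDIR /build

# requirements.txt is assumed to come from
#   pip-compile --generate-hashes requirements.in
# so every requirement, transitive ones included, carries --hash=sha256:... entries.
# --require-hashes makes pip refuse any requirement that lacks a hash, which is
# the form of pinning the check recognises (a bare ==version is not enough).
COPY requirements.txt .
RUN pip install --no-cache-dir --require-hashes -r requirements.txt

# A stage that starts from another stage's alias. This FROM has no digest,
# but the check follows the alias back to the builder stage's own FROM, so it
# counts as pinned as long as that base image was pinned by digest.
FROM builder AS test
COPY . /build
RUN python -m pytest -q

# Runtime image: pin the external base again (same placeholder digest) and copy
# only the already-installed, hash-verified packages out of the builder stage.
FROM python:3.11-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS runtime
COPY --from=builder /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
COPY --from=builder /usr/local/bin /usr/local/bin
WORKDIR /app
COPY . /app
USER nobody
CMD ["python", "-m", "http.server", "8000"]
```

The rule of thumb that falls out of this: every `FROM` that names an external image needs a `@sha256:` digest, every `FROM` that names a stage inherits the pinning of that stage, and every `pip install` goes through a hash-bearing requirements file with `--require-hashes`. The same idea applies to GitHub Actions, where `uses:` references are pinned to a commit SHA rather than a tag.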

Scope

I think the scope of the rating is good. A lot of things can be fulfilled with a few clicks (dependabot, workflow permissions), a few things are more involved and need some time (pinned dependencies, security policies, reviewer policies, SAST).

Dependabot

I had a not-so-good experience with the recommended Dependabot setup. It created a lot of PRs, but the PRs were not very helpful as they often required a manual fix. After we configured grouping, the noise got significantly reduced; that should be the default IMO.
It still seems to ignore my specific requests to ignore certain packages.

Conclusion

I am happy with the progress we made so far. I think the OpenSSF scorecard is a good guideline to improve the security of a project. A simple number is always a good motivator for me to get things done, and it is easier to understand for businesses evaluating the project. I am looking forward to the next steps and hope to get a good rating (8.5-ish) soon.