Docs addition: getting started guide

[olivekl]

Scorecard is becoming a central starting point for developers new to supply chain security who want to learn how to improve their projects, but the docs don’t have a resource for people who land here and don’t know where to start to understand the basic concepts about why Scorecard exists.

I’d propose a “New to Supply Chain Security? Start Here!” type of guide that could have its own page, pointing maintainers to the checks they may way to prioritize first:

• Brief intro to supply chain risks generally as applied to open source developers
• Three sections talking about the general development workflow for open source and how to protect against common risks
  • Setting up your project / contributing to your own source code
  • Accepting PRs / contributions / adding dependencies
  • Releasing

These sections would be written in a casual, conversational tone and would explain why we suggest starting with the following checks:

• Branch protection
• Code Review
• CI Tests
• Token Permissions
• Vulnerabilities
• Dependency Update Tools
• Packaging

@ariathaker has offered to take on writing this page with me; @pnacht has already provided SME guidance. If there's support for adding this page, we'll get right to work!

[spencerschrock]

Sounds good to me

[github-actions]

This issue is stale because it has been open for 60 days with no activity.

[justaugustus]

Guide is being worked on in #3617.

[github-actions]

This issue is stale because it has been open for 60 days with no activity.

[spencerschrock]

Fixed by #3617