📖 governance: Add Incubation application submission

governance/openssf_scorecard_incubation_stage.md

@@ -0,0 +1,89 @@
+# OpenSSF Scorecard — Incubation application
+
+## Project has met all Sandbox requirements
+
+The only Sandbox application requirement that is not listed as part of the Incubation application superset is the matter of project sponsorship.
+
+### Sponsor
+
+Most projects will report to an existing OpenSSF Working Group, although in some cases a project may report directly to the TAC. The project commits to providing quarterly updates on progress to the group they report to.
+
+OpenSSF Scorecard is a project of the Best Practices Working Group.
+
+## List of project maintainers
+
+The project must have a minimum of three maintainers with a minimum of two different organizational affiliations.
+
+- Stephen Augustus, Cisco, [@justaugustus](https://github.com/justaugustus)
+- Raghav Kaul, Google, [@raghavkaul](https://github.com/raghavkaul)
+- Jeff Mendoza, Kusari, [@jeffmendoza](https://github.com/jeffmendoza)
+- Spencer Schrock, Google, [@spencerschrock](https://github.com/spencerschrock)
+- Laurent Simon, Independent, [@laurentsimon](https://github.com/laurentsimon)
+- Naveen Srinivasan, Independent, [@naveensrinivasan](https://github.com/naveensrinivasan)
+
+The current list of OpenSSF Scorecard maintainers can be found [here](https://github.com/ossf/scorecard/blob/main/MAINTAINERS.md).
+
+## Mission of the project
+
+The project must be aligned with the OpenSSF mission and either be a novel approach for existing areas, address an unfulfilled need, or be code needed to deliver OpenSSF WG work. It is preferred that extensions of existing OpenSSF projects collaborate with the existing project rather than seek a new project.
+
+The mission of OpenSSF Scorecard is to automate analysis on the security posture of open source projects.
+
+The current charter of the OpenSSF Scorecard project can be found [here](https://github.com/ossf/scorecard/blob/main/CHARTER.md).
+
+## Project adoption
+
+The project should be able to show adoption by multiple parties and the adoption's value to the open source community and/or end users (may include adoption of beta/early versions).
+
+- OpenSSF Scorecard results are required as part of all current applications for OpenSSF [Incubating](https://github.com/ossf/tac/blob/c76e94ed192379ede5b3e5e143c372125bac6aa8/process/templates/PROJECT_NAME_incubation_stage.md) and [Graduated](https://github.com/ossf/tac/blob/c76e94ed192379ede5b3e5e143c372125bac6aa8/process/templates/PROJECT_NAME_graduation_stage.md) projects
+- [CLOMonitor](https://github.com/cncf/clomonitor), a CNCF tool that periodically checks open source projects repositories to verify they meet certain project health best practices, leverages OpenSSF Scorecard for several of its checks.
+- [Allstar](https://github.com/ossf/allstar) is a GitHub App that continuously monitors GitHub organizations or repositories for adherence to security best practices. Allstar has since been added an OpenSSF Scorecard project.
+- [Prominent OpenSSF Scorecard Users](https://github.com/ossf/scorecard?tab=readme-ov-file#prominent-scorecard-users)
+- [4.5k stars](https://github.com/ossf/scorecard/stargazers), [~500 forks](https://github.com/ossf/scorecard/forks)
+- [GitHub dependency graph](https://github.com/ossf/scorecard/network/dependents)
+
+## Governance
+
+Project must have met publicly at least 5 times in the last quarter since becoming Sandbox
+
+- Link to public meeting notes (or ideally recordings): https://docs.google.com/document/d/1b6d3CVJLsl7YnTE7ZaZQHdkdYIvuOQ8rzAmvVdypOWM/edit?usp=sharing
+
+Projects must have documented, initial project governance
+
+- https://github.com/ossf/scorecard/blob/main/CHARTER.md
+
+Project must have defined Contributor Guide
+
+- https://github.com/ossf/scorecard/blob/main/CONTRIBUTING.md
+
+Project has attained an OpenSSF Best Practice Badge at "passing" level
+
+- https://www.bestpractices.dev/en/projects/5621
+
+Project is integrated into the OpenSSF Scorecard
+
+- https://scorecard.dev/viewer/?uri=github.com/ossf/scorecard
+
+## IP policy and licensing due diligence
+
+When contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF). This step is only needed for the initial donation and only applicable here, if the project intends to join the OpenSSF Incubation stage.
+
+N/A, this project has been under OpenSSF governance for multiple years
+
+## Project References
+
+The project should provide a list of existing resources with links to the repository, website, a roadmap, contributing guide, demos and walkthroughs, and any other material to showcase the existing breadth, maturity, and direction of the project.
+
+| Reference | URL |
+|---|---|
+| Repo | https://github.com/ossf/scorecard |
+| Meeting Agenda | https://docs.google.com/document/d/1b6d3CVJLsl7YnTE7ZaZQHdkdYIvuOQ8rzAmvVdypOWM/edit?usp=sharing |
+| OSSF Calendar Entry | https://github.com/ossf/scorecard?tab=readme-ov-file#join-the-scorecard-project-meeting |
+| Website | https://scorecard.dev/ |
+| Contributing guide | https://github.com/ossf/scorecard/blob/main/CONTRIBUTING.md |
+| Security.md | https://github.com/ossf/scorecard/blob/main/SECURITY.md |
+| Roadmap | https://github.com/orgs/ossf/projects/24/views/4 |
+| Demos | https://openssf.org/training/securing-projects-with-openssf-scorecard-course/ |
+| Best Practices Badge | https://www.bestpractices.dev/en/projects/5621 |
+| Scorecard integration | https://scorecard.dev/viewer/?uri=github.com/ossf/scorecard |
+| Other | N/A |