Potential Security Enhancements for lua-cjson

[CeyuWu]

Hi lua-cjson Maintainers,

I'm reaching out because I appreciate your work on lua-cjson. As open-source security is a growing concern, I'd like to suggest some improvements based on the OpenSSF Scorecard best practices:

​Token Permissions​: Consider implementing explicit token permissions within the workflow to avoid over-permissioning vulnerabilities.
​Branch Protection & Code Review​: Enabling branch protection rules and code reviews can minimize the risk of introducing vulnerabilities. Refer to your repository settings for configuration options.
​Static Application Security Testing (SAST)​: Implementing SAST tools can help detect vulnerabilities early in the development lifecycle.
​Dependency Update Tool​: Utilizing a dependency update tool ensures your project uses the latest secure library versions.
​Security Policy​: Defining a comprehensive security policy (SECURITY.md) with vulnerability reporting guidelines, coding standards, and response procedures is recommended.
For more information on specific checks, see the OpenSSF Scorecard documentation: Link to Documentation

[zhuizhuhaomeng]

Would you please create a PR for your advisement?

[Fo3N0Th1ng]

@zhuizhuhaomeng Hi, I'm currently looking into this issue. In fact, most of the requirements from Scorecard can only be fulfilled by someone with maintainer permissions — for example, it may ask you to re-run the test.yml workflow.

That said, there are also a few things that only require simple UI actions. For instance:

• You can enable branch protection on the master branch.
• You can create a SECURITY.md file in the root of the repository to let others know how to report vulnerabilities to the maintainers.

If you're interested in doing this, I'd be more than happy to help however I can.