Hello OSSF scorecard authors!
I am a fan of the StepSecurity Harden Action step, which can harden a GHA CI workflow against attacks by removing sudo rights and blocking unknown network traffic.
I've implemented this strictness on many of my repos, but sometimes I leave the tool in audit mode and forget to switch to enforcement.
Would it be possible for OSSF Scorecard to take this into account? I imagine it would scan each workflow for hardening, and detect either audit or block mode; as a user, I would expect it to grant points if the action is there at all (because this allows some measure of retroactive diagnosis), and a lot of points if the workflow is fully blocked from unknown traffic and sudo access.
I'm asking both because, as a project author, I'm disappointed that I don't get credit for this in my scorecard, and also as a user, because I would like to know which libraries I use have performed this important step.
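One way a check like the one requested could find harden-runner in a workflow and distinguish audit from block mode, as an added example that is not part of the original post and not Scorecard's own code: the line-based scanner, the sample workflows and the point values are my assumptions, and the action's `egress-policy` and `disable-sudo` inputs are assumed from its documentation.

```python
import re

HARDEN_RUNNER = re.compile(r"uses:\s*step-security/harden-runner@")
KEY_VALUE = re.compile(r"^([\w-]+):\s*(.*?)\s*$")

def split_items(workflow_text):
    """Group lines into YAML list items ('- ' starts one); a line-based heuristic, not a YAML parser."""
    items = []
    for line in workflow_text.splitlines():
        if not line.strip():
            continue
        if line.strip().startswith("- ") or not items:
            items.append([])
        items[-1].append(line.strip().lstrip("- "))
    return items

def harden_runner_config(workflow_text):
    """Settings of the first harden-runner step, or None when the action is absent.
    Reads the action's 'egress-policy' (defaults to audit) and 'disable-sudo' inputs."""
    for item in split_items(workflow_text):
        if not any(HARDEN_RUNNER.search(line) for line in item):
            continue
        inputs = dict(m.groups() for m in map(KEY_VALUE.match, item) if m)
        return {"egress_policy": inputs.get("egress-policy", "audit"),
                "disable_sudo": inputs.get("disable-sudo", "false").lower() == "true"}
    return None

def score(workflow_text):
    """Assumed scheme (mine, not Scorecard's): 0 absent, 3 audit, 7 block, +3 if sudo disabled."""
    cfg = harden_runner_config(workflow_text)
    if cfg is None:
        return 0
    return (7 if cfg["egress_policy"] == "block" else 3) + (3 if cfg["disable_sudo"] else 0)

# Constructed sample workflows, not taken from any real repository.
AUDIT_WORKFLOW = """
jobs:
  build:
    steps:
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
"""
BLOCK_WORKFLOW = AUDIT_WORKFLOW.replace(
    "egress-policy: audit", "egress-policy: block\n          disable-sudo: true")
NO_HARDENING_WORKFLOW = "jobs:\n  build:\n    steps:\n      - uses: actions/checkout@v4\n"
```

A real check would parse the YAML properly and walk every workflow under `.github/workflows`; this scanner only shows the audit/block distinction the post asks for.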