Description
When working with open source at enterprise companies, governance, compliance and security come up. Adding OpenSSF Scorecard (https://openssf.org/) could be a good way to address that, especially when it comes to auditing.
An example of an open source repo that does this well; they also have good docs describing how the process works:

https://docs.powertools.aws.dev/lambda/python/latest/security/