Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adoption of Scorecard GitHub Action #831

Open
diogoteles08 opened this issue Jun 21, 2023 · 2 comments
Open

Adoption of Scorecard GitHub Action #831

diogoteles08 opened this issue Jun 21, 2023 · 2 comments

Comments

@diogoteles08
Copy link
Contributor

diogoteles08 commented Jun 21, 2023
edited

Hey, I'm Diogo and I've raised the issues #357 and #809 contributing with some security enhancements. I'll happily continue contributing with such improvements (it's literally my job, see my profile), but this time I come to suggest the tool that I used myself to find those security issues.

I'd like to suggest that the project add the OpenSSF Scorecard Action. The OpenSSF Scorecard uses GitHub's public API to gather public informations about your project and runs a sort of "meta-analysis" of the project's security posture. The Action then populates the project's Security Panel with possible improvements to its security posture. It's specially helpful to ensure you won't regress on the security measures you have already adopted. Additionally, the tool integrates with the OSV Scanner, which evaluates a project's transitive dependencies looking for known vulnerabilities.

When working on the Security enhancements pointed by Scorecard, you're also able to apply for the OpenSSF's Secure Open Source Rewards program, which financially rewards developers for improving the security of important open source projects

This tool is developed by the OpenSSF in partnership with GitHub and it's already been adopted by 1800+ projects, including TensorflowPyTorchAngular, and Flutter.

You can have a preview of the analysis here. Note that the 0/10 score on Token-Permissions should have been fixed by my issue #764. Currently it's only 0/10 because the release.yml was changed to have a contents: write permission at top-level (and I saw that this change as motivated by a typo on my original PR, sorry about that ><), but that can be seen as a False-Positive, as Scorecard have already documented it on this issue.

If you're interested, let me know and I'll send a PR!
@diogoteles08
Copy link
Contributor Author

Hey! This issue/PR has been idle for quite some time. Do you plan on considering this suggestion? If not, I'll probably wait up to 2 more months and close the issue.

Thanks!

@klauspost
Copy link
Owner

Keeping it around as a TODO item. I close the ones I don't plan to do.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@klauspost @diogoteles08 and others