
Enable OpenSSF Scorecard Action and Badge #452

Open
joycebrum opened this issue Oct 17, 2022 · 2 comments

Comments

@joycebrum

Hi, I am Joyce from Google and I'm working on behalf of the Open Source Security Foundation (OpenSSF) to help open source projects improve their supply-chain security. Considering how widely the qs project is used in both open source and private projects, the OpenSSF has identified it as one of the 100 most critical open source projects.

Would you consider adopting an OpenSSF tool, developed in partnership with GitHub, called Scorecards? Scorecards runs dozens of automated security checks to help maintainers better understand their project's supply-chain security posture.

The project already follows some of the best practices checked by the scorecard (CI Tests, Contributors, Security Policy), but there are important security practices that could be adopted to improve the overall security of the project, such as SAST, Fuzzing, Dependency-Update Tool, etc.

To simplify maintainers' lives, the OpenSSF has also developed the Scorecard GitHub Action, which runs the Scorecards checks through a GitHub Action on every change on the repository's main branch. It is very lightweight and publishes the result of its checks on the project's security dashboard and includes suggestions on how to solve any issues (see examples below).

The Action does not run or interact with any workflows, but merely parses them to identify possible vulnerabilities. This Action has been adopted by 1800+ projects already, having some prominent users like Tensorflow, Angular, Flutter, sos.dev and deps.dev.

Would you be interested in a PR which adds this Action? Optionally, it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README.

In case of doubts or concerns you can try to check the Scorecards FAQ. Anyway, feel free to reach out to me.

[Image: Code scanning dashboard with multiple alerts, including Code-Review and Token-Permissions]

[Image: Detail of a Token-Permissions alert, indicating the specific file and remediation steps]
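A workflow of the kind the proposed PR would add, shown here as an added example that is not taken from the issue or from the qs repository. It assumes the `ossf/scorecard-action` and `github/codeql-action/upload-sarif` actions with their `results_file`, `results_format`, `publish_results` and `sarif_file` inputs; the version tags are placeholders to be pinned to a current release, and the job-level `permissions` block is kept to the minimum the two steps need, which is what the Token-Permissions check in the screenshot above looks for.

```yaml
name: Scorecard supply-chain analysis

on:
  push:
    branches: [main]          # the Action only reads the repo; it never runs other workflows
  schedule:
    - cron: '30 2 * * 1'      # weekly re-run so newly added checks are picked up without a push
  workflow_dispatch:

# Workflow-wide default: read-only token. Each job then asks only for what it needs,
# which is the pattern the Token-Permissions check rewards.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # needed to upload SARIF to the code-scanning dashboard
      id-token: write          # OIDC token used only when publishing results to the OpenSSF API
      contents: read
      actions: read
    steps:
      - name: Checkout
        uses: actions/checkout@v3            # placeholder version; pin to a release or commit SHA
        with:
          persist-credentials: false         # do not leave the GITHUB_TOKEN in .git/config

      - name: Run Scorecard
        uses: ossf/scorecard-action@v2       # placeholder version; pin to a release or commit SHA
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true              # false keeps results local (no REST API, no badge)

      - name: Upload SARIF to the security dashboard
        uses: github/codeql-action/upload-sarif@v2   # placeholder version
        with:
          sarif_file: results.sarif
```

With `publish_results: false` the badge step is skipped but the alerts still land in the repository's Security tab, so a maintainer can evaluate the findings before deciding whether to publish a score.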

@ljharb (Owner) commented Oct 17, 2022

Hi Joyce! I’d not be interested in that until my feedback has been incorporated into the scorecard program; in particular, the current scorecard penalizes single-maintainer projects in a way that does nothing to increase security.

In addition, using test fuzzing isn’t a best practice unless there’s a way to permanently preserve any failing test input to check for future regressions; and SAST seems like it should be satisfied by linting, which this project does.

I’d be happy to discuss further in the OpenSSF Slack if you have any questions; my feedback was originally given while I was a Board member and it still hasn’t been acted upon.

@joycebrum (Author) commented

Hi @ljharb, thanks for the feedback, I'll keep an eye on scorecards updates for single maintainers to then bring up the discussion.


2 participants