I'd like to explore the recommendations being made by the OpenSSF scorecard report. I ran it this morning manually and saw this:
| SCORE | NAME | REASON | DOCUMENTATION/REMEDIATION |
|---|---|---|---|
| 1 / 10 | Binary-Artifacts | binaries present in source code | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#binary-artifacts |
| ? | Branch-Protection | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by personal access token | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#branch-protection |
| 10 / 10 | CI-Tests | 13 out of 13 merged PRs checked by a CI test -- score normalized to 10 | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#ci-tests |
| 5 / 10 | CII-Best-Practices | badge detected: passing | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#cii-best-practices |
| 2 / 10 | Code-Review | found 6 unreviewed changesets out of 8 -- score normalized to 2 | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#code-review |
| 10 / 10 | Contributors | 93 different organizations found -- score normalized to 10 | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#contributors |
| 10 / 10 | Dangerous-Workflow | no dangerous workflow patterns detected | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#dangerous-workflow |
| 10 / 10 | Dependency-Update-Tool | update tool detected | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#dependency-update-tool |
| 0 / 10 | Fuzzing | project is not fuzzed | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#fuzzing |
| 10 / 10 | License | license file detected | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#license |
| 10 / 10 | Maintained | 30 commit(s) out of 30 and 28 issue activity out of 30 found in the last 90 days -- score normalized to 10 | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#maintained |
| 10 / 10 | Packaging | publishing workflow detected | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#packaging |
| 6 / 10 | Pinned-Dependencies | dependency not pinned by hash detected -- score normalized to 6 | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#pinned-dependencies |
| 0 / 10 | SAST | SAST tool is not run on all commits -- score normalized to 0 | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#sast |
| 10 / 10 | Security-Policy | security policy file detected | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#security-policy |
| ? | Signed-Releases | no releases found | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#signed-releases |
| 0 / 10 | Token-Permissions | detected GitHub workflow tokens with excessive permissions | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#token-permissions |
| 10 / 10 | Vulnerabilities | no vulnerabilities detected | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#vulnerabilities |
Some things to explore:

- set up CodeQL checks (SAST check)
- pinned dependencies - not sure which one isn't pinned, looks like maybe just rubyzip?
- token permissions - set GitHub Actions token permissions to "read" at top level, then increase for specific jobs (I think?)
  - this should probably be done manually so I can run every pipeline against the commit - see [StepSecurity] ci: Harden GitHub Actions #2957, which I can't run the generate-ci-images.yml against
- Other recommendations from https://app.stepsecurity.io/securerepo?repo=https://github.com/sparklemotion/nokogiri
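The token-permissions, pinned-dependencies and SAST items above could look like this in a single workflow. This is an added illustration, not a file from the issue or from the Nokogiri repository; the action commit SHAs are placeholders, and the `main` branch and `ubuntu-latest` runner are assumptions.

```yaml
name: codeql

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Workflow-level default: every job's GITHUB_TOKEN can only read repository
# contents. This is the "read at top level" that the Token-Permissions check
# looks for.
permissions:
  contents: read

jobs:
  analyze:
    runs-on: ubuntu-latest
    # A job-level permissions block REPLACES the workflow-level one rather than
    # adding to it, so contents: read must be repeated here alongside the extra
    # scope CodeQL needs to upload its findings.
    permissions:
      contents: read
      security-events: write
    steps:
      # Pin each action to a full 40-character commit SHA instead of a mutable
      # tag; the trailing comment records which release the SHA was taken from.
      # The SHAs below are PLACEHOLDERS, not real commits: resolve the actual
      # value from each action's repository before use.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z
      - uses: github/codeql-action/init@0000000000000000000000000000000000000000 # vX.Y.Z
        with:
          languages: ruby
      - uses: github/codeql-action/analyze@0000000000000000000000000000000000000000 # vX.Y.Z
```

A dependency-update tool that understands SHA pins can keep the placeholder comments and SHAs in sync on each release, which is what keeps the Pinned-Dependencies score from decaying over time.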