Improve security measures (with the help of OpenSSF Scorecard) #384

Open
6 tasks
gustavkj opened this issue Nov 15, 2023 · 4 comments

Comments

@gustavkj
Collaborator

Lately I've been looking a bit at OpenSSF Scorecard; it is a security assessment for open source projects.

You can see the current score here: https://securityscorecards.dev/viewer/?uri=github.com/gagoar/codeowners-generator

I think there are some fairly easy improvements that can be done, and there are tools to help. Below are the main improvements that we can split off into separate issues (if this sounds good):

  • Adjust GitHub Workflow token permissions (principle of least privilege)
  • Add a security policy (SECURITY.md) and turn on private vulnerability reporting
  • Pin Workflow versions and make Renovate update them
  • Add tool for static code analysis, CodeQL
  • Optional: Add OpenSSF Scorecard workflow, so the score is updated more often
  • Optional: Add OpenSSF Scorecard badge to the readme
@gustavkj
Collaborator Author

Any thoughts, @gagoar?

@gagoar
Owner

gagoar commented Nov 15, 2023

I've done this at work. Most of it is okay. Some notes tho:

  • OSS has limited machine time per PR. CodeQL is a bit heavy. There are no objections here. Keep in mind Renovate craziness might get us some queues going that slow us down.
  • Pinning versions is something I usually do. It could be a quick review to see what's not pinned.
  • The least permissions on workflows is a tricky one. The ones we use to publish are the ones I find the most tricky to test. Everything else can scope to read-only, right?

I will be sure to take the workflow versions to be pinned as soon as you are done with the latest updates.
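As an added example (not code from this issue or from the codeowners-generator project), a small Python check for the two workflow items discussed above: actions not pinned to a full commit SHA (the "quick review to see what's not pinned") and a missing workflow-level permissions block. The two workflow snippets are constructed samples and the 40-hex SHAs in the hardened one are placeholders, not real commits.

```python
import re

# Constructed sample workflows (not from the codeowners-generator repo). The weak
# one has no permissions block and floats on tags; the hardened one scopes the
# token read-only and pins full commit SHAs (placeholder SHAs, not real commits).
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
"""
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-node@fedcba9876543210fedcba9876543210fedcba98 # v4
"""
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

def unpinned_actions(workflow_text):
    """Return 'uses:' refs whose version is not a full 40-hex commit SHA."""
    found = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # not a step, or a local/docker ref with no tag to pin
        if not SHA_RE.match(m.group(1).partition("@")[2]):
            found.append(m.group(1))
    return found

def has_top_level_permissions(workflow_text):
    """True if permissions: appears at column 0 (workflow-level, not job-level)."""
    return any(l.startswith("permissions:") for l in workflow_text.splitlines())

def audit(workflow_text):
    """The two Scorecard-style findings discussed in the issue."""
    return {"unpinned": unpinned_actions(workflow_text),
            "missing_permissions": not has_top_level_permissions(workflow_text)}
```

Calling audit(WEAK_WORKFLOW) flags both actions and the missing permissions block; audit(HARDENED_WORKFLOW) reports nothing.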

@gustavkj
Collaborator Author

Sounds good! 👍

I will take the workflow versions to be pinned as soon as you are done with the latest updates.

I think adding this Renovate preset will take care of that, probably in one PR.

You can also use this tool that OpenSSF links to: https://app.stepsecurity.io/securerepo

@gagoar
Owner

gagoar commented Nov 15, 2023

done! #385
