Improve Node.js Scorecard

[RafaelGSS]

Reference: https://github.com/nodejs/security-wg/blob/main/tools/ossf_scorecard/report.md

We need to:

• Enable code-scanning in the Node.js repository by setting a scorecard.yml (tools: add scorecard ci node#47254)

• Fix the warnings (feel free to update this list)

  • Pin actions by commit-hash (tools: use actions pinned by commit hash on all workflows node#46820)

• Pin npm dependencies in our actions (Improve Node.js Scorecard #929 (comment))

  ...

Note: we can use the StepSecurity for an automated PR.

[RafaelGSS]

Actually, there's already a PR for pinned actions nodejs/node#46820

[mateonunez]

Hey @RafaelGSS, I would love to deep into this. Just a couple of questions:

• The workflow should be set only in the main branch at push or we want to include also other stable branches ?
• There's a specific scheduled time to run the workflow?

[RafaelGSS]

The workflow should be set only in the main branch at push or we want to include also other stable branches ?

main branch

There's a specific scheduled time to run the workflow?

You can use the same as the one we use for this repo.

[mateonunez]

I created this PR to increase the scorecard score by adding the missing dependencies: nodejs/node#47346

I'm sure that by merging this we can get very close to score 10 on the topic "Pinned-Dependencies".

[RafaelGSS]

UPDATE from #945

Node.js score: 7.6 - 2023-04-08

[RafaelGSS]

UPDATE from #961

Repository	Commit	Score	Date	Difference	Report Link	StepSecurity Link
nodejs/node	2ac5e98	7.3	2023-04-26T08:57:49Z	-0.3	Full Report	Fix it

[UlisesGascon]

UPDATE from #981

Repository	Commit	Score	Date	Difference	Report Link	StepSecurity Link
nodejs/node	12a93ce	7.3	2023-05-10T08:02:33Z	0	Full Report	Fix it