-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add OSSF Scorecard #851
Comments
Hi @gabibguti we're evaluating it in the Security-WG . See the next initiatives: #846. Also, feel free to join our call to share your point of view. |
Something to note on this: currently we include several compiled wasm modules. This is against the concept of "binary artifacts". This being said, compiling to WASM is hard and they require quite a few more dependencies. I'm not 100% sure what we should do about this in practice. |
I think as a first step we can automate the generation of the wasm modules and better manage the dependencies that we use as part of the build for the wasm. I know that won't solve the concern about binary artifacts but will be some help. |
Hello @RafaelGSS! Nice! According to node's calendar the next meeting will be December 22 10AM in Brazil. Is that correct? If so, either me or my team colleagues can attend. |
@gabibguti I think we'll postpone this week's meeting to next year. Due to the holidays, most of our team won't be able to attend. Anyway, stay tuned at: #853 |
About the WASM binaries. Hi @mcollina! You've raised a very interesting point. We will not always be able to remove the binaries. If we do need the binaries, which seems the case, we can try make their generation and update more trustable. For example, by automating the generation as @mhdawson said. Further explanation... I will make sure we comment on this topic on the meeting. |
@gabibguti - not sure which context you are looking at this from but as an FYI this PR is related in that it allows distros to externalize the WASM and re-build them on their own. That of course does not address the issue for those using the community binaries and as you mentioned making the generation/update more trustable helps. I think it will also help the distro's as the better we document/manage the generation of these components the easier the rebuilds would be as well. |
@gabibguti I think you missed today's meeting. Could you join the next one? It will be Jan 19th |
@RafaelGSS Oh sorry! I didn't see the new issue regarding the meeting. Yes! I'll join the next one along with my team mates. |
As discussed in the Security WG's latest meeting, here are the steps to add Scorecard to node: How to add Scorecard GHAOn the repository page, you can open Actions tab, click "New workflow", search for "Scorecard" and click "Configure" to add the action. Configuring Scorecard to run on PRsYou can replace the workflow triggers by pull_request trigger. |
Adding to TSC agenda as an FYI. I think enabling this makes sense. Even if we enable per PR it won't block landing but should give us additional info in terms of any security implecations. |
Could we add this to Undici as well? |
Hey everyone, thanks for your time in yesterday's meeting. Unfortunately, I must issue a correction: at one point I said that Scorecard can monitor the main branch and release branches. This is unfortunately not the case. Scorecard only runs on the main ("default") branch. I was thinking of a single check which runs on all branches, but all others only scan the main branch. My apologies. |
@mcollina I've not looked but it sounds like it is per repo versus per org and in that case I think we should plan to enable for the repo's where it makes sense including undici. |
PRs on core: Note: please update the list |
@RafaelGSS PR opened: #873 |
As agreed in last meeting, I was working in this little script that can automate the process for collecting the scores from several repos and trigger alerts via issues. Here is the Github Action in the marketplace that I created. I can do a little demo (60 sec) in our next meeting #877 and discuss the next steps ;-) |
@mcollina We added the scorecard workflow on that repository. You can take a look at the result (alerts) in the Security tab. If you'r ok I can open a pull request on undici to add the OSSF scorecard workflow? |
First, I think |
What should I do exactly? |
It will be enabled by adding the OSSF scorecard workflow. I was going to say I could do it but I don't have the access. Here is the official instructions. Just the first time when clicking on |
The code scanning is working fine! I can see fresh results for undici and security-wg repos, See reporting |
Closing this issue as completed. Further updates in the Node.js organization will be made through #859. |
What is the problem this feature will solve?
Improve the project's security against supply-chain attacks.
Supply-chain attacks have been increasing over the years according to the sonatype State of the Software Supply-Chain report and given node's popularity it's a reasonable target.
What is the feature you are proposing to solve the problem?
Adding the OSSF Scorecard tool to identify supply-chain security improvements.
Scorecard checks for best practices such as if main branch is protected, if code is being reviewed in PRs and if binaries are being avoided. Below, you can see that sonatype uses Scorecard to check how projects are most vulnerable.
What alternatives have you considered?
None.
Additional Context
I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)
The text was updated successfully, but these errors were encountered: