Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve SecurityWG Scorecard #884

Closed
4 of 5 tasks
RafaelGSS opened this issue Feb 21, 2023 · 13 comments · Fixed by #906
Closed
4 of 5 tasks

Improve SecurityWG Scorecard #884

RafaelGSS opened this issue Feb 21, 2023 · 13 comments · Fixed by #906

Comments

@RafaelGSS
Copy link
Member

RafaelGSS commented Feb 21, 2023

Following https://github.com/nodejs/security-wg/blob/main/tools/ossf_scorecard/report.md + Code Scanning, we have a few security concerns to mitigate in this repository and then improve our score. Let's use this issue to keep track of the progress:

  • Token-Permissions
    • .github/workflows/ossf-scorecard-reporting.yml:11
    • score is 0: topLevel 'contents' permission set to 'write'
      Remediation tip: update your workflow using https://app.stepsecurity.io
      Click Remediation section below for further remediation help

    • .github/workflows/validate-vulnerability.yml:1
    • score is 0: no topLevel permission defined
      Remediation tip: update your workflow using https://app.stepsecurity.io
      Click Remediation section below for further remediation hel

  • Pinned-Dependencies
    • All .yml files.
  • SAST Tool
  • Fuzzing
  • Code-Review
@UlisesGascon
Copy link
Member

I am happy to help with some PRs for the tokens and pinned dependencies. Regarding SAST Tool I can enable CodeQL from the github settings in few minutes.

Regarding fuzzing maybe @fraxken can lead it :)

@shubham-y
Copy link

I would like to work on this issue

@RafaelGSS
Copy link
Member Author

@shubham-y feel free to pick one item from the list and make the PR.

@varunsh-coder
Copy link

Hi All, I am the founder of StepSecurity. We are developing a few tools like app.stepsecurity.io to simplify developers' work and increase the OpenSSF Scorecard score using automation. Please let me know if I can help in any way.

I am curious if this issue is only for this repo or to increase the score across nodejs repos?

@RafaelGSS
Copy link
Member Author

Currently, only this repo. The plan is to perform this for all the repos in the org.

@fraxken
Copy link
Member

fraxken commented Apr 15, 2023

If we fix remaining issues with token permissions the score will up to ~9.2

For fuzzing I don't think that applicable here.

We can also improve the score by completing the CII-Best-Practices program (but again not sure if that useful for this repository?).

@UlisesGascon
Copy link
Member

We can explore how CII-Best-Practices works in this repo and then try to replicate it for Node and Undici.

I completed the CII-Best-Practices for one of the projects that I maintain and it is quite long process but super interesting as leads to more opportunities to discuss and improve outside the automatic scoring.

@RafaelGSS
Copy link
Member Author

CII-Best-Practices seems interesting.

@RafaelGSS
Copy link
Member Author

UPDATE From #961

Repository Commit Score Date Difference Report Link StepSecurity Link
nodejs/security-wg 436ca24 8.2 2023-04-24T22:24:57Z 0.1 Full Report Fix it

@UlisesGascon
Copy link
Member

UPDATE from #981

Repository Commit Score Date Difference Report Link StepSecurity Link
nodejs/security-wg b3757f5 8.2 2023-05-09T11:18:48Z 0 Full Report Fix it

@github-actions
Copy link
Contributor

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.

@github-actions github-actions bot added the stale label Aug 11, 2023
@RafaelGSS RafaelGSS removed the stale label Aug 11, 2023
Copy link
Contributor

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.

@github-actions github-actions bot added the stale label Nov 10, 2023
@RafaelGSS RafaelGSS removed the stale label Nov 10, 2023
@RafaelGSS
Copy link
Member Author

I'm closing it since we've achieved our goal of improving the scorecard and now, we're monitoring the score on each meeting.

@RafaelGSS RafaelGSS unpinned this issue Mar 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants