codeowners-generator
Improve security measures (with the help of OpenSSF Scorecard)
Lately, I've been looking a bit at OpenSSF Scorecard; it is a security assessment for open source projects.
You can see the current score here: https://securityscorecards.dev/viewer/?uri=github.com/gagoar/codeowners-generator
I think there are some fairly easy improvements that can be done, and there are tools to help. Below are the main improvements, which we can split off into separate issues (if this sounds good):
- [ ] Adjust GitHub Workflow token permissions (principle of least privilege)
- [ ] Add a security policy (SECURITY.md) and turn on private vulnerability reporting
- [ ] Pin Workflow versions and make Renovate update them
  - This helps guard against supply chain attacks
  - OpenSSF docs
  - Renovate docs
- [ ] Add tool for static code analysis, CodeQL
- [ ] Optional: Add OpenSSF Scorecard workflow, so the score is updated more often
- [ ] Optional: Add OpenSSF Scorecard badge to the readme
Any thoughts, @gagoar ?
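A quick check for two of the items on the list above (actions not pinned to a commit SHA, and a workflow with no top-level permissions block), as an added example that is not part of this issue or of the codeowners-generator project; the two workflow texts are constructed samples and the SHA in the hardened one is a placeholder:

```python
import re
from dataclasses import dataclass, field

# `uses: owner/repo[/path]@ref`, optionally followed by a "# vX.Y.Z" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

@dataclass
class Audit:
    unpinned: list = field(default_factory=list)  # (action, ref) pairs not pinned to a commit SHA
    has_permissions: bool = False                 # workflow-level `permissions:` block present

def audit_workflow(text: str) -> Audit:
    """Flag actions referenced by tag/branch instead of a full commit SHA, and a missing
    workflow-level permissions block (without it GITHUB_TOKEN gets the repository default)."""
    result = Audit()
    for line in text.splitlines():
        if line.startswith("permissions:"):  # column 0 == workflow level, not job level
            result.has_permissions = True
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group(2)):
            result.unpinned.append((m.group(1), m.group(2)))
    return result

# Constructed sample: a typical workflow before hardening (mutable refs, no permissions block).
WEAK = """\
name: CI
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - run: npm test
"""

# Constructed sample after hardening: read-only token, actions pinned to a digest.
# The SHA is a placeholder, not a real commit of either action.
HARDENED = """\
name: CI
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef # v4
      - uses: actions/setup-node@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef # v4
      - run: npm test
"""
```

Run it over each file under `.github/workflows/` to get the "quick review to see what's not pinned"; the Renovate preset then keeps the digests and their version comments current.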
I've done this at work. Most of it is okay. Some notes tho:
- OSS has limited machine time per PR. CodeQL is a bit heavy. There are no objections here. Keep in mind Renovate craziness might get us some queues going that slow us down.
- Pinning versions is something I usually do. It could be a quick review to see what's not pinned.
- Least permissions on workflows is a tricky one. The ones we use to publish are the ones I find the most tricky to test. Everything else can scope to read-only, right?
I will be sure to take the workflow versions to be pinned as soon as you are done with the latest updates.
Sounds good! 👍
> I will take the workflow versions to be pinned as soon as you are done with the latest updates.
I think adding this Renovate preset will take care of that, probably in one PR.
You can also use this tool that OpenSSF links to: https://app.stepsecurity.io/securerepo
Done! https://github.com/gagoar/codeowners-generator/pull/385