
Enable OpenSSF Scorecard to enhance security practices across the project

Open harshitasao opened this issue 1 year ago • 2 comments

Hi, I'm Harshita. I’m working with CNCF and the Google Open Source Security Team for the GSoC 2024 term. We are collaborating to enhance security practices across various CNCF projects. The goal is to improve security for all CNCF projects by both using OpenSSF Scorecards and implementing its security improvements.

The Open Source Security Foundation (OpenSSF) Scorecard is a tool designed to evaluate the security posture of open-source projects. This has the Scorecard GitHub Action, which automates the process by running security checks on the GitHub repository. By integrating this Action into the repository's workflow, developers can continuously monitor the project’s security posture. The Scorecard checks cover various security best practices and provide scores for multiple categories. Some checks include Code Reviews, Branch Protection, Signed Releases, etc.

The workflow runs on every change in the main branch. It publishes the Scorecard checks' results to the project's security dashboard and includes suggestions on how to solve any issues. This Action has already been adopted by 1800+ projects, with prominent users like Tensorflow, Angular, sos.dev, deps.dev, and many CNCF projects.

Once the Scorecard GitHub Action is set up and running, the results can be displayed as a badge in the repository's README file. This badge serves as a quick indicator of the project's security posture, helping users and contributors evaluate the project's security practices quickly.

Why is this needed:

The OpenSSF Scorecard improves open-source projects' security by providing automated, transparent assessments of their security practices. It will help you identify vulnerabilities, adhere to best practices, and continuously enhance your security posture, increasing user trust and reducing the risk of security exploits.

I'll be the one to create the PR to add the scorecard GitHub action, and I will also work with you to remediate the identified vulnerabilities. I'll go through each scorecard check to see where the score has dropped and how it can be improved.

Would you be interested in a PR which adds this Action?

/cc @joycebrum @diogoteles08 @pnacht @nate-double-u

harshitasao avatar Jul 04 '24 17:07 harshitasao

Very cool @harshitasao, great to see this initiative for you to tackle this across CNCF projects this summer in GSoC 💪

We had a tracking task list item for "OpenSSF Scorecard badge" in https://github.com/crossplane/crossplane/issues/4963, so I've just replaced it with your more fleshed out issue instead.

This is also good timing while our CNCF Graduation proposal https://github.com/cncf/toc/pull/1254 is still waiting to be reviewed 😉

> I'll be the one to create the PR to add the scorecard GitHub action, and I will also work with you to remediate the identified vulnerabilities.

Feel free to reach out any time for us to support your efforts - looking forward to them and thank you very much! 🙇‍♂️

jbw976 avatar Jul 05 '24 22:07 jbw976

Scorecard badge PR - #5233

harshitasao avatar Jul 14 '24 06:07 harshitasao

As the v1.18 milestone is winding down, I just wanted to circle back to you here @harshitasao and thank you for your efforts so far! I want to give this some proper attention soon, but that would be hopefully in the v1.19 milestone - I've updated the issue metadata to reflect that. Sorry for the delay in reviewing/stewarding your work, but thank you very much for everything you've done so far - it's appreciated 🙇‍♂️

jbw976 avatar Oct 22 '24 16:10 jbw976

Hi @jbw976, just a note: @harshitasao was a Google Summer of Code mentee. Since the term is over, she may have less availability than when she opened this issue.

nate-double-u avatar Oct 25 '24 00:10 nate-double-u

Crossplane does not currently have enough maintainers to address every issue and pull request. This issue has been automatically marked as stale because it has had no activity in the last 90 days. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.

github-actions[bot] avatar Apr 29 '25 01:04 github-actions[bot]