cue icon indicating copy to clipboard operation
cue copied to clipboard
verified publisher icon cue-lang

Enable the OpenSSF Scorecard Github Action

Open joycebrum opened this issue 3 years ago • 0 comments

Hello, I am Joyce and I'm working on behalf of Google and the Open Source Security Foundation to help essential open-source projects improve their supply-chain security. Given the CUE Language relevance and impact in many projects, the OpenSSF has identified it as one of the 100 most critical open source projects.

Is your feature request related to a problem? Please describe. According to Open Source Security and Risk Analysis Report, 84% of all codebases have at least one vulnerability, with an average of 158 per codebase. The majority have been in the code for more than 2 years and have documented solutions available.

Even in large tech companies, the tedious process of reviewing code for vulnerabilities falls down the priority list, and there is little insight into known vulnerabilities and solutions that companies can draw on.

That’s where the OpenSSF tool called Scorecards is helping. Its focus is to understand the security posture of a project and assess the risks that the dependencies could introduce.

Describe the solution you'd like

Scorecards runs dozens of automated security checks to help maintainers better understand their project's supply-chain security posture. It is developed by the OpenSSF, in partnership with GitHub.

To simplify maintainers' lives, the OpenSSF has also developed the Scorecard GitHub Action. It is very lightweight and runs on every change to the repository's main branch. The results of its checks are available on the project's security dashboard, and include suggestions on how to solve any issues (see examples in the Additional context). The Action does not run or interact with any workflows, but merely parses them to identify possible vulnerabilities. This Action has been adopted by 1800+ projects already.

This way, the OpenSSF Scorecard Github Action could help you to increase the security of the repository, providing some guarantee that it is (mostly) safe from malicious sabotage.

Would you be interested in a PR which adds this Action? Optionally, it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README, which is a great way to show off your hard work to improve security best practices and to help raising the collective level of open source security.

Any concerns or doubts please let me know.

Additional context Code scanning dashboard with multiple alerts, including Code-Review and Token-Permissions

Detail of a Token-Permissions alert, indicating the specific file and remediation steps

joycebrum avatar Sep 20 '22 19:09 joycebrum