git-proxy
chore(OSSF): update token permissions to improve ossf scorecard
Description:
This PR aims to improve the repository's security posture by adhering to the principle of least privilege and enhancing the OSSF Scorecard score. The following changes have been made to reduce excessive permissions in GitHub Actions workflows and ensure a more secure CI/CD pipeline.
A small fix related to bringing up the git proxy locally is also included.
Issue: Bump OSSF score above 9.0 ⬆️
Should improve this score:
Changes:
1. Updated token permissions: Scoped permissions at both the top-level and job level for workflows such as:
- ci.yml: Restricted permissions to only contents: read, statuses: write as necessary.
- codeql.yml: Added top-level permissions (contents: read, security-events: write) to ensure CodeQL can upload security events.
- npm.yml: Scoped permissions to packages: write for publishing, with only contents: read for other operations.
- pr-lint.yml: Limited PR-related workflows to pull-requests: write and statuses: write to reduce unnecessary permissions.
- scorecard.yml: Scoped permissions to security-events: write and id-token: write for result publication and scorecard analysis.
2. Enhanced security:
- Applied the principle of least privilege to limit the scope of token access.
- Updated all workflows to ensure they use only the permissions necessary for their tasks, preventing unnecessary access to other GitHub components.
3. Improved OSSF Scorecard rating:
- These changes directly address issues raised by the OSSF Scorecard tool, enhancing the repository’s security rating by ensuring token permissions follow best security practices.
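As an added illustration of the top-level and job-level scoping described above (this is a constructed example, not the git-proxy repository's actual ci.yml; the job name, steps and `npm` commands are assumptions), the first document shows the shape the OSSF Scorecard Token-Permissions check flags, and the second the least-privilege form:

```yaml
# Before: no `permissions` key at any level, so GITHUB_TOKEN receives the
# repository's default grant, which is often read/write on every scope.
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
---
# After: a read-only default for every job, with the one extra scope this
# job needs granted only where it is used.
name: ci
on: [push, pull_request]
permissions:
  contents: read          # top-level default: checkout only
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read      # must be repeated: a job-level block replaces the top-level one
      statuses: write     # only this job may post a commit status
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
```

Two points worth checking when reviewing such a change: a job-level `permissions` block does not merge with the top-level one but replaces it for that job, so any scope the job still needs (here `contents: read`) has to be listed again; and a top-level `permissions: read-all` or an explicit `contents: read` is what lets Scorecard treat the workflow's default as restricted, while scopes such as `security-events: write` or `id-token: write` are expected only on the jobs that upload results or request an OIDC token.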
Benefits:
- Reduced risk of unauthorized access due to overly permissive tokens.
- Enhanced overall security posture by minimizing the attack surface in workflows.
- Improved transparency and maintainability by explicitly defining token permissions in each workflow.
- Positive impact on OSSF Scorecard score.
Checklist:
- ✅ Updated workflows with restrictive token permissions.
- ✅ Addressed OSSF Scorecard recommendations for token permissions.