
chore(OSSF): update token permissions to improve ossf scorecard

laukik-target opened this pull request 1 year ago • 6 comments

Description:

This PR aims to improve the repository's security posture by adhering to the principle of least privilege and enhancing the OSSF Scorecard score. The following changes have been made to reduce excessive permissions in GitHub Actions workflows and ensure a more secure CI/CD pipeline.

A small fix related to bringing up git proxy locally is also included.

Issue: Bump OSSF score above 9.0 ⬆️

Should improve this score: [image]

Changes:

1. Updated token permissions: Scoped permissions at both the top-level and job level for workflows such as:

  • ci.yml: Restricted permissions to only contents: read, statuses: write as necessary.
  • codeql.yml: Added top-level permissions (contents: read, security-events: write) to ensure CodeQL can upload security events.
  • npm.yml: Scoped permissions to packages: write for publishing, with only contents: read for other operations.
  • pr-lint.yml: Limited PR-related workflows to pull-requests: write and statuses: write to reduce unnecessary permissions.
  • scorecard.yml: Scoped permissions to security-events: write and id-token: write for result publication and scorecard analysis.

2. Enhanced security:

  • Applied the principle of least privilege to limit the scope of token access.
  • Updated all workflows to ensure they use only the permissions necessary for their tasks, preventing unnecessary access to other GitHub components.

3. Improved OSSF Scorecard rating:

  • These changes directly address issues raised by the OSSF Scorecard tool, enhancing the repository’s security rating by ensuring token permissions follow best security practices.

Benefits:

  • Reduced risk of unauthorized access due to overly permissive tokens.
  • Enhanced overall security posture by minimizing the attack surface in workflows.
  • Improved transparency and maintainability by explicitly defining token permissions in each workflow.
  • Positive impact on OSSF Scorecard score.

Checklist:

  • ✅ Updated workflows with restrictive token permissions.
  • ✅ Addressed OSSF Scorecard recommendations for token permissions.

laukik-target avatar Oct 26 '24 19:10 laukik-target

CLA Signed

The committers listed above are authorized under a signed CLA.

  • :white_check_mark: login: laukik-target / name: Laukik (3f90e2a8ccd1384f87225f74c06c37edf119025b, 1e394c9d04ee9c896d5764fd002f6259d30a4e81, feb2db4b71017b8a286fa585258a9abd39aa611e, 673c109e7b93a41120f35d26fc6c06302f3941e9, 0fb941d967db7e391006b5eeaa4f06a4243fe51f, 22784a724c4a52712bf4127cf966d29814b3d618, 5e2b0c63a3b485d970ac883eae9e5aae6c7b5514, 01e9403e2f65c417820352ed511172bdcf4de91d, 55db7dac3ce7f1c936d6fb72129034c3989762b5, 46998090d90f49ee28e9bb414b3115211667d51f, 2a87487d8bb70ab893d04b2f8219649097a059d5)
  • :white_check_mark: login: JamieSlome / name: Jamie Slome (b6ff626328866916270d2cf6f57132e110940faa, e000c6f592d87f14402a7ef6dd9239ddf6d484c6, ef12a6628297fba4d05ed27e430d1f60c94ed813)
  • :white_check_mark: login: jescalada / name: Juan Escalada (71c6d92256ef0445885eca2dcf6de969e09ff90f)
  • :white_check_mark: login: coopernetes / name: Thomas Cooper (b7f26f32596811bdb52e734f5a8b9cce9d3e4e81)

Deploy Preview for endearing-brigadeiros-63f9d0 canceled.

Latest commit: 71c6d92256ef0445885eca2dcf6de969e09ff90f
Latest deploy log: https://app.netlify.com/projects/endearing-brigadeiros-63f9d0/deploys/686fc56ac4a0ce000811a634

netlify[bot] avatar Oct 26 '24 19:10 netlify[bot]

@JamieSlome I am a citi Employee, I Sent an authorization request as a Corporate Contributor for EasyCLA. Can you please approve it?

laukik-target avatar Oct 26 '24 19:10 laukik-target

@laukik-target - great PR ❤️ Can you re-open using commits created with your Citi e-mail address?

JamieSlome avatar Oct 29 '24 08:10 JamieSlome

> @laukik-target - great PR ❤️ Can you re-open using commits created with your Citi e-mail address?

I guess it is good to merge now.

laukik-target avatar Oct 29 '24 08:10 laukik-target

@JamieSlome Changes are done. Requesting re-review and approval.

laukik-target avatar Oct 31 '24 14:10 laukik-target

@JamieSlome Can you please re-review and approve the PR

laukik-target avatar Nov 06 '24 05:11 laukik-target

Codecov Report

:white_check_mark: All modified and coverable lines are covered by tests. :white_check_mark: Project coverage is 77.41%. Comparing base (15c68a3) to head (71c6d92). :warning: Report is 196 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #763   +/-   ##
=======================================
  Coverage   77.41%   77.41%           
=======================================
  Files          55       55           
  Lines        2276     2276           
  Branches      255      255           
=======================================
  Hits         1762     1762           
  Misses        484      484           
  Partials       30       30           


codecov[bot] avatar Nov 08 '24 12:11 codecov[bot]

@laukik-target - are we able to rebase all of your 10 commits to use your Citi e-mail address instead? All 10 commits should use your public Citi e-mail address instead of the current Gmail address 👍 Let me know if you need help on how to do this.

JamieSlome avatar Nov 08 '24 12:11 JamieSlome

> @laukik-target - are we able to rebase all of your 10 commits to use your Citi e-mail address instead? All 10 commits should use your public Citi e-mail address instead of the current Gmail address 👍 Let me know if you need help on how to do this.

@JamieSlome I squashed my commits into a single one for clarity and updated the e-mail on that single commit to my Citi address, but now the EasyCLA check has failed.

Please help.

laukik-target avatar Nov 08 '24 13:11 laukik-target

@JamieSlome
The PR is ready to merge now. Please check.

laukik-target avatar Nov 26 '24 18:11 laukik-target

@JamieSlome Can you please merge this PR

laukik-target avatar Dec 04 '24 17:12 laukik-target

@JamieSlome Can you please approve the PR

laukik-target avatar Jan 13 '25 14:01 laukik-target

@coopernetes @JamieSlome

Can you please approve the PR? I just fixed a linting issue in the last commit.

laukik-target avatar Feb 19 '25 06:02 laukik-target

@JamieSlome @coopernetes
Can you please approve this PR

laukik-target avatar Apr 05 '25 17:04 laukik-target

@JamieSlome Can we get this merged

laukik-target avatar Jun 09 '25 20:06 laukik-target

@JamieSlome we may want to require the OSSF scorecard CI check before merging... Some kind of conditional check would be even better to prevent accidentally lowering the OSSF score below ~7.5 or so.

Edit: Not exactly possible since the OSSF scorecard only seems to run properly on main... We might want to double-check any changes to workflow files to prevent the score from accidentally going down.

jescalada avatar Jul 10 '25 14:07 jescalada
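The permission layout the PR description lists (read-only at the top level, with write scopes only on the job that needs them) and the kind of double-check on workflow changes that jescalada suggests, as an added example that is not code from the git-proxy project. The two workflow texts are constructed for illustration, and `audit` is a simplified stand-in for the Scorecard Token-Permissions check, not Scorecard's own logic; it parses only `permissions:` blocks, not full YAML.

```python
"""Audit GitHub Actions workflow text for token-permission hygiene.

Added example, not part of finos/git-proxy. The two workflow strings are
constructed samples; `audit` approximates three rules from the OSSF
Scorecard Token-Permissions check and is not Scorecard's implementation.
"""
import re

# Constructed sample: no top-level `permissions`, so jobs inherit the
# repository's default GITHUB_TOKEN scope, and the job then asks for write-all.
WEAK_WORKFLOW = """\
name: scorecard
on:
  push:
    branches: [main]
jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - uses: actions/checkout@v4
      - uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          publish_results: true
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
"""

# Constructed sample of the scoped layout the PR describes: read-only at the
# top level, and only the analysis job gets the two write scopes it needs.
SCOPED_WORKFLOW = """\
name: scorecard
on:
  push:
    branches: [main]
permissions: read-all
jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # upload SARIF to code scanning
      id-token: write          # publish results to the Scorecard API
    steps:
      - uses: actions/checkout@v4
      - uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          publish_results: true
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
"""

_PERM_LINE = re.compile(r"^(?P<indent>\s*)permissions:\s*(?P<scalar>[\w-]+)?\s*(#.*)?$")
_KV_LINE = re.compile(r"^(?P<indent>\s*)(?P<key>[\w-]+):\s*(?P<value>[\w-]+)\s*(#.*)?$")


def parse_permissions(text):
    """Return (top_level, jobs): top_level is the workflow-level block, jobs a
    list of job-level blocks. A block is a dict scope -> level, or the scalar
    'read-all' / 'write-all'. None means no top-level block was declared."""
    lines = text.splitlines()
    top, jobs, i = None, [], 0
    while i < len(lines):
        m = _PERM_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        indent = len(m.group("indent"))
        if m.group("scalar"):
            block = m.group("scalar")
            i += 1
        else:
            block = {}
            i += 1
            # Collect `scope: level` lines indented deeper than `permissions:`.
            while i < len(lines):
                kv = _KV_LINE.match(lines[i])
                if not kv or len(kv.group("indent")) <= indent:
                    break
                block[kv.group("key")] = kv.group("value")
                i += 1
        if indent == 0:
            top = block
        else:
            jobs.append(block)
    return top, jobs


def audit(text):
    """Return a list of findings; an empty list means the workflow passes.
    Rules (simplified from Scorecard's Token-Permissions check):
      1. a top-level `permissions:` block must exist;
      2. no block may be `write-all`;
      3. top-level scopes must be read/none; writes belong on a job."""
    top, jobs = parse_permissions(text)
    findings = []
    if top is None:
        findings.append("no top-level permissions block; jobs inherit the default token")
    elif top == "write-all":
        findings.append("top-level permissions: write-all")
    elif isinstance(top, dict):
        for scope, level in top.items():
            if level == "write":
                findings.append(f"top-level write on {scope}; move it to the job that needs it")
    for n, block in enumerate(jobs):
        if block == "write-all":
            findings.append(f"job #{n}: permissions: write-all")
    return findings


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("scoped", SCOPED_WORKFLOW)):
        print(name, audit(wf) or "clean")
```

Run it over `.github/workflows/*.yml` before merging a workflow change; a non-empty finding list is the signal jescalada is after, since the real Scorecard run only reports on `main` after the merge.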

Closing this PR as the OSSF score for token permissions is already 10. Overextending the permissions will unfortunately lower the score...

[image]

jescalada avatar Aug 18 '25 04:08 jescalada