
Feature: incorporate CLOMonitor-style exemptions

Open lizrice opened this issue 2 years ago • 15 comments

As a CNCF project we've been encouraged to add both CLOMonitor and OpenSSF Scorecard badges, and there's quite a lot of overlap between the security-related checks that CLOMonitor runs, and the Scorecard checks. We reviewed the results from CLOMonitor and found some false positives, for which we've been able to document exemptions so that they don't appear as failed tests. (We really don't want to display a badge that portrays the project as a lot less secure than it really is!)

It would be great if those same exemptions could be pulled in by Scorecard as well. Ideally there would be just one exemptions file per repo acting as the source of truth (i.e. scorecard could re-use the checks that it finds in a .clomonitor file).

lizrice avatar Jan 24 '23 12:01 lizrice

Hey, we've been thinking of creating a config file as well. Thanks for the link, I was not aware of CLOMonitor. Is it a CNCF project?

laurentsimon avatar Jan 26 '23 02:01 laurentsimon

Yes: https://github.com/cncf/clomonitor

lizrice avatar Jan 27 '23 08:01 lizrice

Seems that CLOMonitor pulls in the tests from Scorecard, so maybe that's where the exemptions should live too. Would be great if the schema for documenting those exemptions could be reused though, to save reinventing the wheel.

lizrice avatar Feb 01 '23 22:02 lizrice

Stale issue message - this issue will be closed in 7 days

github-actions[bot] avatar Sep 17 '23 01:09 github-actions[bot]

Can I reopen this to get comment from the team?

lizrice avatar Sep 25 '23 06:09 lizrice

Hmm, thought we had disabled the auto close in #3493

spencerschrock avatar Sep 25 '23 14:09 spencerschrock

@gabibguti something to consider with the maintainer annotation work

spencerschrock avatar Sep 25 '23 14:09 spencerschrock

This issue is stale because it has been open for 60 days with no activity.

github-actions[bot] avatar Nov 25 '23 01:11 github-actions[bot]

Hi, have there been any updates on this issue? I am working on adding the OpenSSF Scorecard badge to Cilium README, and fixing this would help address the issues mentioned here.

cc @spencerschrock

sandipanpanda avatar Jan 10 '24 16:01 sandipanpanda

> Hi, have there been any updates on this issue? I am working on adding the OpenSSF Scorecard badge to Cilium README, and fixing this would help address the issues mentioned here.

It's on our roadmap for this quarter. We haven't entirely decided how this will display in terms of the badge.

spencerschrock avatar Jan 10 '24 21:01 spencerschrock

This issue has been marked stale because it has been open for 60 days with no activity.

github-actions[bot] avatar Mar 22 '24 01:03 github-actions[bot]

FYI @caniszczyk

justaugustus avatar Mar 28 '24 19:03 justaugustus

https://github.com/cncf/clomonitor/issues/1466

caniszczyk avatar Mar 28 '24 19:03 caniszczyk

For those tracking this issue, we're getting conversations on the books with the CLOMonitor maintainers to decide on the best integration path for folks leveraging either or both tools.

Stay tuned!

justaugustus avatar Mar 28 '24 19:03 justaugustus

This issue has been marked stale because it has been open for 60 days with no activity.

github-actions[bot] avatar May 28 '24 01:05 github-actions[bot]