
Improve security practices

Open sripwoud opened this issue 1 year ago • 2 comments

See https://discord.com/channels/943612659163602974/1006997078259552346/1237782683229356173 (PSE internal discord).

Here are the scorecard results of the semaphore repo: 4.3/10 (scorecard.txt)

I don't think the goal is to get a 10/10. But there are probably some quick wins we can implement like:

  • [ ] Improve branch protection rules
  • [ ] Add a dependency update/scan tool bot. I like using socket-security on some of my repos.
  • [ ] Pin some dependencies by hash
  • [ ] Add a security policy file
  • [ ] Restrict GH workflow token permissions
  • [ ] Address existing vulnerabilities

See the links in the report for more explanation and mitigations.

sripwoud avatar May 20 '24 09:05 sripwoud
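Two of the checklist items above (restricting workflow token permissions, pinning dependencies by hash) and the dependency-update bot are all expressed in files under `.github/`. The block below is an added illustration of what those files look like when they satisfy the corresponding Scorecard checks (Token-Permissions, Pinned-Dependencies, Dependency-Update-Tool); it is not the semaphore repo's actual workflow or configuration. Two files are shown in one block, separated by a YAML document marker, with a comment naming each. The commit SHAs are all-zero placeholders that must be replaced with the real digest from each action's release page, and `npm ci` is assumed as the lockfile-respecting install command; substitute the project's own.

```yaml
# .github/workflows/ci.yml  (illustrative; not the semaphore repo's own workflow)
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Token-Permissions: the default GITHUB_TOKEN is read/write on most scopes
# unless the repository setting says otherwise. A read-only baseline at the
# top level means every job starts with least privilege and must opt in to
# anything more.
permissions: read-all

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # only what checkout needs
    steps:
      # Pinned-Dependencies: reference third-party actions by a full
      # 40-character commit SHA, not a mutable tag. A tag can be moved to
      # point at different code; a SHA cannot. The SHAs below are
      # placeholders, not real digests. Keep the human-readable version in a
      # trailing comment so dependabot can bump the SHA and the comment
      # together.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
        with:
          node-version: 20
      # Install strictly from the lockfile. A bare `npm install` may resolve
      # fresh versions and silently change what CI is testing.
      # (npm assumed here; use the project's own lockfile-respecting command.)
      - run: npm ci
      - run: npm test

  # A job that genuinely needs to write asks for exactly that scope and
  # nothing else, instead of inheriting a read/write token everywhere.
  release:
    if: github.ref == 'refs/heads/main'
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
      - run: echo "publish step goes here"

---
# .github/dependabot.yml  (illustrative). Dependency-Update-Tool looks for
# this file (or a Renovate config). The github-actions ecosystem entry is
# what keeps the SHA-pinned actions above from going stale.
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
```

The remaining items on the list are not workflow files: branch protection lives in the repository settings, and the security policy is a `SECURITY.md` at the repo root (or in `.github/`). Once the workflow and dependabot files are in place, re-running Scorecard against the repo is the quickest way to confirm which checks moved.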

Thank you very much for pointing this out @sripwoud! Super important 🙏🏽

cedoor avatar May 21 '24 00:05 cedoor

@sripwoud We should give priority to this

cedoor avatar Oct 03 '24 17:10 cedoor