example-package icon indicating copy to clipboard operation
example-package copied to clipboard

Published 20 hours ago verified publisher icon slsa-framework

Improve Scorecard Score

Open melba-lopez opened this issue 3 years ago • 0 comments

Describe the bug I know this is an example repository, but if we are expecting people to install on their own systems, we should try to follow security best practices as well. If the example is no longer valid, we could either repurpose or deprecate the repo.

Improve repository's OpenSSF Scorecard score (currently at 4.1)

To Reproduce docker run -e GITHUB_AUTH_TOKEN gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/slsa-framework/example-package --format=json > scorecard_slsa-framework_example-package.json

Expected behavior

  • Branch Protections could be improved
  • CII-Best-Practices Badge could be obtained
  • Project should always have reviews/CI-Tests when possible
  • Project should be Fuzzed
  • Dependencies should be updated regularly with automated tooling
  • All dependencies should be pinned via hash
  • SAST Tool should be used to scan upon code commits
  • Security Policy should be created
  • Token Permissions should follow principle of least privilege

Screenshots image image image image image image image

Additional context Attempted to upload the JSON file, but github does not allow me to. Related to recommendation of securing our repos: https://github.com/slsa-framework/slsa/issues/424

melba-lopez avatar Jul 14 '22 21:07 melba-lopez