github-actions-demo icon indicating copy to clipboard operation
github-actions-demo copied to clipboard

Published 20 hours ago verified publisher icon slsa-framework

Improve Scorecard score

Open melba-lopez opened this issue 2 years ago • 0 comments

Describe the bug I know this is a demo repository, but if we are expecting people to install on their own systems, we should try to follow security best practices as well. If the demo is no longer valid, we could either repurpose for future demos or deprecate the repo.

Improve repository's OpenSSF Scorecard score (currently at 4.2)

To Reproduce docker run -e GITHUB_AUTH_TOKEN gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/slsa-framework/github-actions-demo --format=json > scorecard_slsa-framework_github-actions-demo.json

Expected behavior

  • Branch Protections could be improved
  • CII-Best-Practices Badge could be obtained
  • Project should always have reviews/CI-Tests when possible
  • Project should be Fuzzed
  • Dependencies should be updated regularly with automated tooling
  • Repo is not maintained --> may be as a result of it being a deprecated repo
  • All dependencies should be pinned via hash
  • SAST Tool should be used to scan upon code commits
  • Security Policy should be created
  • Token Permissions should follow principle of least privilege

Screenshots image image image image image image

Additional context Attempted to upload the JSON file, but github does not allow me to. Related to recommendation of securing our repos: https://github.com/slsa-framework/slsa/issues/424

melba-lopez avatar Jul 14 '22 21:07 melba-lopez