slsa-verifier icon indicating copy to clipboard operation
slsa-verifier copied to clipboard

Published 20 hours ago verified publisher icon slsa-framework

Improve Scorecard Score

Open melba-lopez opened this issue 2 years ago • 0 comments

Describe the bug Improve repository's OpenSSF Scorecard score (currently at 6.5)

To Reproduce docker run -e GITHUB_AUTH_TOKEN gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/slsa-framework/slsa-verifier --format=json > scorecard_slsa-framework_slsa-verifier.json

Expected behavior

  • Branch Protections could be improved
  • CII-Best-Practices Badge could be obtained
  • Project should be Fuzzed
  • All dependencies should be pinned via hash
  • Security Policy should be created
  • Token Permissions should follow principle of least priveledge

Screenshots image image image image image image

Additional context Attempted to upload the JSON file, but github does not allow me to. Related to recommendation of securing our repos: https://github.com/slsa-framework/slsa/issues/424

melba-lopez avatar Jul 14 '22 21:07 melba-lopez