
ci: add ossf/scorecard github action

Open · wwuck opened this issue 1 year ago · 1 comment

This adds the github action for https://github.com/ossf/scorecard. I followed the same template used by the docker compose repository in https://github.com/docker/compose/pull/9846 and https://github.com/docker/compose/issues/9845.

wwuck · Mar 11 '24 00:03

I ran a manual scan using the CLI instructions on the Scorecard website and this is what it produced. You can run it with --show-details to see the full details of each check result.

docker run -e GITHUB_AUTH_TOKEN=<public_repo_token> gcr.io/openssf/scorecard:stable --repo=github.com/yoheimuta/protolint
Starting [Maintained]
Starting [Signed-Releases]
Starting [Dependency-Update-Tool]
Starting [CII-Best-Practices]
Starting [Vulnerabilities]
Starting [Branch-Protection]
Starting [Contributors]
Starting [Packaging]
Starting [Pinned-Dependencies]
Starting [Code-Review]
Starting [Dangerous-Workflow]
Starting [License]
Starting [Binary-Artifacts]
Starting [Token-Permissions]
Starting [Security-Policy]
Starting [Fuzzing]
Starting [SAST]
Starting [CI-Tests]
Aggregate score: 5.6 / 10

Check scores:
Finished [Signed-Releases]
Finished [Dependency-Update-Tool]
Finished [CII-Best-Practices]
Finished [Vulnerabilities]
Finished [Branch-Protection]
Finished [Pinned-Dependencies]
Finished [Code-Review]
Finished [Dangerous-Workflow]
Finished [License]
Finished [Binary-Artifacts]
Finished [Contributors]
Finished [Packaging]
Finished [Token-Permissions]
Finished [Security-Policy]
Finished [Fuzzing]
Finished [SAST]
Finished [CI-Tests]
Finished [Maintained]

RESULTS
-------
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |                                               DOCUMENTATION/REMEDIATION                                               |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts       | no binaries found in the repo  | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#binary-artifacts       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 6 / 10  | Branch-Protection      | branch protection is not       | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#branch-protection      |
|         |                        | maximal on development and all |                                                                                                                       |
|         |                        | release branches               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | CI-Tests               | 10 out of 10 merged PRs        | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#ci-tests               |
|         |                        | checked by a CI test -- score  |                                                                                                                       |
|         |                        | normalized to 10               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | CII-Best-Practices     | no effort to earn an OpenSSF   | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#cii-best-practices     |
|         |                        | best practices badge detected  |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 6 / 10  | Code-Review            | found 4 unreviewed changesets  | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#code-review            |
|         |                        | out of 10 -- score normalized  |                                                                                                                       |
|         |                        | to 6                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors           | project has 4 contributing     | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#contributors           |
|         |                        | companies or organizations     |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#dangerous-workflow     |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected           | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Fuzzing                | project is not fuzzed          | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#fuzzing                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License                | license file detected          | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#license                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained             | 15 commit(s) and 5 issue       | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#maintained             |
|         |                        | activity found in the last 90  |                                                                                                                       |
|         |                        | days -- score normalized to 10 |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Packaging              | packaging workflow detected    | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#packaging              |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Pinned-Dependencies    | dependency not pinned by hash  | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#pinned-dependencies    |
|         |                        | detected -- score normalized   |                                                                                                                       |
|         |                        | to 0                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | SAST                   | SAST tool is run on all        | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#sast                   |
|         |                        | commits                        |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Security-Policy        | security policy file not       | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#security-policy        |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Signed-Releases        | Project has not signed or      | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#signed-releases        |
|         |                        | included provenance with any   |                                                                                                                       |
|         |                        | releases.                      |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Token-Permissions      | detected GitHub workflow       | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#token-permissions      |
|         |                        | tokens with excessive          |                                                                                                                       |
|         |                        | permissions                    |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Vulnerabilities        | 14 existing vulnerabilities    | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#vulnerabilities        |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|

I'm guessing that maybe not every check would be useful for this project, but there are definitely some small changes that can be made to get easy wins on project security.

wwuck · Mar 12 '24 02:03