Enable repo security options #283

Open · deeglaze opened this issue Mar 6, 2024 · 1 comment

deeglaze (Contributor) commented Mar 6, 2024

The Open Source Scorecard run on this repo gives the following report:

Note branch protection and unreviewed changes as the main problems.

RESULTS
-------
Aggregate score: 6.9 / 10

Check scores:
| SCORE | NAME | REASON | DOCUMENTATION/REMEDIATION |
|-------|------|--------|---------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#binary-artifacts |
| 0 / 10 | Branch-Protection | branch protection not enabled on development/release branches | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#branch-protection |
| 10 / 10 | CI-Tests | 13 out of 13 merged PRs checked by a CI test -- score normalized to 10 | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#ci-tests |
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF best practices badge detected | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#cii-best-practices |
| 9 / 10 | Code-Review | found 1 unreviewed changesets out of 14 -- score normalized to 9 | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#code-review |
| 10 / 10 | Contributors | project has 11 contributing companies or organizations | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#contributors |
| 10 / 10 | Dangerous-Workflow | no dangerous workflow patterns detected | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#dangerous-workflow |
| 10 / 10 | Dependency-Update-Tool | update tool detected | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#dependency-update-tool |
| 10 / 10 | Fuzzing | project is fuzzed | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#fuzzing |
| 10 / 10 | License | license file detected | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#license |
| 10 / 10 | Maintained | 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#maintained |
| ? | Packaging | packaging workflow not detected | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#packaging |
| 0 / 10 | Pinned-Dependencies | dependency not pinned by hash detected -- score normalized to 0 | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#pinned-dependencies |
| 0 / 10 | SAST | SAST tool is not run on all commits -- score normalized to 0 | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#sast |
| 9 / 10 | Security-Policy | security policy file detected | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#security-policy |
| ? | Signed-Releases | no releases found | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#signed-releases |
| 0 / 10 | Token-Permissions | detected GitHub workflow tokens with excessive permissions | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#token-permissions |
| 10 / 10 | Vulnerabilities | 0 existing vulnerabilities detected | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#vulnerabilities |

Repro steps:

1. Get a GitHub personal API token and store it in `$TOKEN`.
2. Run:

```shell
docker run -e GITHUB_AUTH_TOKEN="${TOKEN}" gcr.io/openssf/scorecard:stable --repo=github.com/coconut-svsm/svsm
```
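One way to turn the report above into a CI gate for the checks this issue calls out, as an added example that is not part of the issue or the svsm project: it parses the JSON that Scorecard emits when the command above is run with `--format json` appended (Scorecard reports an inconclusive "?" as a score of -1 there), and fails only the checks a repo-specific policy names. The sample report and the `POLICY` thresholds are constructed here for illustration.

```python
# Added example (not from the issue): gate CI on selected OpenSSF Scorecard
# checks, reading the JSON produced by `scorecard ... --format json`.
import json

# Constructed sample, abbreviated to a few checks with the scores from the
# report above. Scorecard encodes an inconclusive ("?") check as score -1.
SAMPLE_REPORT = json.dumps({
    "score": 6.9,
    "checks": [
        {"name": "Branch-Protection", "score": 0,
         "reason": "branch protection not enabled on development/release branches"},
        {"name": "Code-Review", "score": 9,
         "reason": "found 1 unreviewed changesets out of 14 -- score normalized to 9"},
        {"name": "Token-Permissions", "score": 0,
         "reason": "detected GitHub workflow tokens with excessive permissions"},
        {"name": "Signed-Releases", "score": -1, "reason": "no releases found"},
        {"name": "Fuzzing", "score": 10, "reason": "project is fuzzed"},
    ],
})

# Minimum score per check that this repo chooses to enforce (a local policy,
# assumed for the example; Scorecard itself has no pass/fail threshold).
POLICY = {"Branch-Protection": 8, "Code-Review": 10,
          "Token-Permissions": 10, "Signed-Releases": 8}


def failing_checks(report_json, policy, inconclusive_fails=False):
    """Return {name: (score, reason)} for every policy check below its minimum.

    Inconclusive checks (score -1) are skipped unless inconclusive_fails is
    set; a policy check absent from the report is always reported."""
    report = json.loads(report_json)
    found = {c["name"]: c for c in report.get("checks", [])}
    failures = {}
    for name, minimum in policy.items():
        check = found.get(name)
        if check is None:
            failures[name] = (None, "check missing from report")
            continue
        score = check["score"]
        if score < 0:
            if inconclusive_fails:
                failures[name] = (score, "inconclusive: " + check["reason"])
            continue
        if score < minimum:
            failures[name] = (score, check["reason"])
    return failures


if __name__ == "__main__":
    for name, (score, reason) in sorted(failing_checks(SAMPLE_REPORT, POLICY).items()):
        print(f"FAIL {name}: score={score} ({reason})")
```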
joergroedel self-assigned this May 3, 2024

joergroedel (Member) commented:

I will look into enabling the OpenSSF scorecard checks. Thanks for bringing this up.
