Repository security settings can be strengthened. #5354

Open
2 tasks done
amaranthjinn opened this issue Oct 29, 2024 · 1 comment
Assignees
Labels
bug Something isn't working

Comments

@amaranthjinn

Before submitting the issue

  • I have searched among the existing issues
  • I am using a Python virtual environment

Description of the bug

Repository security settings can be strengthened.

Pyaedt is a critical dependency for our project (really appreciate all your work!), however, we are concerned about the risk of bad changes making it into the repository, introducing vulnerabilities into our project given how prevalent software supply chain attacks have become.

We used the tool https://github.com/ossf/scorecard?tab=readme-ov-file#using-scorecard to help us assess the risk of using pyaedt. It suggested that some areas seem to be weak against bad behaviors:

  1. branch protection - no branch protection enabled for release/0.8; required approving review count is 1 on branch 'main'; code owners review is not required on branch 'main'. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection for more details.

  2. token permission - no topLevel permission defined: .github/workflows/ci_cd.yml:1; no topLevel permission defined: .github/workflows/label.yml:1; no topLevel permission defined: .github/workflows/manual_draft.yml:1; no topLevel permission defined: .github/workflows/nightly-docs.yml:1; no topLevel permission defined: .github/workflows/unit_test_prerelease.yml:1. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions for more details.

  3. signed-releases - The release artifacts are not signed, see https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases.

Those seem to be concerns that can be addressed fairly quickly, and they can help increase the trust in the package a great deal. We would really appreciate it if the settings could be strengthened soon.

Steps To Reproduce

See https://github.com/ossf/scorecard/tree/main?tab=readme-ov-file#scorecard-command-line-interface for instructions on running the tool.

Run security scan against the pyaedt repo:
scorecard --repo=https://github.com/ansys/pyaedt --checks=Dangerous-Workflow,Maintained,Vulnerabilities,Binary-Artifacts,Branch-Protection,Code-Review,Token-Permissions,Signed-Releases,Dependency-Update-Tool --show-details

Which Operating System are you using?

Linux

Which Python version are you using?

3.11

Installed packages

pyaedt==0.8.11
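As an added example (not from the issue author or the pyaedt project), a small Python check that reproduces the Token-Permissions finding from point 2 above for a workflows directory, so a maintainer can verify the fix locally before re-running Scorecard; the two sample workflow texts are constructed, and the check assumes top-level YAML keys sit at column 0.

```python
"""Check GitHub Actions workflows for a top-level `permissions:` block.

Mirrors the "no topLevel permission defined" finding of the OpenSSF
Scorecard Token-Permissions check as a line-based check that needs no
YAML library (assumption: top-level keys sit at column 0).
"""
import re
from pathlib import Path

TOP_LEVEL_PERMISSIONS = re.compile(r"^permissions\s*:")
WRITE_ALL = re.compile(r"^permissions\s*:\s*write-all\s*$")


def check_workflow_text(path: str, text: str) -> list:
    """Return Scorecard-style findings for one workflow's text."""
    findings = []
    has_top_level = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if TOP_LEVEL_PERMISSIONS.match(line):  # column 0 only: job-level keys are indented
            has_top_level = True
            if WRITE_ALL.match(line):  # present, but broader than the default token
                findings.append(f"topLevel 'write-all' permission defined: {path}:{lineno}")
    if not has_top_level:
        findings.append(f"no topLevel permission defined: {path}:1")
    return findings


def check_workflow_dir(workflow_dir: str) -> list:
    """Scan every .yml/.yaml file in a workflows directory (e.g. .github/workflows)."""
    findings = []
    for p in sorted(Path(workflow_dir).glob("*.y*ml")):
        findings.extend(check_workflow_text(str(p), p.read_text()))
    return findings


# Constructed sample workflows, not pyaedt's real files.
MISSING = "name: ci\non: [push]\njobs:\n  test:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n"
HARDENED = (
    "name: ci\non: [push]\npermissions:\n  contents: read\njobs:\n  test:\n"
    "    permissions:\n      pull-requests: write\n    runs-on: ubuntu-latest\n"
    "    steps:\n      - uses: actions/checkout@v4\n"
)

if __name__ == "__main__":
    for path, text in (("ci_cd.yml", MISSING), ("ci_cd_fixed.yml", HARDENED)):
        print(path, check_workflow_text(path, text) or ["ok"])
```

The hardened sample keeps a read-only default at the top level and grants the one extra scope only to the job that needs it, which is the shape the Scorecard check looks for.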

@amaranthjinn amaranthjinn added the bug Something isn't working label Oct 29, 2024
@MaxJPRey MaxJPRey self-assigned this Oct 29, 2024
@SMoraisAnsys
Collaborator

Thanks for your feedback. We'll have a look at the things you mentioned!

@amaranthjinn amaranthjinn changed the title Bug located in ... Repository security settings can be strengthened. Nov 7, 2024