Add OpenSSF Scoreboard analysis #9
Conversation
Hi, I don't think this is relevant for this kind of project, I tried it on the repo and got the following:
This is an offensive tool to help discover vulnerabilities, not a tool that will be deployed and executed on some servers where users can interact with it. However, based on the output of the tool I've enabled
Yes, all scoreboard recommendations are not mandatory: you won't find any repository with a 10/10. As you say, it already provided a good value with dependabot!
As an end-user of octoscan I expect the dependency to improve on its own security (I don't use it as a red team tool but for continuous assessment in a blue team effort).
Signed releases is a good idea, do you have examples of how to do this? For pinned dependencies it's too long to do for each action, I don't want to lose time on this. I've added a weak branch protection and for token permissions same, I don't want to lose time on this sorry :)
Renovate instead of dependabot can do that with the best-practices preset (or manually configured). It keeps the comment after the commit hash updated too, with the same granularity.
dependabot can do it too. What is the value of renovate here?
SLSA has an official GitHub Action and documentation for the Go builder. I use it often, with an example here.
Do I first need to pin the commit to get this feature?
Ok, I'll take a look, thank you!
Dependabot and Renovate will work on actions pinned by the gitoid (the hash) followed by the comment of the corresponding tag. It is not mandatory for them to work, but is a good practice for integrity checks: a git tag is not immutable, while a commit is. To sum it up, the current dependabot configuration will open PRs for dependency updates, whatever the pin strategy (either per-tag or per-gitoid).
Renovate can do the conversion, or pin a semver up to patch instead of only major. That's what I was trying to say. It was in response to saying it would be really long to change everywhere.
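An added example, not code from octoscan or from this PR, of the distinction the two comments above draw between per-tag and per-gitoid pins: a small Python check that reports which `uses:` steps in a workflow reference an immutable commit hash (with the tag kept in the trailing comment, as Dependabot and Renovate expect) and which still reference a mutable tag or branch. The workflow text and the 40-character hash are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow; the hash is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5.0.2
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: example/action@main
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?(?:\s*#\s*(.*))?$")
SHA_RE = re.compile(r"[0-9a-f]{40}")  # a full gitoid, the only immutable ref

@dataclass
class Pin:
    action: str   # e.g. actions/checkout
    ref: str      # the part after '@': tag, branch or commit hash
    kind: str     # "commit", "mutable", "local" or "docker"
    comment: str  # trailing comment where the updater keeps the tag name

def classify(ref_spec: str, comment: str = "") -> Pin:
    if ref_spec.startswith("./"):
        return Pin(ref_spec, "", "local", comment)   # lives in this repo
    if ref_spec.startswith("docker://"):
        return Pin(ref_spec, "", "docker", comment)  # image pins not checked here
    action, _, ref = ref_spec.partition("@")
    kind = "commit" if SHA_RE.fullmatch(ref) else "mutable"
    return Pin(action, ref, kind, comment)

def scan_workflow(text: str) -> list[Pin]:
    """Classify every `uses:` reference found in a workflow file."""
    pins = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            pins.append(classify(m.group(1), (m.group(2) or "").strip()))
    return pins

def find_unpinned(text: str) -> list[str]:
    """Return 'owner/repo@ref' for each step still pinned to a tag or branch."""
    return [f"{p.action}@{p.ref}" for p in scan_workflow(text) if p.kind == "mutable"]

if __name__ == "__main__":
    for p in scan_workflow(SAMPLE_WORKFLOW):
        print(f"{p.kind:8} {p.action}@{p.ref} {p.comment}")
```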
Currently, octoscan provides great audit value, but has no audit itself.
This PR brings the OpenSSF Scoreboard as a continuous security audit tool. It should help contributors that are non-developers but have a security profile to give them guidelines on how to help octoscan improve its security practices and posture.
My last manually-triggered audit showed current octoscan scores 4.7/10, which highlights plenty of room for improvement, but no big security defect. The expected behavior with Scoreboard is to raise both the score, thus the security practices, and the security knowledge of the community.
Moreover it has a cool badge 😄
Dependencies are pinned as a good practice from OpenSSF.