Add Scorecard security checks #32

Closed
behnazh opened this issue Nov 1, 2021 · 2 comments
Labels
enhancement New feature or request security Security related features or bugs

Comments

behnazh (Collaborator) commented Nov 1, 2021

It would be nice to add Scorecard analysis to this repo as a GitHub Actions workflow to compute the security score. Scorecard runs various simple checks, e.g., whether Branch-Protection and Security-Policy exist in the repo, and computes a score of 0-1.

Here is the result that I get by locally running Scorecard:

RESULTS
-------
Finished [Binary-Artifacts]
Finished [Maintained]
Finished [Packaging]
Finished [CI-Tests]
Finished [Pinned-Dependencies]
Finished [Signed-Releases]
Finished [Vulnerabilities]
Finished [Branch-Protection]
Finished [Contributors]
Finished [Fuzzing]
Finished [Token-Permissions]
Finished [Security-Policy]
Finished [CII-Best-Practices]
Finished [Code-Review]
Finished [Dependency-Update-Tool]
Finished [SAST]
Aggregate score: 4.5 / 10

Check scores:

| Score | Name | Reason | Documentation/Remediation |
|---|---|---|---|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#binary-artifacts |
| 1 / 10 | Branch-Protection | branch protection is not maximal on development and all release branches | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#branch-protection |
| 10 / 10 | CI-Tests | 14 out of 14 merged PRs checked by a CI test -- score normalized to 10 | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#ci-tests |
| 0 / 10 | CII-Best-Practices | no badge found | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#cii-best-practices |
| 9 / 10 | Code-Review | GitHub code reviews found for 13 commits out of the last 14 -- score normalized to 9 | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#code-review |
| 0 / 10 | Contributors | 0 different companies found -- score normalized to 0 | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#contributors |
| 10 / 10 | Dependency-Update-Tool | update tool detected | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#dependency-update-tool |
| 0 / 10 | Fuzzing | project is not fuzzed in OSS-Fuzz | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#fuzzing |
| 6 / 10 | Maintained | 8 commit(s) found in the last 90 days -- score normalized to 6 | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#maintained |
| ? | Packaging | no published package detected | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#packaging |
| 5 / 10 | Pinned-Dependencies | dependency not pinned by hash detected -- score normalized to 5 | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#pinned-dependencies |
| 0 / 10 | SAST | SAST tool is not run on all commits -- score normalized to 0 | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#sast |
| 0 / 10 | Security-Policy | security policy file not detected | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#security-policy |
| 0 / 10 | Signed-Releases | 0 out of 2 artifacts are signed -- score normalized to 0 | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#signed-releases |
| 0 / 10 | Token-Permissions | non read-only tokens detected in GitHub workflows | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#token-permissions |
| 10 / 10 | Vulnerabilities | no vulnerabilities detected | https://github.com/ossf/scorecard/blob/54f1429eaa39592e61201497b108176aa2e545cc/docs/checks.md#vulnerabilities |
@behnazh behnazh added enhancement New feature or request security Security related features or bugs labels Nov 1, 2021
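The two workflow-related findings in the table above, Token-Permissions (non read-only tokens in GitHub workflows) and Pinned-Dependencies (actions not pinned by hash), are the ones a maintainer can fix entirely inside `.github/workflows/`. As an added example that is not part of this issue, the cookiecutter, or Scorecard's own code, the script below approximates those two checks over a constructed "weak" workflow and a constructed "hardened" version of it, so the reader can see exactly which lines trip each check. It parses the workflow line by line rather than as full YAML, which is a deliberate simplification; the real Scorecard check also inspects job-level `permissions:` blocks and other dependency kinds (Dockerfile `FROM`, `pip install`, `npm install`, and so on). The 40-hex commit SHAs in the hardened sample are placeholders, not real commits of `actions/checkout` or `actions/setup-python`.

```python
import re
from dataclasses import dataclass

# Constructed sample (not a real workflow from the repo): shows the two weaknesses
# Scorecard reported -- actions pinned only to mutable tags, and a write-capable
# GITHUB_TOKEN granted at workflow level.
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: "3.9"
      - run: make test
"""

# Constructed sample with both findings remediated. The SHAs are placeholders
# (arbitrary hex), NOT real commits of those actions; pin to the commit behind the
# tag you actually want and keep the tag in the trailing comment for readability.
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions: read-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v2.4.0
      - uses: actions/setup-python@89abcdef0123456789abcdef0123456789abcdef  # v2.3.1
        with:
          python-version: "3.9"
      - run: make test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")   # `- uses: owner/repo@ref`
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                 # full git commit SHA
WRITE_SCOPES = ("write", "write-all")


@dataclass
class Finding:
    line: int      # 1-based line in the workflow text (0 = whole file)
    check: str     # Scorecard check name this finding approximates
    detail: str


def unpinned_actions(workflow_text):
    """Pinned-Dependencies (approximation): every `uses:` must reference a full
    commit SHA. A tag or branch can be moved by the action's maintainers (or an
    attacker who compromises them), so it is not an immutable pin. Local actions
    (./path) and docker:// references are skipped here."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(Finding(n, "Pinned-Dependencies", f"{ref}: no ref at all"))
            continue
        _, _, version = ref.rpartition("@")
        if not SHA_RE.match(version):
            findings.append(Finding(n, "Pinned-Dependencies",
                                    f"{ref}: pinned to mutable ref {version!r}, not a commit SHA"))
    return findings


def token_permissions(workflow_text):
    """Token-Permissions (approximation): the workflow-level `permissions:` key
    must exist and grant no write scope. A missing key leaves the repository
    default for GITHUB_TOKEN, which may be write-capable, so that is reported too."""
    lines = workflow_text.splitlines()
    for n, line in enumerate(lines, 1):
        if not line.startswith("permissions:"):   # top-level key: no indentation
            continue
        value = line.split(":", 1)[1].split("#", 1)[0].strip()
        if value:                                 # scalar form: read-all / write-all / {}
            if value in WRITE_SCOPES:
                return [Finding(n, "Token-Permissions", f"workflow-level permissions is {value}")]
            return []
        findings = []                             # mapping form: scan the indented scopes
        for m, sub in enumerate(lines[n:], n + 1):
            if not sub.startswith(" "):           # end of the permissions block
                break
            scope, _, access = sub.strip().partition(":")
            if access.strip() in WRITE_SCOPES:
                findings.append(Finding(m, "Token-Permissions",
                                        f"{scope}: {access.strip()} at workflow level"))
        return findings
    return [Finding(0, "Token-Permissions",
                    "no workflow-level permissions key; GITHUB_TOKEN keeps the repository default")]


def scan(workflow_text):
    """Run both approximated checks and return all findings."""
    return unpinned_actions(workflow_text) + token_permissions(workflow_text)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {label} ==")
        for f in scan(text) or [Finding(0, "-", "no findings")]:
            print(f"  line {f.line:>2}  {f.check:<20} {f.detail}")
```

Running the script lists three findings for the weak workflow (the `contents: write` scope on line 4 and the two tag-pinned actions on lines 9 and 10) and none for the hardened one. Scorecard's own scoring is proportional (the 5 / 10 above means roughly half the dependencies it found were hash-pinned), so fixing every `uses:` line, not just some, is what moves the score to 10.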
jenstroeger (Owner) commented:
I’m in full support of this, and it looks like they provide the GitHub Action also. Looks like some of the scores only become relevant once users begin to build out this cookiecutter, though?

jenstroeger (Owner) commented:
Commit b72d1ae.
