Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable OpenSSF Scorecard to enhance security practices across the project #1592

Open
harshitasao opened this issue Jul 8, 2024 · 3 comments · May be fixed by knative/serving#15473
Open
Assignees

Comments

@harshitasao
Copy link

Classify what kind of issue this is:
/kind feature

Description:

Hi, I'm Harshita. I’m working with CNCF and the Google Open Source Security Team for the GSoC 2024 term. We are collaborating to enhance security practices across various CNCF projects. The goal is to improve security for all CNCF projects by both using OpenSSF Scorecards and implementing its security improvements.

The Open Source Security Foundation (OpenSSF) Scorecard is a tool designed to evaluate the security posture of open-source projects. This has the Scorecard GitHub Action, which automates the process by running security checks on the GitHub repository. By integrating this Action into the repository's workflow, developers can continuously monitor the project’s security posture. The Scorecard checks cover various security best practices and provide scores for multiple categories. Some checks include Code Reviews, Branch Protection, Signed Releases, etc.

The workflow runs on every change in the main branch. It publishes the Scorecard checks' results to the project's security dashboard and includes suggestions on how to solve any issues. This Action has already been adopted by 1800+ projects, with prominent users like Tensorflow, Angular, sos.dev, deps.dev, and many CNCF projects.

Once the Scorecard GitHub Action is set up and running, the results can be displayed as a badge in the repository's README file. This badge serves as a quick indicator of the project's security posture, helping users and contributors evaluate the project's security practices quickly.

Why is this needed:

The OpenSSF Scorecard improves open-source project's security by providing automated, transparent assessments of their security practices. It will help you identify vulnerabilities, adhere to best practices, and continuously enhance your security posture, increasing user trust and reducing the risk of security exploits.

I'll be the one to create the PR to add the scorecard GitHub action, and I will also work with you to remediate the identified vulnerabilities. I'll go through each scorecard check to see where the score has dropped and how it can be improved.

Would you be interested in a PR which adds this Action?

/cc @joycebrum @diogoteles08 @pnacht @nate-double-u

@dprotaso dprotaso transferred this issue from knative/serving Jul 8, 2024
Copy link

knative-prow bot commented Jul 8, 2024

@harshitasao: The label(s) kind/feature cannot be applied, because the repository doesn't have them.

In response to this:

Classify what kind of issue this is:
/kind feature

Description:

Hi, I'm Harshita. I’m working with CNCF and the Google Open Source Security Team for the GSoC 2024 term. We are collaborating to enhance security practices across various CNCF projects. The goal is to improve security for all CNCF projects by both using OpenSSF Scorecards and implementing its security improvements.

The Open Source Security Foundation (OpenSSF) Scorecard is a tool designed to evaluate the security posture of open-source projects. This has the Scorecard GitHub Action, which automates the process by running security checks on the GitHub repository. By integrating this Action into the repository's workflow, developers can continuously monitor the project’s security posture. The Scorecard checks cover various security best practices and provide scores for multiple categories. Some checks include Code Reviews, Branch Protection, Signed Releases, etc.

The workflow runs on every change in the main branch. It publishes the Scorecard checks' results to the project's security dashboard and includes suggestions on how to solve any issues. This Action has already been adopted by 1800+ projects, with prominent users like Tensorflow, Angular, sos.dev, deps.dev, and many CNCF projects.

Once the Scorecard GitHub Action is set up and running, the results can be displayed as a badge in the repository's README file. This badge serves as a quick indicator of the project's security posture, helping users and contributors evaluate the project's security practices quickly.

Why is this needed:

The OpenSSF Scorecard improves open-source project's security by providing automated, transparent assessments of their security practices. It will help you identify vulnerabilities, adhere to best practices, and continuously enhance your security posture, increasing user trust and reducing the risk of security exploits.

I'll be the one to create the PR to add the scorecard GitHub action, and I will also work with you to remediate the identified vulnerabilities. I'll go through each scorecard check to see where the score has dropped and how it can be improved.

Would you be interested in a PR which adds this Action?

/cc @joycebrum @diogoteles08 @pnacht @nate-double-u

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@dprotaso
Copy link
Member

dprotaso commented Jul 8, 2024

transferred to the community repo - probably worth discussing more generally with @evankanderson and @davidhadas who run the security wg group

@davidhadas
Copy link
Contributor

@harshitasao hi,
As a first impression - Sounds good!!

I will spend some more time learning about the checks later.
I assume a project may have some flexibility in tuning which checks are made etc. This may be needed for the security score to make sense.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants