Feature: better remediation steps #1850
Comments
Adding more details to the above options:
@zwass since you originally requested this, please share insights on what would work best for you/ ideas to improve these options. |
|
@varunsh-coder for (1), do you already have an API we could use now? (app.stepsecurity.io/secureworkflows?q=xxx)? |
Not yet. I will create a work item for it. It should be doable in a few days time. I will get back once it is implemented. |
|
Fyi, that's where we create the markdown https://github.com/ossf/scorecard/blob/main/pkg/sarif.go#L397. Feel free to try things it and see what looks best to embed the link. |
|
we could also add it in https://github.com/ossf/scorecard/blob/main/pkg/sarif.go#L436 which is closer to the code highlighted by GitHub in the dashboard |
|
Support for point 1 has been added. The format of the website is https://app.stepsecurity.io/secureworkflow/:owner/:repo/:workflowname/:branch Here are couple of examples: After the page loads with the fixed workflow, the user can uncheck options and click "secure workflow" button to change options. Let me know if there is feedback, I can change the inputs/ outputs as required. For points 2 and 3, I believe this support does not exist as of now, as per issue github/codeql-action#1043. We could still place fixed workflow in the SARIF output to see how it looks. |
|
Looks great. Since this is for token permissions and pinning, could we disable the hardened runner for this use case? Maybe via a a |
Yes, that should be easy to do. Will implement and get back. |
This is done. The format is https://app.stepsecurity.io/secureworkflow/:owner/:repo/:workflowname/:branch?enable=permissions,pin Here are couple of examples: For completeness, if someone wanted to all add If the workflow cannot be fetched, because path is wrong, or it is a private repo, an error message is shown. Let me know if there is other feedback. |
|
LGTM. How would you you like to proceed? Do you want to take a stab at the UI for the Action (#1850 (comment) and #1850 (comment)) or you'd like us to look into it? It would be great if we could have this for the next Action release, which is almost there ossf/scorecard-action#97 |
@laurentsimon would be great if you or another maintainer can integrate it. w.r.t the options, both look good. Having it display closer to the code #1850 (comment)) will show the developer that there is an easy way to solve it, which should increase fix rate. |
|
OK, tracked in ossf/scorecard-action#97 |
|
One of the users got redirected to app.stepsecurity.io, but it was a no-op for them. Here is the link they got: What is the expectation in this case? As part of the fix, should app.stepsecurity.io re-organize the permissions and move the |
I think that would be great, yes. |
|
I wanted to share some updates on automated remediations. https://github.com/step-security/secure-workflows now
Both these fixes increase the Scorecard score. Each option is optional, and the UI shows which improves the Scorecard score. Instead of fixing one file at a time, there is an option to scan all files in the repo for remediations and apply them together using a PR. PR is created using a fork, and no App installation is needed. Shortly, the following remediations will be added:
Please let me know if there is any feedback or questions. Thanks! |
|
This issue is stale because it has been open for 60 days with no activity. |
|
This issue is stale because it has been open for 60 days with no activity. |
It's pretty hard for a user to remediate some of the results:
We should try to do better. Some thoughts:
Starting with option (1) may be the easiest to start with.
/cc @varunsh-coder
The text was updated successfully, but these errors were encountered: