Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ossf scorecard #1037

Merged
merged 8 commits into from
Jul 8, 2024
Merged

Add ossf scorecard #1037

merged 8 commits into from
Jul 8, 2024

Conversation

juju4
Copy link
Contributor

@juju4 juju4 commented Nov 19, 2022

You will need to create a personal access token as only apply to master/main and registration must be by project owner.
This support supply chain risk assessment and auditing.

See also
https://github.com/marketplace/actions/ossf-scorecard-action
https://github.com/ossf/scorecard#using-scorecards-1
https://securityscorecards.dev/

@achantavy
Copy link
Contributor

Hi, what does this PR try to do? If it involves using a PAT then I don't think we will be able to merge it in.

@juju4
Copy link
Contributor Author

juju4 commented Jan 7, 2023

Please read above links.
This is to give trust to users that there is limited supply chain risk.

PAT is up to maintainer to set as this can only apply to default branch.

Examples with badges from https://github.com/search?q=Scorecards+supply-chain+security&type=commits
https://github.com/PyCQA/pylint
https://github.com/pandora-analysis/pandora

Trust that this kind of news can be avoided
https://www.bleepingcomputer.com/news/security/pytorch-discloses-malicious-dependency-chain-compromise-over-holidays/

@chandanchowdhury
Copy link
Collaborator

The OSSF Scorecard is a nice to have.

This change basically is the changes following the setup steps
https://github.com/marketplace/actions/ossf-scorecard-action

We can get this MR merged and then update the image SHA256 to latest.

@chandanchowdhury
Copy link
Collaborator

Note: This CI job runs once a week against the main branch (not for every MR or branch)

@chandanchowdhury chandanchowdhury merged commit 681bf52 into cartography-cncf:master Jul 8, 2024
5 checks passed
SecPrez pushed a commit to SecPrez/cartography that referenced this pull request Nov 10, 2024
@juju4 @tmsteere
Add ossf scorecard (cartography-cncf#1037)
8556a35
chandanchowdhury pushed a commit to chandanchowdhury/cartography that referenced this pull request Nov 27, 2024
@juju4 @chandanchowdhury
Add ossf scorecard (cartography-cncf#1037)
9a44321 
Signed-off-by: chandanchowdhury <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chandanchowdhury chandanchowdhury chandanchowdhury approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@juju4 @achantavy @chandanchowdhury