
OSSF scan improvements #4722

Open
patrick-stephens opened this issue Jan 31, 2022 · 1 comment

Comments

@patrick-stephens
Contributor

Is your feature request related to a problem? Please describe.

The OSSF tooling to check supply chain security is identifying a few areas to improve, namely:

$ docker run -e GITHUB_AUTH_TOKEN=XXX --rm -it gcr.io/openssf/scorecard --repo https://github.com/fluent/fluent-bit
Starting [Dangerous-Workflow]
Starting [CII-Best-Practices]
Starting [Dependency-Update-Tool]
Starting [Maintained]
Starting [Code-Review]
Starting [Pinned-Dependencies]
Starting [Vulnerabilities]
Starting [Fuzzing]
Starting [SAST]
Starting [Contributors]
Starting [Token-Permissions]
Starting [Binary-Artifacts]
Starting [Signed-Releases]
Starting [Branch-Protection]
Starting [Security-Policy]
Starting [CI-Tests]
Starting [License]
Starting [Packaging]
Finished [Maintained]
Finished [Dangerous-Workflow]
Finished [CII-Best-Practices]
Finished [Dependency-Update-Tool]
Finished [SAST]
Finished [Contributors]
Finished [Token-Permissions]
Finished [Binary-Artifacts]
Finished [Code-Review]
Finished [Pinned-Dependencies]
Finished [Vulnerabilities]
Finished [Fuzzing]
Finished [Signed-Releases]
Finished [Security-Policy]
Finished [Branch-Protection]
Finished [Packaging]
Finished [CI-Tests]
Finished [License]

RESULTS
-------
Aggregate score: 6.9 / 10

Check scores:
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |                                               DOCUMENTATION/REMEDIATION                                               |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10  | Binary-Artifacts       | binaries present in source     | https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/docs/checks.md#binary-artifacts       |
|         |                        | code                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 8 / 10  | Branch-Protection      | branch protection is not       | https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/docs/checks.md#branch-protection      |
|         |                        | maximal on development and all |                                                                                                                       |
|         |                        | release branches               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | CI-Tests               | 4 out of 4 merged PRs          | https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/docs/checks.md#ci-tests               |
|         |                        | checked by a CI test -- score  |                                                                                                                       |
|         |                        | normalized to 10               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | CII-Best-Practices     | no badge detected              | https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/docs/checks.md#cii-best-practices     |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Code-Review            | no reviews detected            | https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/docs/checks.md#code-review            |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors           | 30 different companies found   | https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/docs/checks.md#contributors           |
|         |                        | -- score normalized to 10      |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/docs/checks.md#dangerous-workflow     |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected           | https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Fuzzing                | project is fuzzed in OSS-Fuzz  | https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/docs/checks.md#fuzzing                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License                | license file detected          | https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/docs/checks.md#license                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained             | 30 commit(s) out of 30 and 8   | https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/docs/checks.md#maintained             |
|         |                        | issue activity out of 30 found |                                                                                                                       |
|         |                        | in the last 90 days -- score   |                                                                                                                       |
|         |                        | normalized to 10               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Packaging              | publishing workflow detected   | https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/docs/checks.md#packaging              |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Pinned-Dependencies    | dependency not pinned by hash  | https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/docs/checks.md#pinned-dependencies    |
|         |                        | detected -- score normalized   |                                                                                                                       |
|         |                        | to 0                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | SAST                   | SAST tool is not run on all    | https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/docs/checks.md#sast                   |
|         |                        | commits -- score normalized to |                                                                                                                       |
|         |                        | 0                              |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Security-Policy        | security policy file detected  | https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/docs/checks.md#security-policy        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Signed-Releases        | no releases found              | https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/docs/checks.md#signed-releases        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Token-Permissions      | non read-only tokens detected  | https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/docs/checks.md#token-permissions      |
|         |                        | in GitHub workflows            |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities        | no vulnerabilities detected    | https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/docs/checks.md#vulnerabilities        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|

Describe the solution you'd like
Improve our scoring in these areas plus integrate with CI.
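One way to act on the table above from CI, as an added example that is not part of this issue or of the scorecard project: parse the fixed-width results table that scorecard printed and fail the job when any scored check falls below a policy minimum. The sample input below is a constructed subset of the rows from the issue, chosen to cover a wrapped REASON cell and the `?` score that Signed-Releases received. The threshold of 7 is an assumed policy value, and the function names (`parse_scorecard_table`, `failing_checks`, `ci_gate`) are this example's own. In a real pipeline, scorecard's machine-readable JSON output is a better input than screen-scraping the text table; the parser here is for the format shown in the issue.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample (assumption): a subset of the rows from the scorecard table in
# the issue, covering a wrapped REASON cell and the '?' score for Signed-Releases.
SAMPLE_TABLE = """\
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |                                               DOCUMENTATION/REMEDIATION                                               |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10  | Binary-Artifacts       | binaries present in source     | https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/docs/checks.md#binary-artifacts       |
|         |                        | code                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Pinned-Dependencies    | dependency not pinned by hash  | https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/docs/checks.md#pinned-dependencies    |
|         |                        | detected -- score normalized   |                                                                                                                       |
|         |                        | to 0                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Signed-Releases        | no releases found              | https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/docs/checks.md#signed-releases        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Token-Permissions      | non read-only tokens detected  | https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/docs/checks.md#token-permissions      |
|         |                        | in GitHub workflows            |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
"""


@dataclass
class CheckResult:
    name: str
    score: Optional[int]  # None when scorecard prints '?' (e.g. "no releases found")
    reason: str
    doc: str


SCORE_RE = re.compile(r"^(\d+)\s*/\s*10$")


def parse_scorecard_table(text: str) -> list[CheckResult]:
    """Parse the fixed-width '| SCORE | NAME | REASON | DOC |' table scorecard prints.

    Separator rows (all dashes) and the header row are skipped. Rows whose NAME
    cell is empty are continuation lines of the previous check's wrapped REASON.
    """
    results: list[CheckResult] = []
    current: Optional[CheckResult] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue  # "RESULTS", "Aggregate score: ..." and similar are not table rows
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4:
            continue
        if all(c and set(c) == {"-"} for c in cells):
            continue  # separator row
        score_cell, name, reason, doc = cells
        if score_cell == "SCORE":
            continue  # header row
        if name:
            m = SCORE_RE.match(score_cell)
            score = int(m.group(1)) if m else None  # '?' or anything unparseable -> None
            current = CheckResult(name=name, score=score, reason=reason, doc=doc)
            results.append(current)
        elif current is not None and reason:
            current.reason = f"{current.reason} {reason}"  # re-join the wrapped cell
    return results


def failing_checks(results: list[CheckResult], minimum: int) -> list[CheckResult]:
    """Scored checks below the policy minimum; inconclusive '?' checks are excluded."""
    return [r for r in results if r.score is not None and r.score < minimum]


def inconclusive_checks(results: list[CheckResult]) -> list[CheckResult]:
    """Checks scorecard could not score; surface them rather than silently passing."""
    return [r for r in results if r.score is None]


def ci_gate(text: str, minimum: int = 7) -> int:
    """Exit-code style verdict: 0 if every scored check meets `minimum`, else 1.

    The default threshold of 7 is an assumed policy value, not one scorecard defines.
    """
    results = parse_scorecard_table(text)
    failing = failing_checks(results, minimum)
    for r in failing:
        print(f"FAIL {r.name}: {r.score}/10 - {r.reason} (see {r.doc})")
    for r in inconclusive_checks(results):
        print(f"WARN {r.name}: not scored - {r.reason}")
    return 1 if failing else 0


if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_TABLE))
```

Run against the sample, the gate reports Pinned-Dependencies and Token-Permissions as failures (both scored 0 in the issue), warns about the unscored Signed-Releases check instead of ignoring it, and exits non-zero so the CI job fails. Keeping inconclusive checks visible matters: a `?` is not a pass, and a gate that only looks at numeric scores would hide it.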

@github-actions
Contributor

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days. Maintainers can add the exempt-stale label.
