Improve scorecard score for scorecard repo #1618
Comments
Here is the latest release https://deps.dev/go/github.com%2Fossf%2Fscorecard%2Fv4

Sounds fun!
Local run against #1629: `./scorecard --repo=https://github.com/ossf/scorecard --show-details`

```
Starting [Maintained]
Starting [Dependency-Update-Tool]
Starting [Fuzzing]
Starting [Contributors]
Starting [CI-Tests]
Starting [Signed-Releases]
Starting [SAST]
Starting [License]
Starting [Token-Permissions]
Starting [Vulnerabilities]
Starting [CII-Best-Practices]
Starting [Code-Review]
Starting [Pinned-Dependencies]
Starting [Binary-Artifacts]
Starting [Branch-Protection]
Starting [Security-Policy]
Starting [Dangerous-Workflow]
Starting [Packaging]
Finished [Maintained]
Finished [Fuzzing]
Finished [Contributors]
Finished [CI-Tests]
Finished [Signed-Releases]
Finished [SAST]
Finished [Dependency-Update-Tool]
Finished [Token-Permissions]
Finished [Vulnerabilities]
Finished [CII-Best-Practices]
Finished [Code-Review]
Finished [Pinned-Dependencies]
Finished [License]
Finished [Branch-Protection]
Finished [Security-Policy]
Finished [Dangerous-Workflow]
Finished [Packaging]
Finished [Binary-Artifacts]

RESULTS
Aggregate score: 8.0 / 10

Check scores:
```
re: dangerous workflow. There's a false positive tracked in #1311 that @asraa is working on.

why do we need
goreleaser writes to releases (example) which needs

On another note, I think that regardless of where the artifact is published, it would be good to standardize creating a tag for the release version. So if one is trying to build from source, one can use the tag to get the right commit to build the right version. Just thinking aloud...

Thanks @varunsh-coder, I realized after posting the question that to push a release, we need

I think there are APIs to check which tag corresponds to which commit/branch. Do you think this is insufficient?
What I was thinking about might be out of scope for scorecards. Sometimes maintainers publish a release to an artifact repository, e.g. https://registry.npmjs.org, but forget to create a tag. I noticed https://www.npmjs.com/package/plaid has version 9.9.0 but no tag for that in the repo: https://github.com/plaid/plaid-node/tags. I don't think scorecards can detect this though... maybe some related project?
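The registry-version-versus-tag check described in the comment above, written out as an added example in Go (scorecard's language); it is not scorecard code and not the commenter's. It parses constructed `git ls-remote --tags` output (the commit SHAs, tag names and registry versions are made up for the example), resolves each tag to the commit a builder would actually check out, and reports published versions that have no tag at all. The handling of `v` and `release-` prefixes is an assumption about common tag naming, not something the thread states.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of `git ls-remote --tags` output for a hypothetical repo.
// Annotated tags appear twice: once as the tag object and once peeled ("^{}")
// to the commit it points at; lightweight tags appear once.
const sampleLsRemote = "1111111111111111111111111111111111111111\trefs/tags/v9.7.0\n" +
	"2222222222222222222222222222222222222222\trefs/tags/v9.8.0\n" +
	"3333333333333333333333333333333333333333\trefs/tags/v9.8.0^{}\n" +
	"4444444444444444444444444444444444444444\trefs/tags/release-9.8.1\n"

// Constructed sample of versions the package registry says are published.
// 9.9.0 deliberately has no tag, mirroring the case discussed in the thread.
var sampleRegistryVersions = []string{"9.7.0", "9.8.0", "9.8.1", "9.9.0"}

// normalizeTag strips the release-tag prefixes assumed here so that "v9.9.0"
// and "release-9.9.0" both map to the registry version "9.9.0".
func normalizeTag(tag string) string {
	for _, p := range []string{"release-", "v"} {
		if strings.HasPrefix(tag, p) {
			return strings.TrimPrefix(tag, p)
		}
	}
	return tag
}

// ParseTags turns ls-remote output into a version -> commit map. For annotated
// tags the peeled "^{}" line wins, because that is the commit a builder checks
// out; the unpeeled SHA is the tag object itself.
func ParseTags(lsRemote string) map[string]string {
	tags := map[string]string{}
	peeled := map[string]bool{}
	for _, line := range strings.Split(lsRemote, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 || !strings.HasPrefix(fields[1], "refs/tags/") {
			continue
		}
		sha, ref := fields[0], strings.TrimPrefix(fields[1], "refs/tags/")
		isPeeled := strings.HasSuffix(ref, "^{}")
		ver := normalizeTag(strings.TrimSuffix(ref, "^{}"))
		if isPeeled {
			tags[ver] = sha
			peeled[ver] = true
		} else if !peeled[ver] {
			tags[ver] = sha
		}
	}
	return tags
}

// MissingTags returns published versions with no corresponding tag, i.e.
// releases that cannot be rebuilt from source by tag alone.
func MissingTags(versions []string, tags map[string]string) []string {
	var missing []string
	for _, v := range versions {
		if _, ok := tags[v]; !ok {
			missing = append(missing, v)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	tags := ParseTags(sampleLsRemote)
	for _, v := range sampleRegistryVersions {
		if sha, ok := tags[v]; ok {
			fmt.Printf("%s -> %s\n", v, sha)
		}
	}
	fmt.Println("published without a tag:", MissingTags(sampleRegistryVersions, tags))
}
```

In a real run the two inputs would come from `git ls-remote --tags <repo>` and the registry's version list (for npm, the `versions` field of the package metadata); the parsing above is the part that is easy to get wrong, since taking the unpeeled SHA of an annotated tag gives you a tag object, not a buildable commit.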
do you think SLSA provenance is something that could address this problem? |
I think so. In this case, even if the registry owner could verify that the tag exists in the associated repo and reject the publish event if it doesn't, it would solve the problem. Maybe I can submit a request to the https://registry.npmjs.org/ owners...
For the tokens, I submitted #1787. I did notice though that the logic seems to check the yml files, but does not check the default permissions granted to GitHub Actions, so it raises issues when the top level action does not have

This is my first PR to the project so I'll go read the guidelines and be sure my submission is correct - I just happened to be fixing the same warnings in another repo.
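The permissions layout the two comments above are circling, shown as an added illustration rather than scorecard's own release workflow: the job that runs goreleaser needs write access to create the GitHub release, so that is granted at the job level while the workflow-level default stays read-only. Action versions, the Go version and the goreleaser arguments are assumptions for the example.

```yaml
name: release

on:
  push:
    tags: ["v*"]

# Workflow-level default: every job gets a read-only GITHUB_TOKEN unless it asks
# for more. If this key is omitted the token inherits the repository's default
# permission setting, which a check that only reads the workflow file cannot see.
permissions: read-all

jobs:
  release:
    runs-on: ubuntu-latest
    # Only this job is allowed to write, and only to repository contents, which
    # is what creating a release and uploading its assets requires.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3          # assumed version
        with:
          fetch-depth: 0                   # goreleaser needs the tag history
      - uses: actions/setup-go@v3          # assumed version
        with:
          go-version: "1.18"               # assumed
      - uses: goreleaser/goreleaser-action@v2   # assumed version
        with:
          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Two caveats: when a job sets its own `permissions`, every scope it does not list is dropped to none, so list everything the job needs; and the `@vN` references above are kept readable for the example, whereas scorecard's Pinned-Dependencies check expects actions to be pinned to a full commit SHA.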
Closing as we're up to a 9.7 currently. |
Describe the bug
Reproduction steps
https://deps.dev/go/github.com%2Fossf%2Fscorecard
Are these false positives? If not, please fix. Also, for false positives, is there any easy way to add exceptions/ignore-lists? [This is important as these workflow issues probably happen on other critical repos as well.]
Expected behavior
10/10 score for scorecard repo.