Change in Dangerous-Workflow and Token-Permissions scores for repos with no workflows #3205
Comments
Just out of curiosity I wonder if it was caught by the "golden testing" test suite? If so it's really cool.
I feel that an Inconclusive Result makes more sense for GitHub repos, and also that Structured Results may make this clearer: would we have a separate finding for "no GitHub actions being found"? I don't think that's a relevant finding, for example, for a repo that's very small and has no CI set up at all, because there's nothing security-actionable about it.
It was done via some manual diffing (
I'm imagining someone running a check then having a policy/attestor trying to confirm: "does the repo have dangerous workflows". For a repo with no workflows I would expect that policy to pass. I'm not sure inconclusive would allow us to say that. From the docs: "The highest score is awarded when all workflows avoid the dangerous code patterns."
agreed. But possibly something more generic like
The scoring logic is in
An interesting perspective is that having As an example, a project without any GitHub workflows would receive a higher punishment for having Binary Artifacts (just a high risk check as example) than a project that has workflows. It's not clear to me if that makes sense or not.
Do you mean help you to work on this issue? If so, I don't actually think this needs to be worked on.
+1 good point.
We say the score is "0..10", so "-1" doesn't make sense. I'm fine with "-1" as a sentinel, indicating an issue, but if you're actually averaging the -1 in that's a problem.
Some folks aren't using GitHub Actions... how do we want to "score" those CI systems? For example, if I'm using always-hacked-free-CI-provider to build my releases, can I end up with a better score than using GitHub actions with some poor implementation choices? (For example https://github.com/knative/serving uses both actions and Prow from Kubernetes) We currently support detecting only one pipeline, but it seems like we might want to incorporate the GitHub actions risk into the larger CI scoring value as reductions to the CI score, rather than a separate weight.
hi, was there an agreement to this discussion? i'm looking into #2158 if
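The two comments above raise the same aggregation question from different angles: a "-1" sentinel must never be averaged into a 0..10 score, and once inconclusive checks are dropped from the average, the remaining checks (such as Binary Artifacts) carry relatively more weight for a repo with no workflows. The Go snippet below is an added illustration, not Scorecard's own code; the check weights and the two sample repos are constructed for the demonstration, and the sentinel value -1 is assumed from the thread rather than copied from the project.

```go
package main

import "fmt"

// InconclusiveResultScore is the sentinel for a check that could not reach a
// conclusion (the "-1" discussed in the thread). Assumed value, not the
// project's own constant.
const InconclusiveResultScore = -1

// CheckResult is a simplified stand-in for one check's outcome.
type CheckResult struct {
	Name   string
	Score  int     // 0..10, or InconclusiveResultScore
	Weight float64 // risk weight; hypothetical values in SampleRepos
}

// NaiveAggregate averages every score, sentinel included. This is the mistake
// the comment warns about: the result can leave the 0..10 range entirely.
func NaiveAggregate(results []CheckResult) float64 {
	var num, den float64
	for _, r := range results {
		num += float64(r.Score) * r.Weight
		den += r.Weight
	}
	if den == 0 {
		return 0
	}
	return num / den
}

// Aggregate excludes inconclusive checks from both numerator and denominator,
// so the sentinel never leaks into the score. The bool is false when every
// check was inconclusive and no aggregate can be formed.
func Aggregate(results []CheckResult) (float64, bool) {
	var num, den float64
	for _, r := range results {
		if r.Score == InconclusiveResultScore {
			continue // not evidence either way; leave it out
		}
		num += float64(r.Score) * r.Weight
		den += r.Weight
	}
	if den == 0 {
		return 0, false
	}
	return num / den, true
}

// SampleRepos returns two constructed repos with the same Binary-Artifacts
// finding: one with no workflows (workflow checks inconclusive) and one whose
// workflows score 10. Weights are hypothetical.
func SampleRepos() (noWorkflows, withWorkflows []CheckResult) {
	noWorkflows = []CheckResult{
		{Name: "Binary-Artifacts", Score: 0, Weight: 7.5},
		{Name: "Dangerous-Workflow", Score: InconclusiveResultScore, Weight: 10},
		{Name: "Token-Permissions", Score: InconclusiveResultScore, Weight: 7.5},
	}
	withWorkflows = []CheckResult{
		{Name: "Binary-Artifacts", Score: 0, Weight: 7.5},
		{Name: "Dangerous-Workflow", Score: 10, Weight: 10},
		{Name: "Token-Permissions", Score: 10, Weight: 7.5},
	}
	return noWorkflows, withWorkflows
}

func main() {
	a, b := SampleRepos()
	fmt.Printf("naive, no workflows:   %.2f (sentinel leaked in)\n", NaiveAggregate(a))
	sa, _ := Aggregate(a)
	sb, _ := Aggregate(b)
	fmt.Printf("excluded, no workflows: %.2f\n", sa)
	fmt.Printf("excluded, workflows:    %.2f\n", sb)
}
```

Running it shows the naive average going negative for the no-workflow repo, and, with inconclusive checks excluded, the same Binary-Artifacts finding dragging that repo to 0 while the repo with clean workflows lands at 7: the "higher punishment" effect described above, produced purely by which checks remain in the denominator.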
Yes,
So I think it boils down to if we have enough data to make a decision. There are no repo files, true, but I think that gives us enough data to say there are no problems with the workflows/tokens since there can't be problems with what doesn't exist.
Scorecard as a whole focuses on the native CI system, so this is a much bigger question.
Nothing unanimous yet.
Closing due to lack of consensus combined with the small impact of the decision. We can always revisit if needed.
Describe the bug
GitHub repos without any workflows receive an inconclusive score for Dangerous-Workflow and Token-Permissions.
Reproduction steps
Steps to reproduce the behavior:
go run main.go --repo github.com/9fans/plan9port --checks Token-Permissions
Expected behavior
I think there's some debate if this should be inconclusive or a 10.
Additional context
This was introduced in #2821, and it makes sense in the context of GitLab repos. But I don't think the change was intentional for GitHub repos.