setup OSSF Scorecard workflow #1432
Hey 👋 -- thanks for the contribution. Could you provide details about the OSSF Scorecard and why we want to maintain it? Please assume I have no knowledge about what it is 😬
OSSF is the Open Source Security Foundation. The workflow is here to create a report that will help maintainers reduce security risk on their project with advice. See the badge I added in the description.
I was taking a look at the report provided by the badge, and I'm not sure I understood why we got 0 with Token-Permissions. I don't guarantee that all permissions were configured following the least-privilege principle, but I'm pretty sure most of them are needed. Do we need to configure exceptions somewhere?
This PR is also making changes to the Dockerfile, which doesn't seem related to the OSSF Scorecard; could we split it into a separate PR? It could make the merge process faster, at least for the Dockerfile changes.
It is related, as OSSF asks for dependencies to use pinned versions for Docker as for github-actions. I'm fine seeing this in a following PR.
Yeah, I imagine that would be the reason :P I just meant that the changes for the Dockerfile we could merge without problems already, so opening a separate PR would unblock this. For the OSSF Scorecard, I'm still struggling to understand why we got a 0 score for GitHub Actions that need those permissions to run. I couldn't find ways to add exceptions for those checks 🤔
@mmorel-35 Are there any quick wins that we could fix before putting this in the README?
Maybe change permissions on the workflows?
Signed-off-by: Matthieu MOREL <[email protected]>
@kakkoyun, when I updated them on my fork things got better: mmorel-35#58
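To make the permissions and pinning discussion above concrete, here is an added example (not this PR's own diff) of the two workflow shapes Scorecard's Token-Permissions and Pinned-Dependencies checks distinguish: a job-level `permissions` block overrides the top-level default, so write scope can be granted only where it is needed. `<FULL-COMMIT-SHA>` is a placeholder for the commit hash of the tag you verified, and `make test`/`make release` are assumed build targets.

```yaml
# Before: no top-level `permissions`, so GITHUB_TOKEN gets the repository's
# default scope (frequently read/write on everything), and the action is
# pinned only to a mutable tag that can be moved to different code later.
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: make test   # assumed build target
---
# After: read-only token by default for every job, write scope granted only to
# the one job that needs it, and the action pinned to an immutable commit SHA
# (the tag stays in a comment so tooling and humans can see what it maps to).
name: ci
on: [push, pull_request]
permissions: read-all            # default for all jobs in this workflow
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # <FULL-COMMIT-SHA> is a placeholder; pin to the hash of the verified tag
      - uses: actions/checkout@<FULL-COMMIT-SHA> # v3
      - run: make test   # assumed build target
  release:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write              # only this job may create releases
    steps:
      - uses: actions/checkout@<FULL-COMMIT-SHA> # v3
      - run: make release   # assumed build target
```

A job that declares no `permissions` of its own inherits the top-level `read-all`, which is what lets the check pass without adding per-check exceptions.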
Signed-off-by: Matthieu MOREL <[email protected]>
Signed-off-by: Eugene <[email protected]>
Also pin github-actions versions
Signed-off-by: Matthieu MOREL <[email protected]>