
Introduce OpenSSF Scorecard GitHub action #574

Merged
merged 8 commits into from
Apr 16, 2023

Conversation


@Stephan202 Stephan202 commented Apr 8, 2023

Suggested commit message:

Introduce OpenSSF Scorecard GitHub action (#574)

And resolve some of the issues it identified.

See https://securityscorecards.dev

For the output, see this view. Only warnings about non-pinned dependencies remain. Those can be resolved using Renovate, IIUC, so I propose we address that separately.

@Stephan202 Stephan202 force-pushed the sschroevers/introduce-openssf-scorecard branch from 2eddcef to d95cd72 on April 8, 2023 17:37

.github/workflows/openssf-scorecard.yml

        with:
          persist-credentials: false
      - name: Run OpenSSF Scorecard analysis
        uses: ossf/[email protected]

Check warning

Code scanning / Scorecard

Pinned-Dependencies

score is 7: third-party GitHubAction not pinned by hash

.github/workflows/openssf-scorecard.yml

    runs-on: ubuntu-22.04
    steps:
      - name: Check out code
        uses: actions/[email protected]

Check warning

Code scanning / Scorecard

Pinned-Dependencies

score is 7: GitHub-owned GitHubAction not pinned by hash

jobs:
  update-pr:
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    permissions:
      actions: read
      checks: write

Check failure

Code scanning / Scorecard

Token-Permissions

score is 9: jobLevel 'checks' permission set to 'write'. Remediation tip: verify which permissions are needed and consider whether you can reduce them.

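To make the Pinned-Dependencies and Token-Permissions findings above concrete, here is an added example (not part of this PR or of the Scorecard project) that scans a constructed workflow snippet, modelled on the ones quoted in this PR, for action references that are not full commit SHAs and for `write` scopes inside a `permissions:` block. The 40-hex SHA in the sample is a placeholder, and the scan is line-oriented rather than a full YAML parse.

```python
import re

# Constructed sample modelled on the snippets in this PR; the 40-hex SHA is a placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  analysis:
    runs-on: ubuntu-22.04
    permissions:
      actions: read
      checks: write
    steps:
      - name: Check out code
        uses: actions/checkout@v3
      - name: Run OpenSSF Scorecard analysis
        uses: ossf/scorecard-action@0123456789abcdef0123456789abcdef01234567
      - name: Update GitHub's code scanning dashboard
        uses: github/codeql-action/upload-sarif@v2
"""
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)")
PERM_RE = re.compile(r"^\s*([\w-]+):\s*write\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def scan_workflow(text: str) -> list[str]:
    """Return one finding per unpinned action and per `write` permission."""
    findings, perm_indent = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        # A `permissions:` block ends when indentation returns to its level.
        if perm_indent is not None and indent <= perm_indent:
            perm_indent = None
        if line.strip() == "permissions:":  # block form; inline `read-all` is fine
            perm_indent = indent
            continue
        if perm_indent is not None:
            m = PERM_RE.match(line)
            if m:
                findings.append(f"line {lineno}: '{m.group(1)}' permission set to 'write'")
            continue
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group(2)):
            findings.append(f"line {lineno}: {m.group(1)} uses mutable ref '{m.group(2)}'")
    return findings


if __name__ == "__main__":
    for finding in scan_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Pinning to a SHA only helps if the SHA is kept current, which is the Renovate follow-up the PR author mentions.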

github-actions bot commented Apr 8, 2023

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

@PicnicSupermarket PicnicSupermarket deleted a comment from github-actions bot Apr 8, 2023
@Stephan202 Stephan202 added this to the 0.10.0 milestone Apr 8, 2023
@Stephan202 Stephan202 requested a review from rickie April 8, 2023 21:09

sonarqubecloud bot commented Apr 9, 2023

Kudos, SonarCloud Quality Gate passed!

Bug: A (0 Bugs)
Vulnerability: A (0 Vulnerabilities)
Security Hotspot: A (0 Security Hotspots)
Code Smell: A (0 Code Smells)

No Coverage information
No Duplication information


github-actions bot commented Apr 9, 2023

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

@rickie rickie added the chore A task not related to code (build, formatting, process, ...) label Apr 15, 2023
@rickie rickie force-pushed the sschroevers/introduce-openssf-scorecard branch from 2dc6ff8 to 6bfb77a on April 15, 2023 17:52

@rickie rickie left a comment (Member)

This looks so interesting! Didn't dive too deep into all the checks this has, but it sounds promising.

Nice setup, could spot only 1 tiny thing, so added a commit.

      uses: ossf/[email protected]
      with:
        results_file: results.sarif
        results_format: sarif

Member

Cool stuff! This is what was also used by the EP PR for collecting diagnostics.

      uses: github/codeql-action/[email protected]
      with:
        sarif_file: results.sarif

Member

One extra line here 👀.

Member Author

Nice eye for detail! 😄

Member

Consistency for the win 😉.

          results_format: sarif
          publish_results: ${{ github.ref == 'refs/heads/master' }}
      - name: Update GitHub's code scanning dashboard
        uses: github/codeql-action/[email protected]

Check warning

Code scanning / Scorecard

Pinned-Dependencies

score is 7: GitHub-owned GitHubAction not pinned by hash


rickie commented Apr 15, 2023

Oh btw, Monday we'll do some big upgrades to Renovate. Let's see if it picks up on the GHA dependencies again. Otherwise, we'll look into that. Pending that we can set up the pinning that it now flags 😄. So to be continued.

@rickie rickie merged commit 929f1dd into master Apr 16, 2023
@rickie rickie deleted the sschroevers/introduce-openssf-scorecard branch April 16, 2023 07:56
Labels
chore A task not related to code (build, formatting, process, ...)