Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump OSSF score above 9.0 ⬆️ #694

Open
2 tasks
JamieSlome opened this issue Aug 15, 2024 · 10 comments
Open
2 tasks

Bump OSSF score above 9.0 ⬆️ #694

JamieSlome opened this issue Aug 15, 2024 · 10 comments
Assignees
Labels
citi-hackathon Related to the Citi India Hackathon (Oct '24) hacktoberfest

Comments

@JamieSlome
Copy link
Member

@rvema contributed the OSSF Scorecard to the repository in #676. If possible, it would be great to drive the score about 9.0 to ensure we excel at meeting OSSF's security standards👍

Tasks

@JamieSlome
Copy link
Member Author

@rvema - pinned dependencies is one of them. Do you want to take this task on?

@rvema
Copy link
Contributor

rvema commented Aug 15, 2024

@rvema - pinned dependencies is one of them. Do you want to take this task on?

For sure, let me take a look and work on it

@coderhs
Copy link

coderhs commented Oct 3, 2024

@JamieSlome I would like to try working on this issue for hactoberfest.

Should we send one PR per item being addressed. Like I saw here (https://scorecard.dev/viewer/?uri=github.com/finos/git-proxy) there is a vulnerability that can be fixed by upgrading the page body-parser to 1.20.3 should that be a single a PR.

@JamieSlome
Copy link
Member Author

@coderhs - sure, thank you for volunteering 👍

Are we able to do in a single PR?

@JamieSlome JamieSlome assigned coderhs and unassigned rvema Oct 3, 2024
@coderhs
Copy link

coderhs commented Oct 3, 2024

Perhaps we can do per action item as reported. Referring to the list here: https://scorecard.dev/viewer/?uri=github.com/finos/git-proxy

image

I am not sure if we can go above 9, but with each PR we should be getting closer.

@coderhs
Copy link

coderhs commented Oct 4, 2024

@JamieSlome I have to step back from this, i thought it would be a small thing to do but it seems some of the concerns are with express.js itself that I don't think me without more experience in the project should be upgrading them. Kindly unassing this from me so someone else can pick it up.

I could send a PR for the body-parser that i upgraded if needed.

@JamieSlome JamieSlome added the citi-hackathon Related to the Citi India Hackathon (Oct '24) label Oct 22, 2024
@laukik-target
Copy link
Contributor

@JamieSlome Please assign it to me. I will take this up.

@JamieSlome
Copy link
Member Author

@laukik-target - all yours ❤️

@laukik-target
Copy link
Contributor

@JamieSlome Can you please review the above PR?

I would be pushing more PRs to cross-score 9.0. Targeting High Priority items from the OSSF Scorecard first.

@Sabarivasan-Velayutham
Copy link

@JamieSlome Can you please review the above PR?

I have made changes to branch protection by using the classic token which gave a significant increase in OSSF Score.

image

As you can see, I have improved the score for branch protection in OSSF Scorecard.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
citi-hackathon Related to the Citi India Hackathon (Oct '24) hacktoberfest
Projects
None yet
Development

No branches or pull requests

5 participants