
Add Security Report Handling #212

Merged
merged 7 commits into from
Jul 3, 2024

Conversation

tylertitsworth
Contributor

Description

Add an action to report security findings per release as part of the Security Development Lifecycle practices at Intel

Related Issue

MLOPS-1891

Changes Made

  • The code follows the project's coding standards.
  • No Intel Internal IP is present within the changes.
  • The documentation has been updated to reflect any changes in functionality.

Validation

TBD

  • I have tested any changes in container groups locally with test_runner.py with all existing tests passing, and I have added new tests where applicable.

@tylertitsworth tylertitsworth added the WIP Work in Progress label Jul 3, 2024
@tylertitsworth tylertitsworth self-assigned this Jul 3, 2024

github-actions bot commented Jul 3, 2024

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package: actions/actions/upload-artifact
Version: 65462800fd760344b1a7b4382951275a0abb4808
Score: 🟢 6.7

| Check | Score | Reason |
|---|---|---|
| Code-Review | 🟢 9 | Found 10/11 approved changesets -- score normalized to 9 |
| Maintained | 🟢 10 | 14 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Pinned-Dependencies | ⚠️ 1 | dependency not pinned by hash detected -- score normalized to 1 |
| SAST | 🟢 9 | SAST tool detected but not run on all commits |
| Security-Policy | 🟢 9 | security policy file detected |
| Vulnerabilities | 🟢 6 | 4 existing vulnerabilities detected |

Package: actions/rsdmike/github-security-report-action
Version: a149b24539044c92786ec39af8ba38c93496495d
Score: 🟢 6.5

| Check | Score | Reason |
|---|---|---|
| Binary-Artifacts | 🟢 9 | binaries present in source code |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration |
| CI-Tests | 🟢 10 | 29 out of 29 merged PRs checked by a CI test -- score normalized to 10 |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Code-Review | 🟢 5 | found 1 unreviewed changesets out of 2 -- score normalized to 5 |
| Contributors | 🟢 10 | 4 different organizations found -- score normalized to 10 |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Dependency-Update-Tool | 🟢 10 | update tool detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Maintained | 🟢 7 | 9 commit(s) out of 30 and 0 issue activity out of 5 found in the last 90 days -- score normalized to 7 |
| Packaging | ⚠️ -1 | no published package detected |
| Pinned-Dependencies | 🟢 9 | dependency not pinned by hash detected -- score normalized to 9 |
| SAST | 🟢 10 | SAST tool is run on all commits |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Vulnerabilities | 🟢 7 | 3 existing vulnerabilities detected |

Package: actions/step-security/harden-runner
Version: 17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
Score: 🟢 8.7

| Check | Score | Reason |
|---|---|---|
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration |
| CI-Tests | 🟢 10 | 14 out of 14 merged PRs checked by a CI test -- score normalized to 10 |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Code-Review | 🟢 10 | all changesets reviewed |
| Contributors | 🟢 6 | project has 2 contributing companies or organizations -- score normalized to 6 |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Dependency-Update-Tool | 🟢 10 | update tool detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Maintained | 🟢 10 | 19 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Pinned-Dependencies | 🟢 7 | dependency not pinned by hash detected -- score normalized to 7 |
| SAST | 🟢 10 | SAST tool is run on all commits |
| Security-Policy | 🟢 10 | security policy file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege |
| Vulnerabilities | 🟢 9 | 1 existing vulnerabilities detected |

Scanned Manifest Files

.github/workflows/security-report.yaml

@tylertitsworth tylertitsworth force-pushed the tylertitsworth/security-report branch from 7a093cc to db44d73 Compare July 3, 2024 16:45
Signed-off-by: tylertitsworth <[email protected]>
@tylertitsworth tylertitsworth force-pushed the tylertitsworth/security-report branch from db44d73 to c2d9a82 Compare July 3, 2024 16:47
@tylertitsworth tylertitsworth added the github_actions Pull requests that update GitHub Actions code label Jul 3, 2024
tylertitsworth added 3 commits July 3, 2024 11:34
Signed-off-by: tylertitsworth <[email protected]>
Signed-off-by: tylertitsworth <[email protected]>
@tylertitsworth tylertitsworth added Review and removed WIP Work in Progress labels Jul 3, 2024
@tylertitsworth tylertitsworth marked this pull request as ready for review July 3, 2024 19:11
@tylertitsworth tylertitsworth enabled auto-merge (squash) July 3, 2024 19:11
Contributor

@sramakintel sramakintel left a comment

approved

@tylertitsworth tylertitsworth disabled auto-merge July 3, 2024 23:10
@tylertitsworth tylertitsworth merged commit b9b3730 into main Jul 3, 2024
22 checks passed
@tylertitsworth tylertitsworth deleted the tylertitsworth/security-report branch July 3, 2024 23:10
sramakintel pushed a commit that referenced this pull request Jul 8, 2024
Signed-off-by: tylertitsworth <[email protected]>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Signed-off-by: Srikanth Ramakrishna <[email protected]>
sramakintel pushed a commit that referenced this pull request Jul 8, 2024
Signed-off-by: tylertitsworth <[email protected]>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Signed-off-by: Srikanth Ramakrishna <[email protected]>
dmsuehir pushed a commit that referenced this pull request Jul 12, 2024
Signed-off-by: tylertitsworth <[email protected]>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Signed-off-by: Dina Suehiro Jones <[email protected]>
Labels
github_actions Pull requests that update GitHub Actions code Review
2 participants