Security Best Practices
Closed this issue · 1 comments
Deleted user commented
Hi,
As a member of the Security Team from the Eclipse Foundation, we used the tools Scorecard and StepSecurity to analyze this repo in order to push a pull request that covers some or all of the following best practices:
- Apply least privilege principle to GITHUB_TOKEN
- Add or fine tune the use of Dependabot
- Pin actions to a full length commit SHA
As a result, you will see a PR coming from StepSecurity to help implement those fixes, which will cover the list of points identified below:
- Apply least privilege principle to GITHUB_TOKEN for files .github/workflows/stale.yml
- Add or fine tune the use of Dependabot
- Pin Actions to a full length commit SHA for files .github/workflows/first-interaction.yml, .github/workflows/labeler.yml, .github/workflows/stale.yml, and buildenv/docker/x86_64/ubuntu20/Dockerfile
Please don’t hesitate and reach out if there is something unclear above.
Kind Regards,
Francisco Perez
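An added illustration of what the three fixes look like side by side (a constructed stale workflow before and after, plus a dependabot.yml); this is not the StepSecurity PR and not any file from this repository, and the commit SHA and image digest are placeholders to be replaced with the real values:

```yaml
# Constructed example, not this repo's .github/workflows/stale.yml.

# BEFORE: GITHUB_TOKEN inherits the repository's default (often write-all)
# permissions, and the action is referenced by a mutable tag.
name: Stale (before)
on:
  schedule:
    - cron: "0 0 * * *"
jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@v9   # a tag can be moved to point at different code

---
# AFTER: token scoped to what actions/stale needs, and the action pinned to a
# full-length commit SHA (placeholder below). The trailing tag comment records
# the release the SHA was taken from so Dependabot can keep it updated.
name: Stale (after)
on:
  schedule:
    - cron: "0 0 * * *"
permissions:
  contents: read
  issues: write
  pull-requests: write
jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@<full-40-hex-commit-sha>  # v9

---
# .github/dependabot.yml: keeps the pinned action SHAs and the Docker base
# image current. The Dockerfile side of the pin is a digest on the FROM line,
# e.g. "FROM ubuntu:20.04@sha256:<image-digest>".
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "docker"
    directory: "/buildenv/docker/x86_64/ubuntu20"
    schedule:
      interval: "weekly"
```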
pshipton commented
This repo is a mirror of https://github.com/eclipse/omr/, we only pick up changes from there.