Bring CLOMonitor Score to 100%
hernanpl opened this issue · 10 comments
This repo is signed up as part of the KubeCon Security Slam. I'm bringing to your attention the checklist from the official CLOMonitor page for K8GB -- it refreshes every hour, so it should be up-to-date.
CLOMonitor report
Summary
Repository: k8gb
URL: https://github.com/k8gb-io/k8gb
Checks sets: COMMUNITY + CODE
Score: 84
Checks passed per category
| Category | Score |
|---|---|
| Documentation | 93% |
| License | 100% |
| Best Practices | 85% |
| Security | 75% |
| Legal | 0% |
Checks
Documentation [93%]
- Adopters (docs)
- Changelog (docs)
- Code of conduct (docs)
- Contributing (docs)
- Governance (docs)
- Maintainers (docs)
- Readme (docs)
- Roadmap (docs)
- Website (docs)
License [100%]
- Apache-2.0 (docs)
- Approved license (docs)
- License scanning (docs)
Best Practices [85%]
- Analytics (docs)
- Artifact Hub badge (docs)
- Contributor License Agreement (docs) EXEMPT
- Community meeting (docs)
- Developer Certificate of Origin (docs)
- Github discussions (docs) EXEMPT
- OpenSSF badge (docs)
- Recent release (docs)
- Slack presence (docs)
Security [75%]
- Binary artifacts (docs)
- Code review (docs)
- Dangerous workflow (docs)
- Dependency update tool (docs)
- Maintained (docs)
- Software bill of materials (SBOM) (docs)
- Security policy (docs)
- Signed releases (docs)
- Token permissions (docs)
Legal [0%]
- Trademark disclaimer (docs)
For more information about the checks sets available and how each of the checks work, please see the CLOMonitor's documentation.
Hi @hernanpl, thanks a lot for creating this issue for us.
As a part of Security Slam, we heavily attacked the Security section of CLOMonitor today.
- We implemented first signed release with SBOM https://github.com/k8gb-io/k8gb/releases/tag/v0.10.0
- Fully addressed token permissions and the rest of the stepsecurity recommendations in #990
Concerns:
- Apparently Signed releases check expects the last 5 releases to be signed, but we just implemented associated mechanisms so we have only 1 latest signed release. The pipelines are configured to automatically sign all future releases but we will not be generating 4 more releases before the Security Slam deadline. Is there a chance to give us a full score here given the context?
Could you please help with addressing concerns? I believe we made good progress today and it deserves some more monitor scores :)
We #966 first signed release with SBOM
This is perfect for the security slam, where the metric is just CLOMonitor's score > 1
For an OpenSSF badge, the score will be tallied more comprehensively, but IMHO that's out of scope at the moment
It seems that something is wrong with the check as all recommendations are already in the main branch
So there are two things happening here.
The first one is that `actions: write` is currently an instant failure anywhere in a workflow. So we'll either need to remove that, or raise this as a suggested change in ossf/scorecard#2338
Secondly... I noticed that a few files don't have any permissions applied. These are also instant failures for the check.
- .github/workflows/terrascan.yaml
- .github/workflows/terratest-more-clusters.yaml
- .github/workflows/terratest.yaml
- .github/workflows/upgrade-testing.yaml
- .github/workflows/kube-linter.yaml
- .github/workflows/helm_publish.yaml
- .github/workflows/gh-pages.yaml
- .github/workflows/fossa.yml
edit: I also just noticed that release.yml has a top-level `content: write`, so we'll need to clean that as well.
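A lightweight checker for the two failure modes described in this comment (no top-level `permissions` block, and `actions: write` or a top-level `contents: write` grant), added here as an example and not part of k8gb, Scorecard or CLOMonitor. It is deliberately line-based so it needs no YAML library, and assumes the usual two-space indentation of workflow files; the three workflow texts are constructed samples.

```python
import re

# Constructed sample workflows (not k8gb's real files) covering the three cases.
MISSING_PERMS = """\
name: lint
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
"""
ACTIONS_WRITE = """\
name: release
on: [push]
permissions:
  contents: write
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      actions: write
"""
CLEAN = """\
name: ci
on: [pull_request]
permissions: read-all
jobs:
  test:
    runs-on: ubuntu-latest
"""

TOP_LEVEL_PERMS = re.compile(r"^permissions\s*:")
# The two write grants the thread flags: actions: write at any level,
# contents: write directly under the top-level permissions block.
WRITE_GRANT = re.compile(r"^(\s*)(actions|contents)\s*:\s*write\s*$")


def check_workflow(text):
    """Return findings for one workflow file's text (empty list means clean)."""
    findings = []
    lines = text.splitlines()
    if not any(TOP_LEVEL_PERMS.match(line) for line in lines):
        findings.append("no top-level permissions block (instant failure)")
    for lineno, line in enumerate(lines, 1):
        m = WRITE_GRANT.match(line)
        if m and m.group(2) == "actions":
            findings.append(f"line {lineno}: actions: write (instant failure)")
        elif m and len(m.group(1)) <= 2:  # job-level blocks sit deeper
            findings.append(f"line {lineno}: top-level contents: write")
    return findings
```

Run it over each file under `.github/workflows/` to get the same instant-failure list the Scorecard check produces, before pushing.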
@eddie-knight thanks a lot for the catch, I had an illusion that the secure-workflows tooling automatically fixed all issues for me :)
Created additional #1002
Just to note here for future reference.
The way to locally get detailed token permissions feedback:

```sh
scorecard --repo k8gb-io/k8gb --checks Token-Permissions --show-details
```
Good progress with overall local result:
```
clomonitor-linter --path ~/upstream/k8gb --url https://github.com/k8gb-io/k8gb

CLOMonitor linter results

Repository information
  Local path   /Users/xnull/upstream/k8gb
  Remote url   https://github.com/k8gb-io/k8gb
  Check sets   [Code, Community]

Score summary
  Section          Score
  Global           98
  Documentation    100
  License          100
  Best practices   100
  Security         90
  Legal            100

Checks summary (pass/fail marks lost to encoding; textual values kept)
  Check                                  Passed
  Documentation / Adopters
  Documentation / Changelog
  Documentation / Code of conduct
  Documentation / Contributing
  Documentation / Governance
  Documentation / Maintainers
  Documentation / Readme
  Documentation / Roadmap
  Documentation / Website
  License                                Apache-2.0
  License / Approved
  License / Scanning
  Best practices / Analytics             GA4
  Best practices / Artifact Hub badge
  Best practices / CLA                   Exempt
  Best practices / Community meeting
  Best practices / DCO
  Best practices / GitHub discussions    Exempt
  Best practices / OpenSSF (CII) badge
  Best practices / Recent release
  Best practices / Slack presence
  Security / Binary artifacts
  Security / Code review
  Security / Dangerous workflow
  Security / Dependency update tool
  Security / Maintained
  Security / SBOM
  Security / Security policy
  Security / Signed release
  Security / Token permissions
  Legal / Trademark disclaimer

Succeeded with a global score of 98
```
@eddie-knight #1002 was merged, I also reported ossf/scorecard#2338 (comment)
Is there anything more we can do? Really keen to score 100 :)
@ytsarev I pinged the OpenSSF Scorecard channel discussing the release, need to get that cut before it can be propagated out to CLOMonitor
Thanks a lot @eddie-knight !
Just to be sure that we are good with the evaluation, I've built the scorecard from the main branch and it looks good!

```
./scorecard --repo k8gb-io/k8gb --checks Token-Permissions --show-details
Starting [Token-Permissions]
Finished [Token-Permissions]

RESULTS
-------
Aggregate score: 10.0 / 10
```
Thank you so much for the associated PR ossf/scorecard#2367