nodejs/security-wg

Assessment against best practices (OpenSSF Scorecards ...)

fraxken opened this issue · 6 comments

As discussed in the last meeting (#857), I'm creating this issue to discuss and follow the evolution of this new Security-WG initiative for 2023.

The main idea is to assess how the Node.js project is positioned in regard to some security best practices. The final goal would be to collect metrics, allowing us to eventually improve security.

As a first actionable step, we discussed exploring the OpenSSF Scorecards initiative. For context, an issue about Scorecard has been opened here: #851 (there is some nice information in it). A presentation will be held in the next meeting (January 19th).

Next steps:

OSSF Scorecards

  • Enable scorecard.yml
  • Filter non-relevant repositories in the scorecard_report
  • Improve the score of all reports monitored

CII Best Practices

  • Node.js Basic Level: #954
  • Node.js Silver Level: #955
  • Node.js Gold Level: #956
  • Agree to implement in other projects (Undici, Ada..) and provide support.

Other

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.

Opened 5 PRs to increase the OpenSSF Scorecard

This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.