Improve Node.js Scorecard

Question

RafaelGSS opened this issue 2 years ago · 8 comments

We need to:

Enable code-scanning in the Node.js repository by setting a scorecard.yml (nodejs/node#47254)
Fix the warnings (feel free to update this list)
- Pin actions by commit-hash (nodejs/node#46820)
  ...

Note: we can use the StepSecurity for an automated PR.

Answer 1 · 2023-03-23T11:22:18.000Z

Actually, there's already a PR for pinned actions nodejs/node#46820

Answer 2 · 2023-03-23T18:18:14.000Z

Hey @RafaelGSS, I would love to deep into this. Just a couple of questions:

The workflow should be set only in the main branch at push or we want to include also other stable branches ?
There's a specific scheduled time to run the workflow?

Answer 3 · 2023-03-24T14:24:52.000Z

The workflow should be set only in the main branch at push or we want to include also other stable branches ?

main branch

There's a specific scheduled time to run the workflow?

You can use the same as the one we use for this repo.

Answer 4 · 2023-04-02T11:13:39.000Z

I created this PR to increase the scorecard score by adding the missing dependencies: nodejs/node#47346

I'm sure that by merging this we can get very close to score 10 on the topic "Pinned-Dependencies".

Answer 5 · 2023-04-13T14:21:06.000Z

UPDATE from #945

Node.js score: 7.6 - 2023-04-08

Answer 6 · 2023-04-27T14:31:24.000Z

UPDATE from #961

Repository	Commit	Score	Date	Difference	Report Link	StepSecurity Link
nodejs/node	2ac5e98	7.3	2023-04-26T08:57:49Z	-0.3	Full Report	Fix it