Improve Node.js Scorecard
RafaelGSS opened this issue · 8 comments
Reference: https://github.com/nodejs/security-wg/blob/main/tools/ossf_scorecard/report.md
We need to:
- Enable code-scanning in the Node.js repository by setting a scorecard.yml (nodejs/node#47254)
- Fix the warnings (feel free to update this list)
- Pin actions by commit-hash (nodejs/node#46820)
...
> Pin actions by commit-hash (nodejs/node#46820)

Note: we can use StepSecurity for an automated PR.
Actually, there's already a PR for pinned actions: nodejs/node#46820.
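As an added example (not code from nodejs/node, the security-wg repository, or StepSecurity), here is a small Node.js script that performs the GitHub Actions portion of the Scorecard "Pinned-Dependencies" check that the PR above addresses: it flags every `uses:` reference in a workflow that points at a tag or branch instead of a full 40-hex commit SHA. The workflow text is constructed for the example, and the all-zero SHA in it is a placeholder of the right shape, not a real commit of any action.

```javascript
// Added example: a minimal checker for the "Pinned-Dependencies" rule as it
// applies to GitHub Actions `uses:` lines. A tag such as v3 is mutable and can
// be moved to different code after review; a full commit SHA cannot.

const SHA_RE = /^[0-9a-f]{40}$/;

/**
 * Extract `uses:` references from workflow YAML text with a regex (no YAML
 * library, so it runs offline with plain Node.js).
 * Returns one record per reference: { line, action, ref, pinned }.
 */
function checkWorkflowPins(yamlText) {
  const results = [];
  yamlText.split('\n').forEach((raw, idx) => {
    // Drop a trailing comment such as `# v3.6.0` that SHA-pinning tools leave
    // behind for humans, then match `uses: owner/repo@ref` (quotes optional).
    const noComment = raw.replace(/#.*$/, '');
    const m = noComment.match(/^\s*-?\s*uses:\s*["']?([^@\s"']+)(?:@([^\s"']+))?/);
    if (!m) return;
    const action = m[1];
    const ref = m[2] === undefined ? null : m[2];
    // Local (./path) and docker:// references have no commit SHA to pin to;
    // report them, but do not count them as unpinned.
    const local = action.startsWith('./') || action.startsWith('docker://');
    results.push({
      line: idx + 1,
      action,
      ref,
      pinned: local || (ref !== null && SHA_RE.test(ref)),
    });
  });
  return results;
}

/** Only the references that would cost Scorecard points. */
function unpinnedUses(yamlText) {
  return checkWorkflowPins(yamlText).filter((r) => !r.pinned);
}

// Constructed sample workflow (not a real nodejs/node file). The 40-zero SHA
// is a placeholder with the correct shape, not a real actions/setup-node commit.
const SAMPLE_WORKFLOW = `
name: scorecard
on:
  push:
    branches: [main]
  schedule:
    - cron: '0 0 * * 1'
jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v3.6.0
      - uses: ./.github/actions/local-step
      - name: Upload
        uses: github/codeql-action/upload-sarif@main
`;

// Stand-alone run: print the findings a pinning PR would need to fix.
for (const r of unpinnedUses(SAMPLE_WORKFLOW)) {
  console.log(`line ${r.line}: ${r.action}@${r.ref} is not pinned to a commit SHA`);
}
```

Running it on the sample reports `actions/checkout@v3` and `github/codeql-action/upload-sarif@main`; the SHA-pinned `actions/setup-node` step passes, and the trailing `# v3.6.0` comment is the convention that keeps a pinned reference readable while the SHA, not the tag, is what the runner fetches.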
Hey @RafaelGSS, I would love to dig into this. Just a couple of questions:
- Should the workflow run only on push to the main branch, or do we want to include the other stable branches as well?
- Is there a specific scheduled time to run the workflow?
> Should the workflow run only on push to the main branch, or do we want to include the other stable branches as well?

`main` branch

> Is there a specific scheduled time to run the workflow?

You can use the same as the one we use for this repo.
I created this PR to increase the scorecard score by adding the missing dependencies: nodejs/node#47346
I'm sure that by merging this we can get very close to score 10 on the topic "Pinned-Dependencies".
UPDATE from #961
Repository | Commit | Score | Date | Difference | Report Link | StepSecurity Link |
---|---|---|---|---|---|---|
nodejs/node | 2ac5e98 | 7.3 | 2023-04-26T08:57:49Z | -0.3 | Full Report | Fix it |