ossf/scorecard

Why is stepsecurity referenced so much?

anantshri opened this issue · 3 comments

Hi Team,

I have run your tool and multiple results appear. I was under the impression this is an open project with ossf spearheading it. However, lots of the issues raised effectively ask me to give permission to step security to scan and give me results and fixes.

Earlier, step security used to show me the delta fix and I could manually copy-paste. The new interface is abstracting that away and asking for org permissions.

In light of this, do you really feel we should keep having step security as the default option in this project?

I am opening this issue to understand the logic for this tool / company being supported by this project.
Thanks in advance for answering.

Hi @anantshri, I am a co-founder of StepSecurity, and I want to understand why you think the new experience is asking for org permissions.

When a scorecard issue (for token permissions or pinning of actions) points to app.stepsecurity.io, it goes to this UI, and here you can click the link (highlighted) to go to the old experience (where you can copy the fixed workflow).

[Screenshot: Screen Shot 2024-05-04 at 2 07 41 PM]

The new experience fixes more issues (e.g. adding CodeQL, a dependabot file, etc.) using a pull request, and so reduces the steps developers need to take. Even for this experience, no org permission is asked for. The UI asks you to log in to get public data only (screenshot below). This is to ensure developers can only create PRs in repos they have already contributed to.

[Screenshot: Screen Shot 2024-05-04 at 2 12 10 PM]

So, I would love to understand why you think it needs org permissions.

Also, JFYI, over 1,200 public repos have used and increased their scorecard scores using the new PR experience, which would otherwise have taken them a lot more effort.

I can see that over 1200 repos are using your product (your website shouts about that on most pages); no disrespect to the work you are doing. However, you are a startup owner (I am a startup owner too) plugging a startup as a solution that actually sells the solution for specific conditions, and that feels like marketing to me. It's okay to do it; however, it's okay to do it in your own project, not a community project. This simple plug will result in sales for you. That's a good thing for you, but is it a good thing for the community? What about your competitors, if any? Why is an open project supporting a specific solution? Why not provide details for people to fix things themselves?

I have questions and am seeking answers to them.

As per my point on org access: I might have misworded it; I was specifically pointing to the authorization required.

"The new experience fixes more issues (e.g. adding CodeQL, dependabot file etc), using a pull request, and so reduces the steps developers need to take." Your product feedback is something I am not interested in giving; you have customers to ask for that. However, here are some simple statements.

  1. I reached your website because an open project suggested I would find a solution. You say there is an old interface, with no details of what is different between old and new. People will go for new. The new interface creates pull requests for more than what I came here for.
  2. You claim it helps developers reduce the burden. I would have to ask, if that's the case, then why are there multiple issues being raised? Instead there should just be one issue: we sponsor step-security to take care of these issues; go here and get all of them fixed in one shot.

As you can see, there is an underlying frustration in the response because I feel this is a bad view on community. There is an open project which is specifically redirecting people to a 3rd-party website, and that website keeps changing interfaces.

  1. First and foremost, the project should not be redirecting to step-security at all.
  2. If it does, the page where people land should have a consistent layout, not one being changed over time.
  3. If you truly aim to help the community, your experiments and access requests should be reserved for your customers, not for the community angle.

I will avoid further arguments or disagreements and will wait to hear from the project owner or major contributors about the reason for picking step-security. I have not seen any documentation on why step-security is in the picture, so this issue will hopefully be answered and will act as a reference going forward.

Thanks for the clarification, and I believe we are on the same page regarding permissions: the tool does not need org permissions, only access to public data.

why are there multiple issues being raised

This is how typical scanners / security tools work, to enable tracking each issue separately. Scorecard does publish remediation instructions with each issue, so that developers can fix it manually if they want to, without using automated remediation. Moreover, the StepSecurity tool (which is open source) can only remediate a subset of the issues.

W.r.t. the change in the UI experience, that was done based on feedback from the community, and was updated only after discussion and consensus in a Scorecard community call about a year ago. We have been working with Scorecard since early 2022 to help maintainers improve Scorecard scores through automation.