Add the Scorecard Action to monitor procfs' security posture
pnacht opened this issue · 2 comments
Hey, it's Pedro (see prometheus/common#490 and prometheus/prometheus#12841). I'm back with another security suggestion.
I found the issues fixed by those PRs by scanning procfs with Scorecard. It looks at a repository's settings and configurations to identify potential points of improvement in a project's security posture.
As it happens, the first issues I worked on involved workflows, which procfs pulls from /common and/or /prometheus, so I sent the PRs over there.
Scorecard is also available as a GitHub Action. It then monitors a project's security posture and populates the Security Panel with any tips it may find relevant for the project. In doing so, it can also flag whenever a code or setting change accidentally weakens the project's security.
procfs' current score is 6.8/10, which places it in the top 10% of projects important to the open-source ecosystem.
I'll write a PR implementing the Action and send it along with this issue.
If we're going to include this action, we should add it to https://github.com/prometheus/prometheus/blob/main/scripts/sync_repo_files.sh. This way it's automatically managed in all Prometheus project repos.
Sorry for the delay here, but sure thing, I'd be happy to send this to prometheus/prometheus and add it to the sync script.
I do have one question though. After one of my previous PRs, I realized there's automation keeping things in sync with prometheus/prometheus but there's also prometheus/common, which I'd understood was the container for all "common" things in prometheus projects.
Has /common been deprecated, with /prometheus now being the source-of-truth for common files?