Improve security practices
sripwoud opened this issue · 2 comments
sripwoud commented
See https://discord.com/channels/943612659163602974/1006997078259552346/1237782683229356173 (PSE internal discord).
Here are the scorecard results of the semaphore repo: 4.3/10 (scorecard.txt)
I don't think the goal is to get a 10/10.
But there are probably some quick wins we can implement like:
- Improve branch protection rules
- Add a dependency update/scan tool bot
I like using socket-security on some of my repos - Pin some dependencies by hash
- Add a security policy file
- Restrict GH workflow tokens permissions
- Address existing vulnerabilities
See links in report for more explanation and mitigations