Closed laurentsimon closed 2 years ago
/cc @isarkis @sethvargo
@laurentsimon Thanks for bringing this up. I just ran `docker run -e GITHUB_AUTH_TOKEN=$OPENSSF_SCORECARD_GITHUB_TOKEN gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/actions-runner-controller/actions-runner-controller` to see what it finds. Currently, it reports `Aggregate score: 5.8 / 10`. My goal is to make it close enough to 10. You can expect me to submit a few PRs to address each finding!
We've managed to score 8.2 out of 10 now.
I think it's the best we can do today. Please raise another issue if you have more ideas. Thanks!
I ran the OpenSSF's scorecard on this project and found that branch protection and code reviews are not enforced.
I chatted with @josepalafox and he suggested I create this issue to start a discussion.
Given the popularity of this project and its sensitivity (access to the build pipeline, etc.), it would be beneficial to install scorecard as suggested in the workflow hardening guideline.
/cc @nebuk89