coconut-svsm / svsm

COCONUT-SVSM
MIT License

Enable repo security options #283

Open deeglaze opened 9 months ago

deeglaze commented 9 months ago

The Open Source Scorecard run on this repo gives the following report:

Note branch protection and unreviewed changes as the main problems.

RESULTS
-------
Aggregate score: 6.9 / 10

Check scores:
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |                                               DOCUMENTATION/REMEDIATION                                               |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts       | no binaries found in the repo  | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#binary-artifacts       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Branch-Protection      | branch protection not enabled  | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#branch-protection      |
|         |                        | on development/release         |                                                                                                                       |
|         |                        | branches                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | CI-Tests               | 13 out of 13 merged PRs        | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#ci-tests               |
|         |                        | checked by a CI test -- score  |                                                                                                                       |
|         |                        | normalized to 10               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | CII-Best-Practices     | no effort to earn an OpenSSF   | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#cii-best-practices     |
|         |                        | best practices badge detected  |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10  | Code-Review            | found 1 unreviewed changesets  | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#code-review            |
|         |                        | out of 14 -- score normalized  |                                                                                                                       |
|         |                        | to 9                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors           | project has 11 contributing    | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#contributors           |
|         |                        | companies or organizations     |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#dangerous-workflow     |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected           | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Fuzzing                | project is fuzzed              | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#fuzzing                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License                | license file detected          | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#license                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained             | 30 commit(s) and 1 issue       | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#maintained             |
|         |                        | activity found in the last 90  |                                                                                                                       |
|         |                        | days -- score normalized to 10 |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Packaging              | packaging workflow not         | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#packaging              |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Pinned-Dependencies    | dependency not pinned by hash  | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#pinned-dependencies    |
|         |                        | detected -- score normalized   |                                                                                                                       |
|         |                        | to 0                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | SAST                   | SAST tool is not run on all    | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#sast                   |
|         |                        | commits -- score normalized to |                                                                                                                       |
|         |                        | 0                              |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10  | Security-Policy        | security policy file detected  | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#security-policy        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Signed-Releases        | no releases found              | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#signed-releases        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Token-Permissions      | detected GitHub workflow       | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#token-permissions      |
|         |                        | tokens with excessive          |                                                                                                                       |
|         |                        | permissions                    |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities        | 0 existing vulnerabilities     | https://github.com/ossf/scorecard/blob/e9af90c97c2eab3b92d60c1cdfbbad3745a973b9/docs/checks.md#vulnerabilities        |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|

Repro steps:

  1. Get a GitHub personal API token and store it in $TOKEN
  2. Run
    docker run -e GITHUB_AUTH_TOKEN="${TOKEN}" gcr.io/openssf/scorecard:stable --repo=github.com/coconut-svsm/svsm
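
The repro command above prints the text table as shown; with Scorecard's `--format=json` flag it prints a JSON document instead, which is what a CI gate would consume. The script below is an added example (not code from the issue, the coconut-svsm project, or the Scorecard tool): it applies a per-check minimum-score policy to such a report, treats an inconclusive check ("?" in the table, -1 in JSON) separately from a failing one, and optionally enforces the aggregate score. The embedded report is a constructed sample mirroring a subset of the rows above; the policy thresholds are this example's own choice, not a Scorecard or project default.

```python
"""Gate a CI job on an OpenSSF Scorecard JSON report.

Added example, not code from the issue, the coconut-svsm project or the
Scorecard tool. `scorecard --format=json` emits a document with a top-level
"score" and a "checks" list; this script applies a per-check policy to it.
"""
import json
import sys

# Scorecard reports an inconclusive check ("?" in the text table) as -1.
INCONCLUSIVE = -1

# Constructed sample: a subset of the rows from the issue, in Scorecard's
# JSON shape (real output carries more fields, e.g. "details", "documentation").
SAMPLE_REPORT = json.dumps({
    "repo": {"name": "github.com/coconut-svsm/svsm"},
    "score": 6.9,
    "checks": [
        {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found in the repo"},
        {"name": "Branch-Protection", "score": 0, "reason": "branch protection not enabled on development/release branches"},
        {"name": "CI-Tests", "score": 10, "reason": "13 out of 13 merged PRs checked by a CI test"},
        {"name": "CII-Best-Practices", "score": 0, "reason": "no effort to earn an OpenSSF best practices badge detected"},
        {"name": "Code-Review", "score": 9, "reason": "found 1 unreviewed changesets out of 14"},
        {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous workflow patterns detected"},
        {"name": "Packaging", "score": INCONCLUSIVE, "reason": "packaging workflow not detected"},
        {"name": "Pinned-Dependencies", "score": 0, "reason": "dependency not pinned by hash detected"},
        {"name": "SAST", "score": 0, "reason": "SAST tool is not run on all commits"},
        {"name": "Security-Policy", "score": 9, "reason": "security policy file detected"},
        {"name": "Signed-Releases", "score": INCONCLUSIVE, "reason": "no releases found"},
        {"name": "Token-Permissions", "score": 0, "reason": "detected GitHub workflow tokens with excessive permissions"},
        {"name": "Vulnerabilities", "score": 10, "reason": "0 existing vulnerabilities detected"},
    ],
})

# Policy for this example (an assumption, not a Scorecard default): minimum
# score per check. Checks not listed never block. Signed-Releases is listed
# to show how an inconclusive result is handled.
DEFAULT_POLICY = {
    "Branch-Protection": 5,
    "Code-Review": 8,
    "Dangerous-Workflow": 10,
    "Pinned-Dependencies": 5,
    "Signed-Releases": 10,
    "Token-Permissions": 10,
    "Vulnerabilities": 10,
}


def load_checks(report_text):
    """Return (aggregate score, {check name: check object})."""
    data = json.loads(report_text)
    return data.get("score"), {c["name"]: c for c in data.get("checks", [])}


def evaluate(report_text, policy=DEFAULT_POLICY):
    """Return (failures, inconclusive, missing).

    failures:     [(name, score, minimum, reason)] for checks below policy
    inconclusive: checks Scorecard could not decide (score -1)
    missing:      policy names absent from the report (older Scorecard, or
                  a check that errored); a strict gate should not ignore these
    """
    _, checks = load_checks(report_text)
    failures, inconclusive, missing = [], [], []
    for name, minimum in sorted(policy.items()):
        check = checks.get(name)
        if check is None:
            missing.append(name)
        elif check["score"] == INCONCLUSIVE:
            inconclusive.append(name)
        elif check["score"] < minimum:
            failures.append((name, check["score"], minimum, check.get("reason", "")))
    return failures, inconclusive, missing


def passes(report_text, policy=DEFAULT_POLICY, min_aggregate=None, strict=False):
    """True if the report satisfies the policy; strict=True also fails on
    missing checks, so a report cannot pass by silently dropping a check."""
    aggregate, _ = load_checks(report_text)
    failures, _, missing = evaluate(report_text, policy)
    if failures or (strict and missing):
        return False
    if min_aggregate is not None and (aggregate is None or aggregate < min_aggregate):
        return False
    return True


if __name__ == "__main__":
    # Usage: scorecard --repo=... --format=json | python3 scorecard_gate.py
    text = sys.stdin.read()
    failures, inconclusive, missing = evaluate(text)
    for name, score, minimum, reason in failures:
        print(f"FAIL {name}: {score} < {minimum} ({reason})")
    for name in inconclusive:
        print(f"INCONCLUSIVE {name}")
    for name in missing:
        print(f"MISSING {name}")
    sys.exit(0 if passes(text, strict=True) else 1)
```

Run against the sample, the three blocking findings are exactly the ones the issue calls out as structural (Branch-Protection, Pinned-Dependencies, Token-Permissions); Signed-Releases is reported as inconclusive rather than failed because the repository has no releases to sign, and SAST and CII-Best-Practices are visible in the report but not in the policy, so they inform without blocking.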

joergroedel commented 7 months ago

I will look into enabling the OpenSSF scorecard checks. Thanks for bringing this up.
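
Two of the 0/10 rows in the report, Pinned-Dependencies and Token-Permissions, come down to two properties of the repository's GitHub Actions workflow files: every `uses:` should reference a full commit SHA rather than a tag or branch, and the workflow should carry a top-level `permissions:` block that grants no more than read access. The following is an added example, not code from the project or from Scorecard: a line-oriented linter that reproduces those two findings on a constructed weak workflow and confirms they are gone on its corrected counterpart. The two workflows, the action names and the 40-hex placeholder SHA are all constructed for illustration, and the regex checks are an approximation of Scorecard's logic (Scorecard itself also evaluates job-level permission blocks), intended as a quick local check before re-running the tool.

```python
"""Reproduce the Pinned-Dependencies and Token-Permissions findings on two
constructed workflows. Added example, not code from the project or from
Scorecard; the checks are a line-oriented approximation of Scorecard's own.
"""
import re

# Constructed "before": actions referenced by tag/branch, no permissions block,
# so GITHUB_TOKEN gets the repository default (historically read/write).
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - run: cargo build
"""

# Constructed "after": read-only token, actions pinned to a full commit SHA with
# the tag kept as a trailing comment. The SHA is a placeholder for illustration;
# pin to the real commit behind the tag (e.g. from `git ls-remote`).
FIXED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: dtolnay/rust-toolchain@0123456789abcdef0123456789abcdef01234567 # stable
      - run: cargo build
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow):
    """[(line number, reference)] for every `uses:` not pinned to a 40-hex SHA."""
    findings = []
    for lineno, line in enumerate(workflow.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local action or container image: not a tag-vs-SHA question
        _action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings


def token_permission_findings(workflow):
    """Findings about the top-level `permissions:` block.

    Only the workflow-level block is inspected here; Scorecard also looks at
    job-level blocks, which this approximation ignores.
    """
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("permissions:"):
            continue
        entries = []
        inline = line[len("permissions:"):].split("#", 1)[0].strip()
        if inline:
            entries.append(inline)  # scalar form, e.g. `permissions: read-all`
        for nxt in lines[i + 1:]:
            if nxt.strip() and not nxt[0].isspace():
                break  # next top-level key ends the block
            if nxt.strip():
                entries.append(nxt.strip())
        writes = [e for e in entries if "write" in e]
        if writes:
            return [f"top-level permissions grant write access: {', '.join(writes)}"]
        return []
    return ["no top-level permissions: block; GITHUB_TOKEN gets the repository default"]


def lint(workflow):
    """All findings for one workflow file, as strings."""
    findings = [f"line {n}: {ref} is not pinned to a commit SHA"
                for n, ref in unpinned_actions(workflow)]
    return findings + token_permission_findings(workflow)
```

Pinning to a SHA matters because a tag such as `v4` is mutable: whoever controls the action's repository (or compromises it) can move the tag to different code, and every workflow referencing the tag runs that code on its next trigger. Keeping the human-readable tag in a trailing comment, as the corrected workflow does, is what lets a dependency-update tool (which the report already credits the repository with) bump the SHA and the comment together.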