etcd-io / etcd

Distributed reliable key-value store for the most critical data of a distributed system
https://etcd.io
Apache License 2.0

Enable the OpenSSF Scorecard Github Action #14502

Closed joycebrum closed 1 year ago

joycebrum commented 1 year ago

What would you like to be added?

Hi, I am Joyce and I'm working on behalf of Google and the Open Source Security Foundation to help essential open-source projects improve their supply-chain security. Given etcd's relevance in the open-source area, we want to offer our support to improve the project's security posture.

I would like to propose the adoption of the OpenSSF's Scorecard GitHub Action. Scorecards runs dozens of automated security checks to help maintainers better understand their project's supply-chain security posture. It is developed by the OpenSSF, in partnership with GitHub.

It is very lightweight and runs on every change to the repository's main branch. The results of its checks are available on the project's security dashboard, and include suggestions on how to solve any issues (see examples below). The Action does not run or interact with any workflows, but merely parses them to identify possible vulnerabilities. This Action has been adopted by 1800+ projects already.

Would you be interested in a PR which adds this Action? Optionally, it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README.

[Screenshot: Code scanning dashboard with multiple alerts, including Code-Review and Token-Permissions]

[Screenshot: Detail of a Token-Permissions alert, indicating the specific file and remediation steps]

Why is this needed?

According to the Open Source Security and Risk Analysis Report, 84% of all codebases have at least one vulnerability, with an average of 158 per codebase. The majority have been in the code for more than 2 years and have documented solutions available.

Even in large tech companies, the tedious process of reviewing code for vulnerabilities falls down the priority list, and there is little insight into known vulnerabilities and solutions that companies can draw on.

That’s where the OpenSSF tool called Scorecards is helping. Its focus is to understand the security posture of a project and assess the risks that the dependencies could introduce.

In the case of the etcd project, you are already at the greatest level of security regarding the criteria Binary-Artifacts, CI-Tests, Fuzzing, Vulnerabilities and some others, but there are still many criteria that would need your attention.

The OpenSSF Scorecard GitHub Action will help you identify which security risks exist in your project, which you should focus on first and how you could solve them.

serathius commented 1 year ago

I'm ok with this, assuming that it will be a non-blocking workflow. We already had a bad experience with CodeQL analysis making breaking changes that blocked PRs and were nontrivial to resolve. We don't have maintainer capacity to resolve all the issues; still, having such a dashboard should help everyone to see gaps and contribute fixes.

cc @ahrtr @spzala to confirm

ahrtr commented 1 year ago

Thanks @joycebrum.

Two questions:

  1. Does scorecard only support Golang?
  2. Have you compared the difference (cons vs pros) between scorecard and (govulncheck or other similar tools)? FYI https://github.com/etcd-io/etcd/issues/14449 cc @vivekpatani

joycebrum commented 1 year ago

Hi @ahrtr

About your questions:

Does scorecard only support Golang?

No, the Scorecard does not look at the programming language, thus it can be supported in projects of any programming language.

Have you compared the difference (cons vs pros) between scorecard and (govulncheck or other similar tools)? FYI https://github.com/etcd-io/etcd/issues/14449 cc @vivekpatani

I think each tool does different things. As far as I've seen of govulncheck, it helps to track and solve known vulnerabilities in importable packages in public Go modules, being specific to Golang itself. The Scorecard is related to Security Best Practices, which is more related to a "Security Posture".

Maybe the Pinned-Dependencies and Dependency-Update-Tool checks, if attended to, would provide similar feedback about the dependencies, but in fact govulncheck would guarantee it at a much greater level. In the end, I would recommend adopting both tools, since one does not cover the other.

Just for a better understanding of what Scorecard is really checking on your repository to improve its security posture, here you can see all the current checks that Scorecard runs.

And just to confirm to @serathius, the Scorecard GitHub Action is a non-blocking workflow; it does not interact with PRs or other workflows, it just allows you to see and solve the security risks that were identified at the time you want.

ahrtr commented 1 year ago

Thanks @joycebrum for the clarification, and it makes sense to me.

Please feel free to deliver a PR for this if there are no objections. We can have more discussion in the PR to be delivered.