Status: Closed (closed by joycebrum 2 years ago)
Hi @joycebrum, thanks for the suggestion. What are the security checks that the action will perform? And what permissions would scorecard action require?
Hi @r0qs, thanks for the reply about the issue.
About the security checks, all security checks can be found at Scorecard Checks, where you can find a link to see each check in detail. If you have any doubts about the checks, I'll be happy to help.
About the permissions that would be needed to enable the scorecard action:

permissions: read-all
- default permission as read only

security-events: write
- the Scorecards analysis job will have this permission to upload the results to the code-scanning at the security dashboard

id-token: write
- it is optional, it is only necessary if you decide to use the badge.

publish_results: true
- it is also optional and it is only necessary if you decide to use the badge. It publishes the results for public repositories to enable scorecard badges. For more details, see https://github.com/ossf/scorecard-action#publishing-results.

repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
- it is an optional read-only PAT token that can be configured to enable the Branch-Protection check. This is currently the only check that needs this token. In the PR I can not submit with this token because it has to be created by you through the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. After this you would only need to uncomment the line with repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} in the scorecards.yml file.

Hi @joycebrum, thanks for the details. Maybe we could give it a try, but it will require a discussion with the rest of the team. Could you open a PR adding the action? I think we can initially only use the minimum required permissions and features.
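Of the five items listed above, `permissions: read-all`, `security-events: write` and `id-token: write` are workflow permissions, while `publish_results` and `repo_token` are inputs of the action step. The following is an added example workflow in the minimum-permission shape the maintainer asked for, not the PR's file or the project's own; the optional badge and Branch-Protection pieces are left commented out, and the action version tags and cron schedule are assumptions.

```yaml
# Added example scorecards.yml (not the PR's file). Minimum-permission
# Scorecard workflow; optional badge and Branch-Protection parts are
# commented out. Action version tags and the schedule are assumptions.
name: Scorecard supply-chain security

on:
  push:
    branches: [ main ]
  schedule:
    - cron: '30 1 * * 6'   # weekly re-run; constructed choice

# Default for every job: read-only access to the repository
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload SARIF results to the code-scanning dashboard
      security-events: write
      # Optional: only needed for publish_results (the README badge)
      # id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config

      - name: Run analysis
        uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          # Optional read-only PAT; enables the Branch-Protection check.
          # Create the secret first, then uncomment:
          # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
          # Optional: publish to the OpenSSF API for the badge
          # (set to true and also grant id-token: write above).
          publish_results: false

      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
```

Turning on the badge later is then a two-line change (`id-token: write` and `publish_results: true`) rather than a new review of the whole workflow.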
Hello, I am Joyce and I'm working on behalf of Google and the Open Source Security Foundation to help essential open-source projects improve their supply-chain security. Given the solc-js relevance to provide JavaScript bindings for the Solidity compiler, the OpenSSF has identified it as one of the 100 most critical open source projects.
Would you consider adopting an OpenSSF tool called Scorecards? Scorecards runs dozens of automated security checks to help maintainers better understand their project's supply-chain security posture. It is developed by the OpenSSF, in partnership with GitHub.
I've seen that you already follow many security guidelines such as CI-Tests, Code Review, No Dangerous-Workflow, and no known Vulnerabilities detected, but there are still some criteria that would help increase the project's security if you work on them. The Scorecard could help you in diagnosing and solving those security risks.
To simplify maintainers' lives, the OpenSSF has also developed the Scorecard GitHub Action. It is very lightweight and runs on every change to the repository's main branch. The results of its checks are available on the project's security dashboard, and include suggestions on how to solve any issues (see examples below). The Action does not run or interact with any workflows, but merely parses them to identify possible vulnerabilities. This Action has been adopted by 1800+ projects already.
Would you be interested in a PR that adds this Action? Optionally, it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README.