expressjs / security-wg

Express.js Security Working Group
MIT License

Implementing OSSF Scorecard #2

Open UlisesGascon opened 5 months ago

UlisesGascon commented 5 months ago

Some time ago, we implemented the monitoring and review of the OSSF scorecard in the Node.js org, and it significantly contributed to the improvement of many repositories. I believe adopting a similar approach for Express would be highly beneficial. We've developed tools, such as the OpenSSF Scorecard Monitor and OpenSSF Scorecard Visualizer, along with processes that make handling the evolution of scoring straightforward. Despite initial appearances, the process is quite simple.

Context

The goal of Scorecards is to auto-generate a “security score” for open source projects to help users as they decide the trust, risk, and security posture for their use case. This data can also be used to augment any decision making in an automated fashion when new open source dependencies are introduced inside projects or at organizations. For example, organizations may decide that any new dependency with low scores has to go through additional evaluation. These checks could help mitigate malicious dependencies from getting deployed to production systems like we’ve seen recently with malicious NPM packages. source: openssf Blog

Resources

Next Steps:

I'm enthusiastic about leading these changes in the repos. While we may not be familiar with the OSSF Scorecard, we already have scores for most of our projects. Here is a simple dashboard that I auto-generated. The OSSF team is already tracking our projects using a CRON job, but we can easily enrich them and make some simple patches to increase the scoring.

Most of these changes won't require significant alterations and can be performed in isolated PRs, making them easy to review. If we're in agreement, I can start with the Express project to showcase the process. 👍

dougwilson commented 5 months ago

If we're in agreement, I can start with the Express project to showcase the process. 👍

Go for it. And if it makes it any easier you are always welcome to start with any of the smaller, simpler middleware repos.

inigomarquinez commented 4 months ago

Good afternoon!

I've had a chat with @UlisesGascon to tell him that I am interested in contributing to this initiative, as the OpenSSF Scorecard is something that I like and that I have also helped to implement in the Open Source community of the company where I work.

UlisesGascon commented 4 months ago

Yeah! Welcome aboard @inigomarquinez 🎉

carpasse commented 4 months ago

Good Morning!

I've also had a chat with @UlisesGascon and I am interested in contributing to this initiative too.

UlisesGascon commented 4 months ago

As discussed with @inigomarquinez, he will champion this initiative 🎉

inigomarquinez commented 4 months ago

Thanks for the opportunity @UlisesGascon !

UlisesGascon commented 3 months ago

We have a dashboard now https://github.com/expressjs/security-wg/blob/main/tools/ossf_scorecard/report.md and a GitHub Action to update the reports 🥳

inigomarquinez commented 2 weeks ago

We can say that the implementation of the scorecard has been completed in most of the organisations' repositories: expressjs, pillarjs and jshttp. The implementation has been the same in all cases, adding a GitHub Action in each repository called scorecard.yml (see example here). This action is executed both with each push to master and weekly via a cron job.

Some repositories of the 3 organisations have been discarded and the scorecard has not been integrated in them for several reasons: they have been deprecated, they have not been updated for a long time (more than 10 years), they are not applicable (documentation repositories) or they have a very low level of downloads and it is more than likely that in the near future they will be archived.

After finalising the integration, the next step is to analyse the scores in the individual repositories and take suggested actions to improve these scores.

@UlisesGascon , should we mark this issue as closed?

UlisesGascon commented 2 weeks ago

Thanks for all the hard work @inigomarquinez and @carpasse!

@UlisesGascon , should we mark this issue as closed?

I prefer to keep it open until the PRs related to the Express repo are merged, so we can have a clear policy on how to patch the other repositories.