fluxcd / pkg

Toolkit common packages
https://pkg.go.dev/github.com/fluxcd/pkg
Apache License 2.0
45 stars, 84 forks

Improve OpenSSF Scorecard Score #214

Open pjbgf opened 2 years ago

pjbgf commented 2 years ago

"The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects."

As of 3rd January, fluxcd/pkg scores 6.2/10. For the latest score, check deps.dev or run scorecard manually.

[image: Scorecard results for fluxcd/pkg]

Areas to focus on:

hiddeco commented 2 years ago

The statistics shown there are outdated, as we moved from <semver> to <module>/<semver> after the creation of the repository. See e.g. https://deps.dev/go/github.com%2Ffluxcd%2Fpkg%2Fruntime

pjbgf commented 2 years ago

@hiddeco the security advisories are indeed out of date. But the OpenSSF scorecard is at GitHub repository level, so it should be the same across all modules.

justaugustus commented 2 years ago

Hey folks, (new) Scorecard maintainer here! I see @pjbgf on OpenSSF, but just wanted to invite you all to file feature requests/bugs on https://github.com/ossf/scorecard/issues and we'll take a peek. :)

laurentsimon commented 2 years ago

There's an easy way to keep track of scorecard issues using the action https://github.com/ossf/scorecard-action. It's integrated in the GitHub scanning dashboard. Don't forget that the hard work you put in could be rewarded via sos.dev!

pjbgf commented 2 years ago

@justaugustus okie dokie, I previously reported issues by email. From now on I will do so via that repo. Thanks for the heads up. :+1:

pjbgf commented 2 years ago

> There's an easy way to keep track of scorecard issues using the action https://github.com/ossf/scorecard-action

@laurentsimon nice one, I will take a look at the action.