fullstorydev / grpcurl

Like cURL, but for gRPC: Command-line tool for interacting with gRPC servers
MIT License

Add the OpenSSF Scorecard Github Action #447

Open wwuck opened 3 months ago

wwuck commented 3 months ago

Would you be interested if I submitted a PR to add the OpenSSF Scorecard GitHub Action?

https://github.com/ossf/scorecard https://github.com/ossf/scorecard-action

Example from another project: https://github.com/docker/compose/issues/9845

wwuck commented 3 months ago

To add a bit more information, I followed the CLI instructions on the Scorecard website to run a manual scan on this project.

docker run -e GITHUB_AUTH_TOKEN=<public_repo_token> gcr.io/openssf/scorecard:stable --repo=github.com/fullstorydev/grpcurl
Starting [Contributors]
Starting [Vulnerabilities]
Starting [Pinned-Dependencies]
Starting [Token-Permissions]
Starting [Binary-Artifacts]
Starting [SAST]
Starting [CI-Tests]
Starting [Dangerous-Workflow]
Starting [Maintained]
Starting [Signed-Releases]
Starting [License]
Starting [Packaging]
Starting [Dependency-Update-Tool]
Starting [Code-Review]
Starting [Security-Policy]
Starting [CII-Best-Practices]
Starting [Fuzzing]
Starting [Branch-Protection]
Finished [CII-Best-Practices]
Finished [Fuzzing]
Finished [Branch-Protection]
Finished [Contributors]
Finished [Vulnerabilities]
Finished [Pinned-Dependencies]
Finished [Token-Permissions]
Finished [Binary-Artifacts]
Finished [SAST]
Finished [CI-Tests]
Finished [Dangerous-Workflow]
Finished [Maintained]
Finished [Signed-Releases]
Finished [License]
Finished [Packaging]
Finished [Dependency-Update-Tool]
Finished [Code-Review]
Finished [Security-Policy]

RESULTS
-------
Aggregate score: 6.8 / 10

Check scores:
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |                                               DOCUMENTATION/REMEDIATION                                               |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts       | no binaries found in the repo  | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#binary-artifacts       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 8 / 10  | Branch-Protection      | branch protection is not       | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#branch-protection      |
|         |                        | maximal on development and all |                                                                                                                       |
|         |                        | release branches               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | CI-Tests               | 29 out of 29 merged PRs        | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#ci-tests               |
|         |                        | checked by a CI test -- score  |                                                                                                                       |
|         |                        | normalized to 10               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | CII-Best-Practices     | no effort to earn an OpenSSF   | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#cii-best-practices     |
|         |                        | best practices badge detected  |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10  | Code-Review            | found 1 unreviewed changesets  | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#code-review            |
|         |                        | out of 18 -- score normalized  |                                                                                                                       |
|         |                        | to 9                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors           | project has 3 contributing     | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#contributors           |
|         |                        | companies or organizations --  |                                                                                                                       |
|         |                        | score normalized to 10         |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#dangerous-workflow     |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected           | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Fuzzing                | project is not fuzzed          | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#fuzzing                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License                | license file detected          | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#license                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained             | 10 commit(s) and 2 issue       | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#maintained             |
|         |                        | activity found in the last 90  |                                                                                                                       |
|         |                        | days -- score normalized to 10 |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Packaging              | packaging workflow not         | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#packaging              |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Pinned-Dependencies    | dependency not pinned by hash  | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#pinned-dependencies    |
|         |                        | detected -- score normalized   |                                                                                                                       |
|         |                        | to 0                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | SAST                   | SAST tool is not run on all    | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#sast                   |
|         |                        | commits -- score normalized to |                                                                                                                       |
|         |                        | 0                              |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Security-Policy        | security policy file not       | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#security-policy        |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Signed-Releases        | Project has not signed or      | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#signed-releases        |
|         |                        | included provenance with any   |                                                                                                                       |
|         |                        | releases.                      |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Token-Permissions      | GitHub workflow tokens follow  | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#token-permissions      |
|         |                        | principle of least privilege   |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities        | 0 existing vulnerabilities     | https://github.com/ossf/scorecard/blob/f1e703f5006c2cd8d27c86368f0aed0fd286a976/docs/checks.md#vulnerabilities        |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
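As an added illustration of what the proposed PR would introduce (this is example content written for this page, not a file from the grpcurl project or from ossf/scorecard-action), below is a Scorecard workflow shaped to satisfy the checks the manual scan above flags: every action reference is pinned to a commit SHA (the Pinned-Dependencies check scored 0 / 10 because a dependency was not pinned by hash), the workflow token is read-only by default and each job requests only the scopes it needs (the Token-Permissions check), and the SARIF output is uploaded to code scanning so findings show up as alerts. The commit SHAs are placeholders to be replaced with the real commit for the tag you pick, and the default branch name `master` is an assumption.

```yaml
# Added example workflow (not part of the grpcurl repository).
# Action refs are pinned to commit SHAs, which is what the Scorecard
# Pinned-Dependencies check looks for. The <...SHA> values are placeholders:
# resolve the tag you want to a full 40-character commit and paste it here.
name: Scorecard supply-chain security

on:
  branch_protection_rule:
  schedule:
    - cron: '30 2 * * 1'   # weekly rescan so the score tracks repository changes
  push:
    branches: [ master ]   # assumption: grpcurl's default branch name

# Read-only token by default; each job asks only for what it needs
# (this is what the Token-Permissions check scores).
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # needed to upload SARIF to the Security tab
      id-token: write          # OIDC token used when publishing results to the Scorecard API
    steps:
      - name: Checkout code
        uses: actions/checkout@<CHECKOUT_COMMIT_SHA>   # placeholder: pin to a full commit SHA
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config for later steps

      - name: Run Scorecard analysis
        uses: ossf/scorecard-action@<SCORECARD_ACTION_COMMIT_SHA>   # placeholder: pin to a full commit SHA
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true   # required for the public badge; relies on id-token: write above

      - name: Upload results as a workflow artifact
        uses: actions/upload-artifact@<UPLOAD_ARTIFACT_COMMIT_SHA>   # placeholder: pin to a full commit SHA
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      - name: Upload results to code scanning
        uses: github/codeql-action/upload-sarif@<CODEQL_ACTION_COMMIT_SHA>   # placeholder: pin to a full commit SHA
        with:
          sarif_file: results.sarif
```

Two design choices worth noting. `permissions: read-all` at the top level means any job added later starts with no write scopes; the `analysis` job then opts in to exactly `security-events: write` and `id-token: write`, which is the shape the Token-Permissions check rewards. `persist-credentials: false` on the checkout step keeps the workflow token out of the checked-out `.git/config`, so the Scorecard and upload steps cannot reuse it for pushes. Once the workflow is in place, the same `docker run ... gcr.io/openssf/scorecard:stable --repo=github.com/fullstorydev/grpcurl` command from the comment above can be rerun to confirm the Pinned-Dependencies and SAST rows move off 0 / 10.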