search

gatsbyjs / gatsby

The best React-based framework with performance, scalability and security built in.
https://www.gatsbyjs.com
MIT License
55.27k stars 10.32k forks source link

Add OSSF Scorecard security workflow #38255

Closed 5minpause closed 1 year ago

5minpause commented 1 year ago

I tested this project using OSSF Scorecard by the Open Source Security Foundation. Their aim is:

We created Scorecard to help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe.

Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.

Unfortunately, this project only received a value of 6.2/10

Please follow these steps to add the Action to the codescanning suite to ensure this project continues to stays safe Steps to install the workflow

Results of the scan


RESULTS
-------
Aggregate score: 6.2 / 10

Check scores:
|---------|------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
|  SCORE  |          NAME          |                                                  REASON                                                   |                                               DOCUMENTATION/REMEDIATION                                               |
|---------|------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts       | no binaries found in the repo                                                                             | https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#binary-artifacts       |
|---------|------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Branch-Protection      | internal error: error during                                                                              | https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#branch-protection      |
|         |                        | branchesHandler.setup:                                                                                    |                                                                                                                       |
|         |                        | internal error:                                                                                           |                                                                                                                       |
|         |                        | githubv4.Query: Resource not                                                                              |                                                                                                                       |
|         |                        | accessible by personal access                                                                             |                                                                                                                       |
|         |                        | token                                                                                                     |                                                                                                                       |
|---------|------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | CI-Tests               | internal error: internal error: Client.Repositories.ListStatuses: internal error: ListStatuses: Get       | https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#ci-tests               |
|         |                        | "https://api.github.com/repos/gatsbyjs/gatsby/commits/442cb84ad802a1eb7f3baba99795a56e8d68c4ad/statuses": |                                                                                                                       |
|         |                        | internal error: innerTransport.RoundTrip: internal error: innerTransport.RoundTrip: error in HTTP: read   |                                                                                                                       |
|         |                        | tcp 192.168.2.68:60364->140.82.121.5:443: read: connection reset by peer                                  |                                                                                                                       |
|---------|------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | CII-Best-Practices     | no badge detected                                                                                         | https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#cii-best-practices     |
|---------|------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Code-Review            | found 5 unreviewed human                                                                                  | https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#code-review            |
|         |                        | changesets                                                                                                |                                                                                                                       |
|---------|------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Contributors           | internal error: Client.Repositories.ListContributors:                                                     | https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#contributors           |
|         |                        | error during contributorsHandler.setup:                                                                   |                                                                                                                       |
|         |                        | error during ListContributors: Get                                                                        |                                                                                                                       |
|         |                        | "https://api.github.com/repos/gatsbyjs/gatsby/contributors":                                              |                                                                                                                       |
|         |                        | internal error: innerTransport.RoundTrip: internal                                                        |                                                                                                                       |
|         |                        | error: innerTransport.RoundTrip: error in HTTP: read tcp                                                  |                                                                                                                       |
|         |                        | 192.168.2.68:60364->140.82.121.5:443: read: connection reset                                              |                                                                                                                       |
|         |                        | by peer                                                                                                   |                                                                                                                       |
|---------|------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns                                                                            | https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#dangerous-workflow     |
|         |                        | detected                                                                                                  |                                                                                                                       |
|---------|------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Dependency-Update-Tool | no update tool detected                                                                                   | https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#dependency-update-tool |
|---------|------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Fuzzing                | project is not fuzzed                                                                                     | https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#fuzzing                |
|---------|------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License                | license file detected                                                                                     | https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#license                |
|---------|------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained             | 30 commit(s) out of 30 and 1                                                                              | https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#maintained             |
|         |                        | issue activity out of 30 found                                                                            |                                                                                                                       |
|         |                        | in the last 90 days -- score                                                                              |                                                                                                                       |
|         |                        | normalized to 10                                                                                          |                                                                                                                       |
|---------|------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Packaging              | no published package detected                                                                             | https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#packaging              |
|---------|------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 5 / 10  | Pinned-Dependencies    | dependency not pinned by hash                                                                             | https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#pinned-dependencies    |
|         |                        | detected -- score normalized                                                                              |                                                                                                                       |
|         |                        | to 5                                                                                                      |                                                                                                                       |
|---------|------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | SAST                   | SAST tool is not run on all                                                                               | https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#sast                   |
|         |                        | commits -- score normalized to                                                                            |                                                                                                                       |
|         |                        | 0                                                                                                         |                                                                                                                       |
|---------|------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Security-Policy        | security policy file detected                                                                             | https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#security-policy        |
|---------|------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Signed-Releases        | no releases found                                                                                         | https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#signed-releases        |
|---------|------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Token-Permissions      | tokens are read-only in GitHub                                                                            | https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#token-permissions      |
|         |                        | workflows                                                                                                 |                                                                                                                       |
|---------|------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities        | no vulnerabilities detected                                                                               | https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#vulnerabilities        |
|---------|------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
LekoArts commented 1 year ago

Hi, thanks for the issue and suggestion!

We have an internal security team that looks after our projects and makes sure that we do our best to keep our software safe. We have CI tools we're familiar with already and use it where necessary. The report from this tool doesn't give me confidence as it already declared multiple things incorrectly. As such, I don't think we should add this.