Closed jmeridth closed 4 months ago
jmeridth
commented
5 months ago Outstanding question from @zkoppert:
what system or process will we want to put in place to regularly review those scorecards and open issues for action items. Monthly review? Something else?
🤔
zkoppert
commented
5 months ago It would be cool if we could automatically open an issue when the scorecard goes below some threshold.
jmeridth
commented
4 months ago One of our biggest issues is pip dependencies not hashed. A good solution to this is moving to pipenv aka Pipfile and Pipfile.lock. The lock file will automatically contain all hashes for a dependency (similary to package-lock.json or Gemfile). I like this better than managing the hashes ourselves in the requirements.txt files.
I'm testing this move in https://github.com/github/stale-repos/pull/132
I've found two issues though:
pip install with hashes directly on the CLI. 🤦 <= 2021-05-29. Latest version is 2023.12.1. That is currently 88 versions/releases ahead of the supported version. 🤔 jmeridth
commented
4 months ago This is complete. We will iterate through the remediations.
Is your feature request related to a problem?
No visibilty of supply chain security in our GitHub Actions
Related OSPO Tool
automatic-contrib-prs GitHub Action, cleanowners GitHub Action, contributors GitHub Action, evergreen GitHub Action, issues-metrics GitHub Action, stale-repos GitHub Action
Describe the solution you'd like
Summary
Add the OSSF Scorecard GitHub Action so we can have automated supply chain security detection. Allows us to add badge to README to show users we are using open source security tooling.
Corresponding Work
Add Tasks that ladder up to this batch
Dependencies
OSSF Scorecard GitHub Action
Supporting Documentation
OSSF Scorecard GitHub Action
Describe alternatives you've considered
No response
Additional context
No response