improve repo's ossf scorecard's score

[sheerlox]

Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.

We are currently scoring 5.3/10:

Find below the checks we need to improve on and the associated remediation steps.

Poor scoring checks

How to improve check scores

• [x] Fuzzing

  • add fuzzing test cases. I've setup this on my import-from-esm package, see commit 9abddb5 (note: it uses ava but there's also a jest plugin).

• [x] SAST

  • run CodeQL checks in CI/CD by following the instructions here.

• [x] Security-Policy

  • add SECURITY.md (example).

• [x] Token Permissions

  • run StepSecurity and apply recommended policies.

• [x] Pinned-Dependencies

  • [x] setup already done in https://github.com/kelektiv/node-cron/pull/683.
  • [x] the Renovate app needs to be installed to this repository from https://github.com/apps/renovate.

• [x] Code Review

  • this is already enforced, so the score will improve over time (reviewed changesets pushed to main).

• [x] Vulnerabilities

  • [x] setup already done in https://github.com/kelektiv/node-cron/pull/683.
  • [x] the Renovate app needs to be installed to this repository from https://github.com/apps/renovate.

[sheerlox]

@intcreator could you please try to install the Renovate app to the repository? I think you might have the necessary rights.

I'll prepare a PR for all the other points, which should get our score up to about 9.

[sheerlox]

also regarding the security policy, we'd need an email address and PGP key accessible to the (main) maintainers. I'm unsure how to go about this, please let me know if you have any ideas!

[ncb000gt]

:tada: This issue has been resolved in version 3.1.5 :tada:

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot :package::rocket: