nodejs / security-wg

Node.js Ecosystem Security Working Group
MIT License

Improve Node.js Scorecard #929

Closed RafaelGSS closed 11 months ago

RafaelGSS commented 1 year ago

Reference: https://github.com/nodejs/security-wg/blob/main/tools/ossf_scorecard/report.md

We need to:

Note: we can use StepSecurity for an automated PR.

RafaelGSS commented 1 year ago

Actually, there's already a PR for pinned actions https://github.com/nodejs/node/pull/46820

mateonunez commented 1 year ago

Hey @RafaelGSS, I would love to dig into this. Just a couple of questions:

RafaelGSS commented 1 year ago

> Should the workflow be set only on the main branch on push, or do we want to include the other stable branches as well?

main branch

> Is there a specific scheduled time to run the workflow?

You can use the same as the one we use for this repo.

mateonunez commented 1 year ago

I created this PR to increase the scorecard score by adding the missing dependencies: https://github.com/nodejs/node/pull/47346

I'm sure that by merging this we can get very close to score 10 on the topic "Pinned-Dependencies".

RafaelGSS commented 1 year ago

UPDATE from #945

Node.js score: 7.6 - 2023-04-08

RafaelGSS commented 1 year ago

UPDATE from https://github.com/nodejs/security-wg/issues/961

| Repository | Commit | Score | Date | Difference | Report Link | StepSecurity Link |
| --- | --- | --- | --- | --- | --- | --- |
| nodejs/node | 2ac5e98 | 7.3 | 2023-04-26T08:57:49Z | -0.3 | Full Report | Fix it |

UlisesGascon commented 1 year ago

UPDATE from #981

| Repository | Commit | Score | Date | Difference | Report Link | StepSecurity Link |
| --- | --- | --- | --- | --- | --- | --- |
| nodejs/node | 12a93ce | 7.3 | 2023-05-10T08:02:33Z | 0 | Full Report | Fix it |

RafaelGSS commented 1 year ago

As discussed in https://github.com/nodejs/security-wg/issues/1042, we can pin the node-core-utils in a package.json to run the command: https://github.com/nodejs/node/blob/main/tools/actions/start-ci.sh.

See: https://kooltheba.github.io/openssf-scorecard-api-visualizer/#/projects/github.com/nodejs/node/compare/2ac5e9889aba461f5a54d320973d2574980d206b/b5e16adb1d155759e7db405eead5a43cd425785d (pinned dependencies)
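The two "Pinned-Dependencies" items raised in this thread (pinning GitHub Actions to commit SHAs in the workflows, and pinning node-core-utils to an exact version in a package.json) can both be checked locally before opening a PR. The script below is an added example, not part of this issue or of the Node.js project's tooling: it flags `uses:` references that are not pinned to a full 40-hex commit SHA and package.json dependency specifiers that use a range (`^`, `~`, etc.) instead of an exact version. The sample workflow, the SHA and the version numbers in it are constructed placeholders, not real commits or releases.

```python
import json
import re

# Matches a `uses:` line in a GitHub Actions workflow, e.g.
#   - uses: actions/checkout@v3
#   - uses: actions/setup-node@<40-hex-sha> # v3.8.2
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)")
# A full commit SHA is the only reference the Scorecard check treats as pinned.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Exact version: major.minor.patch with optional prerelease/build, no range operator.
EXACT_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def unpinned_actions(workflow_text: str) -> list[str]:
    """Return `uses:` references that are not pinned to a full commit SHA.

    Local actions (./path) and docker:// references are skipped, since
    they are not resolved from another repository's tag or branch.
    """
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            # No version at all: resolves to the default branch, never pinned.
            findings.append(ref)
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def unpinned_dependencies(package_json_text: str) -> list[str]:
    """Return dependency specifiers from package.json that are not exact versions."""
    data = json.loads(package_json_text)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            if not EXACT_VERSION_RE.match(spec):
                findings.append(f"{name}@{spec}")
    return findings


# Constructed sample workflow: the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: scorecard
on:
  schedule:
    - cron: '0 0 * * 1'
jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@abcdef0123456789abcdef0123456789abcdef01 # v3.8.2 (placeholder SHA)
      - uses: ./tools/actions/local-step
"""

# Constructed sample package.json: version numbers are placeholders.
SAMPLE_PACKAGE_JSON = json.dumps({
    "devDependencies": {
        "node-core-utils": "4.0.1",
        "eslint": "^8.0.0",
    }
})

if __name__ == "__main__":
    for ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned action: {ref}")
    for dep in unpinned_dependencies(SAMPLE_PACKAGE_JSON):
        print(f"unpinned dependency: {dep}")
```

Run against a real checkout by reading each file under `.github/workflows/` into `unpinned_actions` and the relevant package.json into `unpinned_dependencies`; an empty list from both is what the Scorecard check is looking for. A tag such as `@v3` still fails the check because the tag can be moved, which is why the PRs linked above replace tags with SHAs and keep the tag only as a trailing comment.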

github-actions[bot] commented 1 year ago

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.

RafaelGSS commented 11 months ago

I'm closing it since we've achieved our goal of improving the scorecard, and now we're monitoring the score at each meeting.