saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:
https://repo.saltproject.io/
Apache License 2.0

[FEATURE REQUEST] Add the OpenSSF Scorecard GitHub Action #62850

Open pnacht opened 1 year ago

pnacht commented 1 year ago

Is your feature request related to a problem? Please describe.
Open-source supply-chain attacks are increasing every year. Beyond the infamous SolarWinds and Codecov attacks, there have also been multiple smaller but significant supply-chain disruptions such as left-pad, colors/faker.js, coa/rc and ua-parser-js.

Describe the solution you'd like
I'm working on behalf of Google and the Open Source Security Foundation to help essential open-source projects improve their supply-chain security. Given salt's significant presence in the sensitive IT automation space, the OpenSSF has identified it as one of the 100 most critical open source projects.

Would you consider adopting an OpenSSF tool called Scorecards? Scorecards runs dozens of automated security checks to help maintainers better understand their project's supply-chain security posture. It is developed by the OpenSSF, in partnership with GitHub.

While glancing at salt's issues and PRs, I noticed the project's already interacted with the OpenSSF and Scorecards: #34597 suggested adding the OpenSSF (then Core Infrastructure Initiative, or CII) Best Practices badge and #62317 implemented a supply-chain security improvement suggested by Scorecards.

However, the OpenSSF has also developed the Scorecard GitHub Action, which aims to automate the detection of such improvements. The Action is very lightweight and runs on every change to the repository's main branch. The results of its checks are available on the project's security dashboard, and include suggestions on how to solve any issues (see examples below). Optionally, it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README. This Action has been adopted by 1800+ projects already.

Would you be interested in a PR which adds this Action?

[Screenshot: Code scanning dashboard with multiple alerts, including Code-Review and Token-Permissions]

[Screenshot: Detail of a Token-Permissions alert, indicating the specific file and remediation steps]
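As an added illustration of what adopting the Action involves (example added here, not code from this issue or from the Salt repository), the workflow below has the shape of Scorecard's own template: it runs on pushes to the default branch, keeps the workflow token read-only except for the scopes the upload step needs (which is what the Token-Permissions alert above is about), uploads the SARIF results to the security dashboard, and optionally publishes them to the OpenSSF API. The action tags, cron schedule and branch name are assumptions; Scorecard's Pinned-Dependencies check expects each `uses:` ref to be a full commit SHA rather than a tag.

```yaml
# Added example workflow (not from the issue or the Salt repo); refs are assumed.
name: OpenSSF Scorecard
on:
  # Re-run when branch protection settings change (an input to Scorecard checks)
  branch_protection_rule:
  # Weekly run so the dashboard stays current even without pushes (assumed schedule)
  schedule:
    - cron: '30 1 * * 6'
  push:
    branches: [ main ]   # replace with the repository's default branch name

# Workflow-wide default: read-only token, which is what the Token-Permissions
# check looks for. Write scopes are granted only to the job that needs them.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # required to upload SARIF to code scanning
      id-token: write          # required only when publish_results is true
    steps:
      - name: Checkout
        uses: actions/checkout@v3   # assumed tag; pin to a commit SHA in practice
        with:
          persist-credentials: false

      - name: Run Scorecard
        uses: ossf/scorecard-action@v2   # assumed tag; pin to a commit SHA
        with:
          results_file: results.sarif
          results_format: sarif
          # Set to false to keep results private to the security dashboard
          publish_results: true

      - name: Upload SARIF to the security dashboard
        uses: github/codeql-action/upload-sarif@v2   # assumed tag; pin to a commit SHA
        with:
          sarif_file: results.sarif
```

With `publish_results: true` the score becomes visible through the OpenSSF API, which is what the README badge mentioned above reads from; with it set to false the findings still appear under the repository's code scanning alerts.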

welcome[bot] commented 1 year ago

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey. Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar. If you have additional questions, email us at saltproject@vmware.com. We’re glad you’ve joined our community and look forward to doing awesome things with you!