Closed melba-lopez closed 1 year ago
Thank you!
You know you can send us some PR and possibly get rewarded at sos.dev, right?
I thought PRs were mostly meant for doc/code changes?? I know I am unable to make these changes myself since I don't have repo access. So not sure how that would work?
The permission changes could be changes you propose via a PR. If you identify some critical projects and get them to accept your PR, you can use sos.dev to be rewarded
Some config settings like branch protection cannot be changed via PR, you are correct.
Would adding permissions: read-all
to the GitHub action YAML files be sufficient to address the "Token Permissions should follow principle of least privilege" bullet point?
That's what my reading of the Scorecards documentation on token permissions remediation suggests.
If that's a correct interpretation, I'm glad to help out with a PR that adds this line repeatedly.
I thought we already set the permissions as read-only in all our workflows. If we don't for some, please feel free to send a PR
Huh, scorecard
says, as of 10/19/22 for this repo, 0/10
for Token-Permissions
and that non read-only tokens detected
. Let me do a little digging.
Could it be this line? https://github.com/slsa-framework/slsa-github-generator/blob/61d71969e88ad66f920aa17d86d822f428aa49cf/.github/workflows/generator_container_slsa3.yml#L88-L91
Seems like the keyless signing requires non-read permissions, so I'm not sure there's any way to get around this 0/10
Token-Permissions
scorecard score. If I am misunderstanding, please correct me and I'm glad to put in a PR.
You're right. Scorecard scoring is going to change in the next release to address this. See https://github.com/ossf/scorecard/issues/2338
We have a score of 9 now but I think we can close once we've completed the following tasks that were written in the description.
It seems that scorecard also dings us hard for using packages: write
. It's giving us a zero for the 'Token-Permissions' check.
This should go away with one of the future releases of Scorecard
We finished the tasks I mentioned above and now have a overall scorecard score if 9+ so I think we have completed this.
Describe the bug Improve repository's OpenSSF Scorecard score (currently at 7.1)
To Reproduce
docker run -e GITHUB_AUTH_TOKEN gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/slsa-framework/slsa-github-generator --format=json > scorecard_slsa-framework_slsa-github-generator.json
Expected behavior
Screenshots
Additional context Attempted to upload the JSON file, but github does not allow me to. Related to recommendation of securing our repos: https://github.com/slsa-framework/slsa/issues/424