smartcontractkit / chainlink

node of the decentralized oracle network, bridging on and off-chain computation
https://chain.link
MIT License

[FEAT] Run scorecard for automate analysis and trust decisions on the security posture #4532

Closed naveensrinivasan closed 2 years ago

naveensrinivasan commented 3 years ago

Description: Running https://github.com/ossf/scorecard provides a way to automate analysis and trust decisions on the security posture. Scorecard takes the best practices and automates them to help improve the security posture of the critical projects the world depends on.

Motivation: For example, chainlink does not pin dependencies for the GitHub workflow, which could become an issue, and scorecard has checks to validate this.

Scorecard is a project of https://openssf.org/, which is part of the Linux Foundation.

chainlink scorecard results:

```
{ "Repo": "github.com/smartcontractkit/chainlink", "Date": "2021-06-09", "Checks": [ { "Name": "Active", "Details": [ "commits in last 90 days: 30" ], "Confidence": 10, "Pass": true }, { "Name": "Automatic-Dependency-Update", "Details": [ "dependabot config found: .github/dependabot.yml" ], "Confidence": 10, "Pass": true }, { "Name": "Branch-Protection", "Details": [ "error, retrying: GET https://api.github.com/repos/smartcontractkit/chainlink/branches/develop/protection: 404 Not Found []" ], "Confidence": 0, "Pass": false }, { "Name": "CI-Tests", "Details": [ "CI test found: pr: 4529, context: ci/circleci: build-publish-chainlinkuccess, url: https://api.github.com/repos/smartcontractkit/chainlink/statuses/77b89c83bb6e12c59b90804ef51ca8a7ff89d8ceuccess", "CI test found: pr: 4524, context: ci/circleci: build-publish-chainlinkuccess, url: https://api.github.com/repos/smartcontractkit/chainlink/statuses/58f5351ffef823215a93b68ab16c674af6ecfa4cuccess", "CI test found: pr: 4522, context: ci/circleci: build-publish-chainlinkuccess, url: https://api.github.com/repos/smartcontractkit/chainlink/statuses/dbb854abcc27d424e6cd3502b6b8dc73c5e7c6e0uccess", "CI test found: pr: 4520, context: ci/circleci: build-publish-chainlinkuccess, url: https://api.github.com/repos/smartcontractkit/chainlink/statuses/77e2285f1639004f069c9d8dbed0d21b41136888uccess", "CI test found: pr: 4519, context: ci/circleci: build-publish-chainlinkuccess, url: https://api.github.com/repos/smartcontractkit/chainlink/statuses/9005e153ce0e306322020a2da3e815355d9b0b1fuccess", "CI test found: pr: 4517, context: ci/circleci: build-publish-chainlinkuccess, url: https://api.github.com/repos/smartcontractkit/chainlink/statuses/50e9034438ac601aee05ced2e9d259974ab60c9auccess", "CI test found: pr: 4516, context: ci/circleci: build-publish-chainlinkuccess, url: https://api.github.com/repos/smartcontractkit/chainlink/statuses/aeb16399a977d194427daded51e8d2f11f9bb15auccess", "CI test found: pr: 4515, context: 
ci/circleci: build-publish-chainlinkuccess, url: https://api.github.com/repos/smartcontractkit/chainlink/statuses/be5287467f5276f14ac7a307ad256cf8a4b3efdeuccess", "CI test found: pr: 4512, context: ci/circleci: build-publish-chainlinkuccess, url: https://api.github.com/repos/smartcontractkit/chainlink/statuses/785693a5223626f5e0b1e589cfbddd4c5cb2dcc1uccess", "CI test found: pr: 4511, context: ci/circleci: build-publish-chainlinkuccess, url: https://api.github.com/repos/smartcontractkit/chainlink/statuses/9b6dc2e7df56614c99220c196f2f3bba8a3e698cuccess", "CI test found: pr: 4510, context: ci/circleci: build-publish-chainlinkuccess, url: https://api.github.com/repos/smartcontractkit/chainlink/statuses/47d1cb0575928ff2a3cb227a94ce8795428a744buccess", "CI test found: pr: 4509, context: ci/circleci: build-publish-chainlinkuccess, url: https://api.github.com/repos/smartcontractkit/chainlink/statuses/abcaa46fb1489c04b302b3cc8f977022fd19551auccess", "CI test found: pr: 4508, context: ci/circleci: build-publish-chainlinkuccess, url: https://api.github.com/repos/smartcontractkit/chainlink/statuses/21b8b946d0672e807c38892b8f42af1b69e265e2uccess", "CI test found: pr: 4507, context: ci/circleci: build-publish-chainlinkuccess, url: https://api.github.com/repos/smartcontractkit/chainlink/statuses/cacf21aaae406737877b4f4263910d1348d5ca37uccess", "CI test found: pr: 4506, context: ci/circleci: build-publish-chainlinkuccess, url: https://api.github.com/repos/smartcontractkit/chainlink/statuses/dd59922980a413a7a57d885536f5ad939cee1e90uccess", "CI test found: pr: 4504, context: ci/circleci: build-publish-chainlinkuccess, url: https://api.github.com/repos/smartcontractkit/chainlink/statuses/1135a0363e66a99544f5ae49d53c3ec64213a350uccess", "CI test found: pr: 4503, context: ci/circleci: build-publish-chainlinkuccess, url: https://api.github.com/repos/smartcontractkit/chainlink/statuses/a911fc128c3b1041d99a3be5621c325850717514uccess", "CI test found: pr: 4500, context: ci/circleci: 
build-publish-chainlinkuccess, url: https://api.github.com/repos/smartcontractkit/chainlink/statuses/7cc0ade435ae5942a6f2f8400ab71145bccacb9auccess", "CI test found: pr: 4499, context: ci/circleci: build-publish-chainlinkuccess, url: https://api.github.com/repos/smartcontractkit/chainlink/statuses/ba18d3dfbf4f28cbb728562548e02d26a0d6d68euccess", "CI test found: pr: 4498, context: ci/circleci: build-publish-chainlinkuccess, url: https://api.github.com/repos/smartcontractkit/chainlink/statuses/e3e43b70ea34877bd2430fb2ff277b540dbd6f2auccess", "CI test found: pr: 4497, context: ci/circleci: build-publish-chainlinkuccess, url: https://api.github.com/repos/smartcontractkit/chainlink/statuses/2b5eab152c08e7693c2af250dbce2d40a1b1ba30uccess", "found CI tests for 21 of 21 merged PRs" ], "Confidence": 10, "Pass": true }, { "Name": "CII-Best-Practices", "Details": [ "no badge found" ], "Confidence": 10, "Pass": false }, { "Name": "Code-Review", "Details": [ "found review approved pr: 4529", "found review approved pr: 4524", "found review approved pr: 4522", "found review approved pr: 4520", "found review approved pr: 4519", "found review approved pr: 4517", "found review approved pr: 4516", "found review approved pr: 4515", "found review approved pr: 4512", "found review approved pr: 4511", "found review approved pr: 4510", "found review approved pr: 4509", "found review approved pr: 4508", "found review approved pr: 4507", "found review approved pr: 4506", "found review approved pr: 4504", "found review approved pr: 4503", "found review approved pr: 4500", "found review approved pr: 4499", "found review approved pr: 4498", "found review approved pr: 4497", "github code reviews found" ], "Confidence": 10, "Pass": true }, { "Name": "Contributors", "Details": [ "companies found: Context-Travel,smartcontractkit,chainlink labs,recursecenter,learnscalability,NixOS,linkpoolio @smartcontractkit,smartcontract.com,MindLeaps,fremantle industries,news-hound,redal-eu" ], "Confidence": 10, 
"Pass": true }, { "Name": "Frozen-Deps", "Details": [ "go modules found: go.mod", "!! frozen-deps/github-actions - .github/workflows/build-publish-chainlink.yml has non-pinned dependency 'actions/checkout@v2' (job 'Build chainlink image')", "!! frozen-deps/github-actions - .github/workflows/build-publish-chainlink.yml has non-pinned dependency 'aws-actions/configure-aws-credentials@v1' (job 'Build chainlink image')", "!! frozen-deps/github-actions - .github/workflows/build-publish-chainlink.yml has non-pinned dependency 'aws-actions/amazon-ecr-login@v1' (job 'Build chainlink image')", "!! frozen-deps/github-actions - .github/workflows/build-publish-chainlink.yml has non-pinned dependency 'docker/build-push-action@v1' (job 'Build chainlink image')", "!! frozen-deps/github-actions - .github/workflows/cleanup-selfhosted-gha.yml has non-pinned dependency 'smartcontractkit/gha-cleanup@v0.0.1' (job 'Cleanup')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/checkout@v2' (job 'Solidity v0.6 tests')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/cache@v2' (job 'Solidity v0.6 tests')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/checkout@v2' (job 'Operator UI')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/cache@v2' (job 'Operator UI')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/checkout@v2' (job 'Yarn lint')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/cache@v2' (job 'Yarn lint')", "!! 
frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/checkout@v2' (job 'Prettier formatting check')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/cache@v2' (job 'Prettier formatting check')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/checkout@v2' (job 'Prepublish NPM')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/cache@v2' (job 'Prepublish NPM')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/checkout@v2' (job 'Build chainlink image')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'aws-actions/configure-aws-credentials@v1' (job 'Build chainlink image')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'aws-actions/amazon-ecr-login@v1' (job 'Build chainlink image')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'docker/login-action@v1' (job 'Build chainlink image')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'docker/build-push-action@v1' (job 'Build chainlink image')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/checkout@v2' (job 'Solidity Linting')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/cache@v2' (job 'Solidity Linting')", "!! 
frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/checkout@v2' (job 'Integration tests running ./compose ${{ matrix.test }} against ${{ matrix.node }}')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'docker/login-action@v1' (job 'Integration tests running ./compose ${{ matrix.test }} against ${{ matrix.node }}')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/upload-artifact@v1' (job 'Integration tests running ./compose ${{ matrix.test }} against ${{ matrix.node }}')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/checkout@v2' (job 'Solidity v0.8 tests')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/cache@v2' (job 'Solidity v0.8 tests')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/checkout@v2' (job 'Solidity')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/cache@v2' (job 'Solidity')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/checkout@v2' (job 'Solidity old versions')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/cache@v2' (job 'Solidity old versions')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/checkout@v2' (job 'Core Tests')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'docker://postgres' (job 'Core Tests')", "!! 
frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/cache@v2' (job 'Core Tests')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/cache@v2' (job 'Core Tests')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'actions/upload-artifact@v1' (job 'Core Tests')", "!! frozen-deps/github-actions - .github/workflows/continuous-integration-workflow.yml has non-pinned dependency 'docker://docker:latest' (job 'Core Tests')", "!! frozen-deps/github-actions - .github/workflows/dependency-check.yml has non-pinned dependency 'actions/checkout@v2' (job 'Go')", "!! frozen-deps/github-actions - .github/workflows/dependency-check.yml has non-pinned dependency 'actions/setup-go@v2' (job 'Go')", "!! frozen-deps/github-actions - .github/workflows/static.yml has non-pinned dependency 'actions/checkout@v2' (job 'vet')", "!! frozen-deps/github-actions - .github/workflows/static.yml has non-pinned dependency 'actions/setup-go@v2' (job 'vet')", "!! frozen-deps/github-actions - .github/workflows/static.yml has non-pinned dependency 'actions/checkout@v2' (job 'shadow')", "!! frozen-deps/github-actions - .github/workflows/static.yml has non-pinned dependency 'actions/setup-go@v2' (job 'shadow')", "!! frozen-deps/github-actions - .github/workflows/static.yml has non-pinned dependency 'actions/checkout@v2' (job 'staticheck')", "!! frozen-deps/github-actions - .github/workflows/static.yml has non-pinned dependency 'actions/setup-go@v2' (job 'staticheck')", "!! frozen-deps/github-actions - .github/workflows/static.yml has non-pinned dependency 'actions/checkout@v2' (job 'sec')", "!! frozen-deps/github-actions - .github/workflows/static.yml has non-pinned dependency 'actions/setup-go@v2' (job 'sec')", "!! 
frozen-deps/github-actions - .github/workflows/static.yml has non-pinned dependency 'actions/checkout@v2' (job 'lint')", "!! frozen-deps/github-actions - .github/workflows/static.yml has non-pinned dependency 'actions/setup-go@v2' (job 'lint')", "!! frozen-deps/github-actions - .github/workflows/static.yml has non-pinned dependency 'actions/checkout@v2' (job 'imports')", "!! frozen-deps/github-actions - .github/workflows/static.yml has non-pinned dependency 'actions/setup-go@v2' (job 'imports')", "!! frozen-deps/github-actions - .github/workflows/static.yml has non-pinned dependency 'actions/checkout@v2' (job 'errcheck')", "!! frozen-deps/github-actions - .github/workflows/static.yml has non-pinned dependency 'actions/setup-go@v2' (job 'errcheck')", "!! frozen-deps/github-actions - .github/workflows/static.yml has non-pinned dependency 'actions/checkout@v2' (job 'exportloopref')", "!! frozen-deps/github-actions - .github/workflows/static.yml has non-pinned dependency 'actions/setup-go@v2' (job 'exportloopref')", "!! frozen-deps/github-actions - .github/workflows/static.yml has non-pinned dependency 'actions/checkout@v2' (job 'exhaustive')", "!! frozen-deps/github-actions - .github/workflows/static.yml has non-pinned dependency 'actions/setup-go@v2' (job 'exhaustive')", "!! frozen-deps/github-actions - .github/workflows/sync-develop-from-smartcontractkit-chainlink.yml has non-pinned dependency 'actions/checkout@v2' (job 'Sync')", "!! frozen-deps/docker - core/chainlink.Dockerfile has non-pinned dependency '${BUILDER}:1.0.39'", "!! frozen-deps/docker - core/chainlink.Dockerfile has non-pinned dependency '${BUILDER}:1.0.39'", "!! frozen-deps/docker - core/chainlink.Dockerfile has non-pinned dependency 'ubuntu:18.04'", "!! frozen-deps/docker - integration/forks/geth/Dockerfile has non-pinned dependency 'ethereum/client-go'", "!! frozen-deps/docker - tools/cypress-job-server/Dockerfile has non-pinned dependency 'node:12.18.4-alpine'", "!! 
frozen-deps/docker - tools/docker/cldev.Dockerfile has non-pinned dependency 'smartcontract/builder:1.0.39'", "!! frozen-deps/docker - tools/docker/develop.Dockerfile has non-pinned dependency 'smartcontract/builder:1.0.39'", "!! frozen-deps/docker - tools/docker/integration.Dockerfile has non-pinned dependency 'smartcontract/builder:1.0.39'", "!! frozen-deps/docker - tools/docker/operatorui.Dockerfile has non-pinned dependency 'smartcontract/builder:1.0.39'", "!! frozen-deps/docker - tools/docker/ts-integration.Dockerfile has non-pinned dependency 'node:12.18'", "!! frozen-deps/docker - tools/docker/wait-postgres.Dockerfile has non-pinned dependency 'ubuntu:18.04'", "!! frozen-deps/docker - tools/echo-server/Dockerfile has non-pinned dependency 'node:12.18-alpine'", "!! frozen-deps/docker - tools/external-adapter/Dockerfile has non-pinned dependency 'node:12.18.4-alpine'", "!! frozen-deps/docker - tools/gethnet/Dockerfile has non-pinned dependency 'ethereum/client-go:v1.9.16'" ], "Confidence": 10, "Pass": false }, { "Name": "Fuzzing", "Details": null, "Confidence": 10, "Pass": false }, { "Name": "Packaging", "Details": [ "found docker publishing workflow: .github/workflows/build-publish-chainlink.yml", "found a completed run: https://github.com/smartcontractkit/chainlink/actions/runs/872047552" ], "Confidence": 10, "Pass": true }, { "Name": "Pull-Requests", "Details": [ "found commit with PR: d217e94bd8a133f920bc2fcadb838f02bb68fb23", "found commit with PR: 58f5351ffef823215a93b68ab16c674af6ecfa4c", "found commit with PR: 598a20d43ab0c5fec56fe22ad7ba908d16bb150d", "found commit with PR: 82be32f16c18cc0abd478335da11ff85d71b3f12", "found commit with PR: 7c85b58d6198b51864ace1c1f803f0de961667df", "found commit with PR: 77b89c83bb6e12c59b90804ef51ca8a7ff89d8ce", "found commit with PR: 879f02ad89f754beef77d0779fa056cec45cab99", "found commit with PR: aeb16399a977d194427daded51e8d2f11f9bb15a", "found commit with PR: 8866001f5ef3401b8add4cfecda237a692b17d64", "found 
commit with PR: 99a12062522eb786efc7f3b7d80ff563c8a68243", "found commit with PR: 9302e2cdaf30bfb52cdf65d318d9b0c643608f00", "found commit with PR: f01f4b9076cf0d694b1832b39d10aff010f45933", "found commit with PR: dbb854abcc27d424e6cd3502b6b8dc73c5e7c6e0", "found commit with PR: 77464467d905db892fd2ffb0b9610514dac1ef3e", "found commit with PR: 06be6fd8bd6a0a473a96b65ff9c5dee1869659a0", "found commit with PR: 6d48a1d75247c0b64a21bf446b0fe4f720e5fa51", "found commit with PR: 13461057076f1058adb1f7eb0affb25a6526ba41", "found commit with PR: 77bf910a812cef75941b14cf2b981be4cb5d7b40", "found commit with PR: b40d7a3771b427b00938673ecc32713ed928c3af", "found commit with PR: 77811986a82fd9b2818703ca95dd358618d79788", "found commit with PR: 0ef85948110e7c56250a36c6c11143a790cbfccb", "found commit with PR: 97d228706344e1bf7963e2f5c0b94ef13b81d0ee", "found commit with PR: 12a58c581210b0ad658dce3c281ec5b8c3ad29da", "found commit with PR: ee04730fde1157f61565a241c8945052797f64b8", "found commit with PR: fb5bccd45f8cb07ff9960c0863930299e6b6ebc2", "found commit with PR: d4fbbdd50be69d008a56a189162d0cfa7ff8fdbb", "found commit with PR: 50e9034438ac601aee05ced2e9d259974ab60c9a", "found commit with PR: 19844b650fe799cc5ca3489e10979b2723cc9e0c", "found commit with PR: 46f55ee8661cd5d503aa91b0aec7eaa473ab2f17", "found commit with PR: 261e114ca894e122f88b22c37f2cf0e0ca0b45d4", "found PRs for 30 out of 30 commits" ], "Confidence": 10, "Pass": true }, { "Name": "SAST", "Details": [ "found CodeQL definition: .github/workflows/codeql-analysis.yml" ], "Confidence": 10, "Pass": true }, { "Name": "Security-Policy", "Details": [ "error, retrying: GET https://api.github.com/repos/smartcontractkit/.github: 404 Not Found []" ], "Confidence": 0, "Pass": false }, { "Name": "Signed-Releases", "Details": [ "no releases found" ], "Confidence": 0, "Pass": false }, { "Name": "Signed-Tags", "Details": [ "!! unable to find the annotated commit: 1f76904abc1016d1d1c3946676a3fa125e33e550", "!! 
unable to find the annotated commit: 0fee9cbc43903a1555ad81185a5befc9954651f7", "!! unable to find the annotated commit: 3c16b7bffbea944ec3f0b3222c97fc834b12c37e", "!! unable to find the annotated commit: 6604a647da8af2e0daafb652af13a420b7128f9c", "!! unverified tag found: vtest-2020-03-03, commit: f89ab16b40d05dbd80da9e220162acb3aae4a68c, reason: unsigned", "found 0 out of 5 verified tags" ], "Confidence": 10, "Pass": false }, { "Name": "Token-Permissions", "Details": [ "!! token-permissions/github-token - no permission defined in .github/workflows/build-publish-chainlink.yml", "!! token-permissions/github-token - no permission defined in .github/workflows/changelog.yml", "!! token-permissions/github-token - no permission defined in .github/workflows/cleanup-selfhosted-gha.yml", "!! token-permissions/github-token - no permission defined in .github/workflows/codeql-analysis.yml", "!! token-permissions/github-token - no permission defined in .github/workflows/continuous-integration-workflow.yml", "!! token-permissions/github-token - no permission defined in .github/workflows/dependency-check.yml", "!! token-permissions/github-token - no permission defined in .github/workflows/static.yml", "!! token-permissions/github-token - no permission defined in .github/workflows/sync-develop-from-smartcontractkit-chainlink.yml" ], "Confidence": 10, "Pass": false } ], "Metadata": null }
```
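As an added illustration of the two checks the report above fails for this repository (Frozen-Deps for GitHub Actions and Token-Permissions), here is a small Go auditor that flags `uses:` references not pinned to a full commit SHA or image digest and workflows that declare no `permissions:` key. This is example code written for this page, not scorecard's or chainlink's own implementation; the workflow excerpt is constructed, the 40-hex SHA in it is a placeholder, and the scan is line-based rather than a real YAML parse.

```go
package main

import (
	"regexp"
	"strings"
)

// Constructed workflow excerpt modelled on the report's Frozen-Deps and Token-Permissions
// findings: tag-pinned actions, an unpinned image, no permissions key. The SHA is a placeholder.
const sampleWorkflow = `name: Build chainlink image
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: docker/build-push-action@v1
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: docker://postgres
`

// Finding is one violation, in the spirit of a scorecard "Details" line.
// Line is 1-based; 0 marks a file-level finding.
type Finding struct {
	Line int
	Msg  string
}

var (
	usesRe  = regexp.MustCompile(`^\s*-?\s*uses:\s*([^\s#]+)`) // value of a uses: key, comment stripped
	shaRe   = regexp.MustCompile(`@[0-9a-f]{40}$`)            // pinned to a full commit SHA
	imageRe = regexp.MustCompile(`@sha256:[0-9a-f]{64}$`)     // pinned to an image digest
	permRe  = regexp.MustCompile(`^\s*permissions:`)          // GITHUB_TOKEN scope declared (any level)
)

// Audit scans a workflow line by line (deliberately not a full YAML parser) and
// returns every unpinned dependency plus one finding if no permissions key exists.
func Audit(workflow string) []Finding {
	var findings []Finding
	hasPermissions := false
	for i, line := range strings.Split(workflow, "\n") {
		if permRe.MatchString(line) {
			hasPermissions = true
		}
		m := usesRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		ref := m[1]
		switch {
		case strings.HasPrefix(ref, "docker://"):
			if !imageRe.MatchString(ref) {
				findings = append(findings, Finding{i + 1, "non-pinned container " + ref})
			}
		default:
			if !shaRe.MatchString(ref) {
				findings = append(findings, Finding{i + 1, "non-pinned dependency " + ref})
			}
		}
	}
	if !hasPermissions {
		findings = append(findings, Finding{0, "no GITHUB_TOKEN permissions defined"})
	}
	return findings
}
```

The remediation the findings point at is the one scorecard's Frozen-Deps check expects: replace each tag with the commit SHA it resolves to (keeping the tag as a trailing comment for readability) and add a top-level `permissions:` block so the workflow token is scoped to what each job needs.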

ZakAyesh commented 3 years ago

Thanks for suggesting this! Will open this feature request for votes.

PatrickAlphaC commented 2 years ago

Closing for now. Will keep the needs votes label if others want to partake.