spiffe / spire

The SPIFFE Runtime Environment
https://spiffe.io
Apache License 2.0

Enable OpenSSF Scorecard to enhance security practices across the project #5316

Closed harshitasao closed 2 days ago

harshitasao commented 1 month ago

Hi, I'm Harshita. I’m working with CNCF and the Google Open Source Security Team for the GSoC 2024 term. We are collaborating to enhance security practices across various CNCF projects. The goal is to improve security for all CNCF projects by both using OpenSSF Scorecards and implementing its security improvements.

The Open Source Security Foundation (OpenSSF) Scorecard is a tool designed to evaluate the security posture of open-source projects. This has the Scorecard GitHub Action, which automates the process by running security checks on the GitHub repository. By integrating this Action into the repository's workflow, developers can continuously monitor the project’s security posture. The Scorecard checks cover various security best practices and provide scores for multiple categories. Some checks include Code Reviews, Branch Protection, Signed Releases, etc.

The workflow runs on every change in the main branch. It publishes the Scorecard checks' results to the project's security dashboard and includes suggestions on how to solve any issues. This Action has already been adopted by 1800+ projects, with prominent users like Tensorflow, Angular, sos.dev, deps.dev, and many CNCF projects.

Once the Scorecard GitHub Action is set up and running, the results can be displayed as a badge in the repository's README file. This badge serves as a quick indicator of the project's security posture, helping users and contributors evaluate the project's security practices quickly.

Why is this needed:

The OpenSSF Scorecard improves open-source projects' security by providing automated, transparent assessments of their security practices. It will help you identify vulnerabilities, adhere to best practices, and continuously enhance your security posture, increasing user trust and reducing the risk of security exploits.

I'll be the one to create the PR to add the scorecard GitHub action, and I will also work with you to remediate the identified vulnerabilities. I'll go through each scorecard check to see where the score has dropped and how it can be improved.

Would you be interested in a PR which adds this Action?

/cc @joycebrum @diogoteles08 @pnacht @nate-double-u

amoore877 commented 1 month ago

Sounds like a potentially great gain; thanks for bringing this common benefit to SPIFFE.

amartinezfayo commented 1 month ago

Thank you @harshitasao for opening this issue and suggesting this addition, it looks promising!

Once the Scorecard GitHub Action is set up and running, the results can be displayed as a badge in the repository's README file. This badge serves as a quick indicator of the project's security posture, helping users and contributors evaluate the project's security practices quickly.

My understanding is that publishing results is an optional setting. I would like to learn more about how that works in case a code scanning alert is present, since the badge is updated on every run of scorecard-action and points to the latest result. My concern is that a badge showing security issues may be shown in our README if we don't have control of how this is exposed. Is there a way to control this from what we see in the GitHub Security tab?

v0lkan commented 1 month ago

it looks like SPIRE maintainers are working to triage this; since this issue is against the SPIRE repo this is something they should be evaluating.

I agree. It's up to the maintainers to evaluate.

The upside of automating tooling is: well, it shifts things left, and removes human intervention.

The liability of automating the tooling is: Sometimes human intervention is necessary.

For example, you might be using a fuzzing framework that the tool cannot reliably detect; or your CI may be running in a certain way such that it does not generate the coverage the tool expects, etc.

--

That said, I overall like the idea.

I tried it on a separate (sister) project ( http://github.com/vmware-tanzu/secrets-manager ) and I got useful output.

harshitasao commented 4 weeks ago

Sounds like a potentially great gain; thanks for bringing this common benefit to SPIFFE.

  • it looks like SPIRE maintainers are working to triage this; since this issue is against the SPIRE repo this is something they should be evaluating
  • is the proposal only to add this tool to SPIRE, or are the other repos under the SPIFFE org also valid targets?

The tool can be added to any repository where it will be beneficial. I created the issue for SPIRE as it is one of the main repositories, and having a scorecard tool for it will allow users and contributors to evaluate the project's security posture.

harshitasao commented 4 weeks ago

Thank you @harshitasao for opening this issue and suggesting this addition, it looks promising!

Once the Scorecard GitHub Action is set up and running, the results can be displayed as a badge in the repository's README file. This badge serves as a quick indicator of the project's security posture, helping users and contributors evaluate the project's security practices quickly.

My understanding is that publishing results is an optional setting. I would like to learn more about how that works in case a code scanning alert is present, since the badge is updated on every run of scorecard-action and points to the latest result. My concern is that a badge showing security issues may be shown in our README if we don't have control of how this is exposed. Is there a way to control this from what we see in the GitHub Security tab?

Yes, adding a scorecard badge is optional; however, adding the badge serves as a quick indicator of the project's security posture. We don't have control over how the badge is exposed. The only way is to fix each check that is showing an error. Currently, the score is 7.1 for this project. As my next step, I will create a separate scorecard score improvement issue (like this) and fix each check where the score is dropping.
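For reference, this is what the workflow described in the opening comment looks like, with the optional publishing setting that the badge question above turns on. It is an added illustration, not the PR's workflow or anything from the SPIRE repository; the action version tags and the cron schedule are assumptions.

```yaml
# Example GitHub Actions workflow for the OpenSSF Scorecard Action.
# Added as an illustration; not the workflow from this issue's PR and not
# part of the SPIRE repository. Version tags are assumptions: pin them to
# commit SHAs in a real repository (Scorecard's Pinned-Dependencies check
# expects that).
name: Scorecard supply-chain security

on:
  # Run on every change to the default branch, as described in the issue.
  push:
    branches: [main]
  # A periodic run keeps the Maintained check current; the cron value is a
  # constructed example.
  schedule:
    - cron: '30 1 * * 6'

# Least privilege at the workflow level; the job elevates only what it needs.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload SARIF results to the repository's Security tab.
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4   # assumption: pin to a SHA in production
        with:
          persist-credentials: false

      - name: Run Scorecard
        uses: ossf/scorecard-action@v2.3.1   # assumption: pin to a SHA
        with:
          results_file: results.sarif
          results_format: sarif
          # false keeps results private to the repo's code scanning dashboard.
          # The public README badge only works when this is true (which also
          # requires `id-token: write` above); that is the trade-off raised
          # in this thread.
          publish_results: false

      - name: Upload results to code scanning
        uses: github/codeql-action/upload-sarif@v3   # assumption: pin to a SHA
        with:
          sarif_file: results.sarif
```

With `publish_results: false`, findings still appear as code scanning alerts visible only to people with access to the Security tab, while no badge or public score is produced.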

amartinezfayo commented 2 days ago

We don't have control over how the badge is exposed. The only way is to fix each check that is showing an error.

@harshitasao Unfortunately, having the badge exposing that the project has an open vulnerability is not something that we would be comfortable with. As a general rule, we avoid disclosing information about security issues until they are patched. Thank you for opening this issue. I'm closing this.