theupdateframework / python-tuf

Python reference implementation of The Update Framework (TUF)
https://theupdateframework.com/
Apache License 2.0
1.62k stars 269 forks

review token permissions (based on openssf scorecard recommendations) #2116

Closed jku closed 1 year ago

jku commented 1 year ago

https://deps.dev/project/github/theupdateframework%2Fpython-tuf

We're getting 0/10 on the openssf scorecard for Token-Permissions. I think some of those may be flaws in the scorecard tool (output even mentions "known issues") but I think this warrants a closer read and possibly filing issues for fixing the problems.

jku commented 1 year ago

well, deps.dev doesn't list the scorecard for python-tuf anymore :(

We'll need to either set up the workflow on the project or have someone run scorecard on their own machine and paste the details here

jku commented 1 year ago

Btw, this search on http://console.cloud.google.com/bigquery using project "openssf" gives the most recent results:

```sql
SELECT * FROM `openssf.scorecardcron.scorecard-v2_latest` WHERE repo.name="github.com/theupdateframework/python-tuf"
```

jku commented 1 year ago

> well, deps.dev doesn't list the scorecard for python-tuf anymore :(

And now it does again 🤷‍♂️

Enabling scorecard as an action still makes sense I think
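For triaging the Token-Permissions result discussed in this issue locally, here is an added example (not python-tuf's own code, and not the Scorecard implementation) that approximates the check: it takes the mapping `yaml.safe_load` returns for a workflow file and reports a missing or write-granting top-level `permissions` block, plus any job-level write grants for review. The sample workflows in the block are constructed for the example.

```python
"""Flag GitHub Actions workflows whose GITHUB_TOKEN scope is wider than needed.
Input is the mapping yaml.safe_load returns for a workflow file."""
from typing import Any


def _write_scopes(perms: Any) -> list[str]:
    """Scopes a `permissions` value grants write access to ('*' means all)."""
    if isinstance(perms, str):
        return ["*"] if perms == "write-all" else []  # "read-all" grants no writes
    if isinstance(perms, dict):  # an empty mapping {} grants no scopes at all
        return sorted(s for s, level in perms.items() if level == "write")
    return []


def audit_workflow(doc: dict, name: str = "workflow") -> list[str]:
    """Return findings; an empty list means the token scope is read-only."""
    findings = []
    if "permissions" not in doc:
        # No top-level block: the repository default applies, which can be
        # read/write for every scope on older repositories.
        findings.append(f"{name}: no top-level permissions block")
    elif scopes := _write_scopes(doc["permissions"]):
        findings.append(f"{name}: top-level write access to {', '.join(scopes)}")
    # Job-level write grants are the least-privilege pattern, but each one
    # still deserves a reviewer's eye, so they are reported too.
    for job_name, job in (doc.get("jobs") or {}).items():
        if isinstance(job, dict) and (scopes := _write_scopes(job.get("permissions"))):
            findings.append(f"{name}/{job_name}: job-level write access to {', '.join(scopes)}")
    return findings


# Constructed samples: the first has no scoping at all, the second is read-only
# at the top level and elevates only the job that needs an OIDC token.
UNSCOPED = {"name": "ci", "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": []}}}
SCOPED = {
    "name": "ci",
    "permissions": {"contents": "read"},
    "jobs": {
        "test": {"runs-on": "ubuntu-latest", "steps": []},
        "publish": {"runs-on": "ubuntu-latest", "steps": [],
                    "permissions": {"contents": "read", "id-token": "write"}},
    },
}

if __name__ == "__main__":
    for label, doc in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        print(label, audit_workflow(doc, label) or ["read-only: ok"])
```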