westes / flex

The Fast Lexical Analyzer - scanner generator for lexing in C and C++

Add Scorecard Action to monitor project's security posture #589

Closed pnacht closed 9 months ago

pnacht commented 12 months ago

Hey, it's Pedro and I'm back (see #563 and #582) with another security suggestion:

I detected the issues fixed by those PRs by using Scorecard. It's a tool that scans a repository looking for settings that may make the project more vulnerable to supply-chain threats.

It is also available as the Scorecard Action, which continuously monitors the repository and adds security suggestions directly to the project's Security Panel. In doing so, it can let you know if something accidentally lowers the project's security posture.

I'll send a PR along with this issue adding the Action.

Spoiler alert: flex's current score of 7.2/10 places it in the top 5% of projects important to the open-source ecosystem!

Mightyjo commented 12 months ago

What's the code scanning part of the Security Panel look like? I see that the action is running on the Scorecard repo itself, but I get a 404 on its code-scanning page.

Edit: Nevermind, I see it's a page controlled by user/repo permissions.

pnacht commented 11 months ago

Yeah, that page is only visible to maintainers. But here's an example of what it'll look like with Scorecard's results:

[Screenshot 2023-09-19: Scorecard results listed in the Security Panel's code scanning tab]

Each of those items leads to a page that explains why each thing is important and how to remediate the issue. Here's an example:

[Screenshot 2023-09-09: the detail page for one Scorecard alert, with its rationale and remediation steps]

You can dismiss any alerts you believe don't apply or aren't reasonable/feasible for your project, and those alerts won't be raised again.