setup OSSF Scorecard workflow #1432
Conversation
|
Hey 👋 -- thanks for the contribution. Could you provide details about the OSSF scorecard and why we want to maintain it? Please assume I have no knowledge about what it is 😬 |
|
Ossf is open source security foundation. The workflow is here to create a report that will help maintainers reduce security risk on their project with advices. See the badge I added in the description. |
|
I was taking a look at the report provided by the badge, I'm not sure I understood why we got 0 with Token-Permissions. I don't guarantee that all permissions were configured following the least-privilege principle, but I'm pretty sure most of them are needed. Do we need to configure exceptions somewhere? |
|
This PR is also making changes to Dockerfile, which doesn't seem related to the OSSF scorecard, could we split it into a separate PR? It could make the merge process faster, at least for the Dockerfile changes |
|
It is related as ossf ask for dependencies to use pinned version for docker as for github-actions. I’m fine seing this in a following pr |
Yeah, I imagine that would be the reason :P I just meant that the changes for the Dockerfile we could merge without problems already, so opening a separate PR would unblock this For the OSSF scorecard, I'm still struggling to understand why we got a 0 score for github actions that need those permissions to run. I couldn't find ways to add exceptions for those checks 🤔 |
mmorel-35
force-pushed
the
ossf
branch
3 times, most recently
from
8f690be
to
4de8a80
Compare
@mmorel-35 Are there any quick wins that we could fix before putting this to the README? |
|
Maybe change permissions on the workflows? |
mmorel-35
requested review from
ArthurSens,
bwplotka,
kakkoyun and
vesari
as code owners
Signed-off-by: Matthieu MOREL <[email protected]>
Also pin github-actions versions
Signed-off-by: Matthieu MOREL [email protected]