Add OSSF Scorecard #1104
- Add GitHub Actions workflow to compute OSSF Scorecard.
- Add CodeQL.
- Pin GitHub Actions workflow versions.
- Add explicit permissions to GitHub Actions workflows.
- Add security policy.
Codecov Report

All modified and coverable lines are covered by tests ✅

Additional details and impacted files:

```
@@            Coverage Diff             @@
##             main    #1104      +/-   ##
==========================================
- Coverage   77.69%   77.67%   -0.02%
==========================================
  Files         199      199
  Lines        4748     4744       -4
  Branches      846      846
==========================================
- Hits         3689     3685       -4
  Misses        854      854
  Partials      205      205
```

Flags with carried forward coverage won't be shown. ☔ View full report in Codecov by Sentry.
`branch_protection_rule` needs a GitHub PAT.
Initial scorecard scan from

The current score is 6.7.

Scorecard

```json
{
  "date": "2023-04-12T10:51:51Z",
  "repo": {
    "name": "github.com/App-vNext/Polly",
    "commit": "2b1116bca1daed62d4fc093676e9f3b0190015c9"
  },
  "scorecard": {
    "version": "v4.10.5",
    "commit": "27cfe92ed356fdb5a398c919ad480817ea907808"
  },
  "score": 6.7,
  "checks": [
    {
      "name": "Binary-Artifacts",
      "score": 10,
      "reason": "no binaries found in the repo",
      "details": null,
      "documentation": {
        "short": "Determines if the project has generated executable (binary) artifacts in the source repository.",
        "url": "https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#binary-artifacts"
      }
    },
    {
      "name": "Branch-Protection",
      "score": -1,
      "reason": "internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration",
      "details": null,
      "documentation": {
        "short": "Determines if the default and release branches are protected with GitHub's branch protection settings.",
        "url": "https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#branch-protection"
      }
    },
    {
      "name": "CI-Tests",
      "score": 10,
      "reason": "27 out of 27 merged PRs checked by a CI test -- score normalized to 10",
      "details": null,
      "documentation": {
        "short": "Determines if the project runs tests before pull requests are merged.",
        "url": "https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#ci-tests"
      }
    },
    {
      "name": "CII-Best-Practices",
      "score": 5,
      "reason": "badge detected: passing",
      "details": null,
      "documentation": {
        "short": "Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.",
        "url": "https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#cii-best-practices"
      }
    },
    {
      "name": "Code-Review",
      "score": 0,
      "reason": "found 2 unreviewed human changesets",
      "details": null,
      "documentation": {
        "short": "Determines if the project requires code review before pull requests (aka merge requests) are merged.",
        "url": "https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#code-review"
      }
    },
    {
      "name": "Contributors",
      "score": 10,
      "reason": "21 different organizations found -- score normalized to 10",
      "details": [
        "Info: contributors work for App-vNext,FluentDateTime,Fody,LearningLine,NServiceBusExtensions,OrleansContrib,Polly-Contrib,VerifyTests,abl - the problem solver,app-vnext,aspnet-contrib,dotnet-foundation,justeat,justeattakeaway,microsoft,msmvps,ngenerics,pmcau,shouldly,youscan,youscan.io"
      ],
      "documentation": {
        "short": "Determines if the project has a set of contributors from multiple organizations (e.g., companies).",
        "url": "https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#contributors"
      }
    },
    {
      "name": "Dangerous-Workflow",
      "score": 10,
      "reason": "no dangerous workflow patterns detected",
      "details": null,
      "documentation": {
        "short": "Determines if the project's GitHub Action workflows avoid dangerous patterns.",
        "url": "https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#dangerous-workflow"
      }
    },
    {
      "name": "Dependency-Update-Tool",
      "score": 10,
      "reason": "update tool detected",
      "details": [
        "Info: Dependabot detected: .github/dependabot.yml:1"
      ],
      "documentation": {
        "short": "Determines if the project uses a dependency update tool.",
        "url": "https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#dependency-update-tool"
      }
    },
    {
      "name": "Fuzzing",
      "score": 0,
      "reason": "project is not fuzzed",
      "details": null,
      "documentation": {
        "short": "Determines if the project uses fuzzing.",
        "url": "https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#fuzzing"
      }
    },
    {
      "name": "License",
      "score": 10,
      "reason": "license file detected",
      "details": [
        "Info: License file found in expected location: LICENSE:1",
        "Info: FSF or OSI recognized license: LICENSE:1"
      ],
      "documentation": {
        "short": "Determines if the project has defined a license.",
        "url": "https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#license"
      }
    },
    {
      "name": "Maintained",
      "score": 10,
      "reason": "30 commit(s) out of 30 and 7 issue activity out of 30 found in the last 90 days -- score normalized to 10",
      "details": null,
      "documentation": {
        "short": "Determines if the project is \"actively maintained\".",
        "url": "https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#maintained"
      }
    },
    {
      "name": "Packaging",
      "score": -1,
      "reason": "no published package detected",
      "details": [
        "Warn: no GitHub publishing workflow detected"
      ],
      "documentation": {
        "short": "Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.",
        "url": "https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#packaging"
      }
    },
    {
      "name": "Pinned-Dependencies",
      "score": 10,
      "reason": "all dependencies are pinned",
      "details": [
        "Info: GitHub-owned GitHubActions are pinned",
        "Info: Third-party GitHubActions are pinned",
        "Info: Dockerfile dependencies are pinned",
        "Info: no insecure (not pinned by hash) dependency downloads found in Dockerfiles",
        "Info: no insecure (not pinned by hash) dependency downloads found in shell scripts"
      ],
      "documentation": {
        "short": "Determines if the project has declared and pinned the dependencies of its build process.",
        "url": "https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#pinned-dependencies"
      }
    },
    {
      "name": "SAST",
      "score": -1,
      "reason": "internal error: Client.Search.Code: Search.Code: GET https://api.github.com/search/code?q=github+codeql-action+analyze+repo%3AApp-vNext%2FPolly+path%3A%2F.github%2Fworkflows: 403 You have exceeded a secondary rate limit. Please wait a few minutes before you try again. []",
      "details": [
        "Warn: 1 commits out of 30 are checked with a SAST tool"
      ],
      "documentation": {
        "short": "Determines if the project uses static code analysis.",
        "url": "https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#sast"
      }
    },
    {
      "name": "Security-Policy",
      "score": 10,
      "reason": "security policy file detected",
      "details": [
        "Info: Found linked content in security policy: SECURITY.md",
        "Info: Found text in security policy: SECURITY.md",
        "Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md",
        "Info: security policy detected in current repo: SECURITY.md"
      ],
      "documentation": {
        "short": "Determines if the project has published a security policy.",
        "url": "https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#security-policy"
      }
    },
    {
      "name": "Signed-Releases",
      "score": 0,
      "reason": "0 out of 5 artifacts are signed or have provenance",
      "details": [
        "Warn: release artifact 7.2.3+24 does not have provenance: https://api.github.com/repos/App-vNext/Polly/releases/57297713",
        "Warn: release artifact 7.2.3+24 not signed: https://api.github.com/repos/App-vNext/Polly/releases/57297713",
        "Warn: release artifact 7.2.2+9 does not have provenance: https://api.github.com/repos/App-vNext/Polly/releases/41244497",
        "Warn: release artifact 7.2.2+9 not signed: https://api.github.com/repos/App-vNext/Polly/releases/41244497",
        "Warn: release artifact 7.2.1+7 does not have provenance: https://api.github.com/repos/App-vNext/Polly/releases/26104659",
        "Warn: release artifact 7.2.1+7 not signed: https://api.github.com/repos/App-vNext/Polly/releases/26104659",
        "Warn: release artifact 7.2.0+37 does not have provenance: https://api.github.com/repos/App-vNext/Polly/releases/21813130",
        "Warn: release artifact 7.2.0+37 not signed: https://api.github.com/repos/App-vNext/Polly/releases/21813130",
        "Warn: release artifact 7.1.0+21 does not have provenance: https://api.github.com/repos/App-vNext/Polly/releases/16101775",
        "Warn: release artifact 7.1.0+21 not signed: https://api.github.com/repos/App-vNext/Polly/releases/16101775"
      ],
      "documentation": {
        "short": "Determines if the project cryptographically signs release artifacts.",
        "url": "https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#signed-releases"
      }
    },
    {
      "name": "Token-Permissions",
      "score": 0,
      "reason": "non read-only tokens detected in GitHub workflows",
      "details": [
        "Info: High severity: topLevel 'contents' permission set to 'read': .github/workflows/build.yml:11",
        "Info: High severity: topLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:13",
        "Info: High severity: topLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:14",
        "Warn: High severity: topLevel 'security-events' permission set to 'write': .github/workflows/codeql-analysis.yml:15: Visit https://app.stepsecurity.io/secureworkflow/App-vNext/Polly/codeql-analysis.yml/main?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)",
        "Info: High severity: topLevel permissions set to 'read-all': .github/workflows/ossf-scorecard.yml:10",
        "Warn: High severity: topLevel 'contents' permission set to 'write': .github/workflows/update-dotnet-sdk.yml:9: Visit https://app.stepsecurity.io/secureworkflow/App-vNext/Polly/update-dotnet-sdk.yml/main?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)",
        "Info: Medium severity: no jobLevel write permissions found"
      ],
      "documentation": {
        "short": "Determines if the project's workflows follow the principle of least privilege.",
        "url": "https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#token-permissions"
      }
    },
    {
      "name": "Vulnerabilities",
      "score": 10,
      "reason": "no vulnerabilities detected",
      "details": null,
      "documentation": {
        "short": "Determines if the project has open, known unfixed vulnerabilities.",
        "url": "https://github.com/ossf/scorecard/blob/27cfe92ed356fdb5a398c919ad480817ea907808/docs/checks.md#vulnerabilities"
      }
    }
  ]
}
```
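The scan above is the raw Scorecard JSON; to act on it in CI you need to separate checks that genuinely scored low (Token-Permissions, Signed-Releases) from checks that could not run at all (Branch-Protection without a PAT, SAST behind a rate limit), which Scorecard reports as `-1` rather than `0`. The following is an added example, not code from the Polly project or from the Scorecard project; it reads the `score`/`checks`/`details` layout shown above from a constructed, trimmed sample and returns a gate decision plus the `Warn:` detail lines that explain each failing check. The `evaluate`, `load_checks` and `warnings_for` function names and the threshold value are this example's own choices.

```python
"""Gate on an OSSF Scorecard JSON result (added example, not project code)."""
import json
from typing import Dict, List, Tuple

# Constructed sample in the Scorecard JSON layout: a trimmed subset of the
# fields and check kinds seen in the PR's initial scan, not real output.
SAMPLE_JSON = """
{
  "score": 6.7,
  "checks": [
    {"name": "Binary-Artifacts", "score": 10,
     "reason": "no binaries found in the repo", "details": null},
    {"name": "Branch-Protection", "score": -1,
     "reason": "internal error: Resource not accessible by integration",
     "details": null},
    {"name": "Token-Permissions", "score": 0,
     "reason": "non read-only tokens detected in GitHub workflows",
     "details": [
       "Info: High severity: topLevel 'contents' permission set to 'read': .github/workflows/build.yml:11",
       "Warn: High severity: topLevel 'security-events' permission set to 'write': .github/workflows/codeql-analysis.yml:15",
       "Warn: High severity: topLevel 'contents' permission set to 'write': .github/workflows/update-dotnet-sdk.yml:9"
     ]},
    {"name": "Signed-Releases", "score": 0,
     "reason": "0 out of 5 artifacts are signed or have provenance",
     "details": ["Warn: release artifact 7.2.3+24 not signed"]},
    {"name": "Pinned-Dependencies", "score": 10,
     "reason": "all dependencies are pinned",
     "details": ["Info: GitHub-owned GitHubActions are pinned"]}
  ]
}
"""

# Scorecard uses -1 when a check could not run or was inconclusive; that is
# an operational problem to fix (token scope, rate limit), not a failing score.
INCONCLUSIVE = -1


def load_checks(text: str) -> Dict[str, dict]:
    """Parse Scorecard JSON output and index its checks by name."""
    doc = json.loads(text)
    return {check["name"]: check for check in doc["checks"]}


def inconclusive_checks(checks: Dict[str, dict]) -> List[str]:
    """Names of checks that errored out rather than scoring."""
    return sorted(n for n, c in checks.items() if c["score"] == INCONCLUSIVE)


def failing_checks(checks: Dict[str, dict], threshold: int) -> List[str]:
    """Names of checks that actually ran and scored below the threshold."""
    return sorted(n for n, c in checks.items() if 0 <= c["score"] < threshold)


def warnings_for(check: dict) -> List[str]:
    """Only the 'Warn:' detail lines; 'Info:' lines describe what is already fine.
    'details' is null for many checks, so treat None as an empty list."""
    return [d for d in (check.get("details") or []) if d.startswith("Warn:")]


def evaluate(text: str, threshold: int = 5) -> Tuple[bool, dict]:
    """Return (passes_gate, report). The gate ignores inconclusive checks so a
    missing PAT cannot mask, or be mistaken for, a real low score."""
    checks = load_checks(text)
    failing = failing_checks(checks, threshold)
    report = {
        "inconclusive": inconclusive_checks(checks),
        "failing": failing,
        "warnings": {name: warnings_for(checks[name]) for name in failing},
    }
    return (not failing, report)


if __name__ == "__main__":
    ok, report = evaluate(SAMPLE_JSON, threshold=5)
    print("gate passed:", ok)
    print("inconclusive (fix the scan, not the repo):", report["inconclusive"])
    for name in report["failing"]:
        print(f"{name}:")
        for line in report["warnings"][name]:
            print("  ", line)
```

Running it on the sample reports Branch-Protection as inconclusive and fails the gate on Signed-Releases and Token-Permissions, listing the two top-level `write` permissions as the lines to act on; raising the threshold to 10 would also pull in checks such as Fuzzing, so pick the threshold per repository rather than treating the aggregate `score` as the gate.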
I've also created an entry for the project in OpenSSF Best Practices based on changes made in this PR or in #1105.