Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Example for Demo: OpenSSF Scorecard PR Comments #155

Closed
wants to merge 1 commit into from
Closed

Example for Demo: OpenSSF Scorecard PR Comments #155

wants to merge 1 commit into from

Conversation

kehoecj
Copy link
Collaborator

@kehoecj kehoecj commented Jun 27, 2024

Example PR including bad security practices for a demo to the Boeing Open Source Program Office

github-advanced-security[bot]
github-advanced-security bot found potential problems Jun 27, 2024
View reviewed changes
Dockerfile

FROM golang:1.22@sha256:f43c6f049f04cbbaeb28f0aad3eea15274a7d0a7899a617d0037aec48d7ab010 as go-builder
FROM golang:1.22 as go-builder

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 8: containerImage not pinned by hash
Click Remediation section below to solve this issue
.github/workflows/go.yml
@@ -12,7 +12,7 @@
pull_request:

permissions:
contents: read
contents: write

Check failure

Code scanning / Scorecard

Token-Permissions High

score is 0: topLevel 'contents' permission set to 'write'
Remediation tip: Visit https://app.stepsecurity.io/secureworkflow.
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead.
Click Remediation section below for further remediation help
.github/workflows/goreportcard.yaml
@@ -7,7 +7,7 @@
pull_request:

permissions: # added using https://github.com/step-security/secure-repo
contents: read
contents: write

Check failure

Code scanning / Scorecard

Token-Permissions High

score is 0: topLevel 'contents' permission set to 'write'
Remediation tip: Visit https://app.stepsecurity.io/secureworkflow.
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead.
Click Remediation section below for further remediation help
@ccoVeille ccoVeille mentioned this pull request Jun 27, 2024
Open
@kehoecj kehoecj closed this Jun 28, 2024
@ccoVeille
Copy link
Contributor

This was a test. Is there. Any PR related to the OSS scorecard activation in the repository?

@kehoecj kehoecj deleted the openssf_example branch July 1, 2024 14:25
@kehoecj
Copy link
Collaborator Author

kehoecj commented Jul 1, 2024

This was a test. Is there. Any PR related to the OSS scorecard activation in the repository?

#151

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kehoecj @ccoVeille