Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve OpenSSF score #712

Open
nitrocode opened this issue Sep 3, 2024 · 9 comments
Open

Improve OpenSSF score #712

nitrocode opened this issue Sep 3, 2024 · 9 comments
Labels
feature New feature or request good first issue Good for newcomers
Milestone
Features implemen...

Comments

@nitrocode
Copy link

nitrocode commented Sep 3, 2024
edited
Loading

What problem are you facing?

Adoption in a new organization

How could pre-commit-terraform help solve your problem?

Renovatebot includes an openssf score on every PR update for this repo. Due to low scores, this can irk developers and management.

Please consider improving the OpenSSF score of this repo. Current score is 6.7 which is not and could be better. The higher the score, the more objective integrity the community will have towards the project.

https://github.com/ossf/scorecard

https://securityscorecards.dev/viewer/?uri=github.com/antonbabenko/pre-commit-terraform

image

Some small improvements

  • Add OpenSSF Best Practices Badge
  • Use hadolint and shellcheck to pin dependencies
  • Token Permissions in .github/workflows/* would improve it a lot
  • etc

Some big improvements

  • Create official releases and sign them
  • etc
@nitrocode nitrocode added the feature New feature or request label Sep 3, 2024
@MaxymVlasov

This comment was marked as resolved.

Sign in to view
@MaxymVlasov
Copy link
Collaborator

We definitely want 9+/10, but firstly I need to understand how to enable such scores for Renovate, as I never disable it in https://github.com/SpotOnInc/renovate-config/blob/main/default.template.json5

@nitrocode
Copy link
Author

Hi @MaxymVlasov, this is how I have enabled the scores in some orgs for renovate PRs

https://docs.renovatebot.com/presets-security/#securityopenssf-scorecard

@nitrocode
Copy link
Author

nitrocode commented Sep 4, 2024
edited
Loading

Also the results may be better by adopting the GitHub action. This should get the branch protections

https://github.com/ossf/scorecard-action

@MaxymVlasov MaxymVlasov added the good first issue Good for newcomers label Sep 4, 2024
@MaxymVlasov
Copy link
Collaborator

This can be partially mitigated by https://app.stepsecurity.io/securerepo, as it can provision part of stuff automatically

This was referenced Jan 23, 2025
Merged
Merged
@nitrocode
Copy link
Author

StepSecurity is very nice at quickly improving some areas that OpenSSF scorecard detects, so once the StepSecurity PR is merged, the OpenSSF score should also increase.

I think it would still be valuable to integrate the OpenSSF scorecard banner to showcase the score and add the action to help improve the score.

Since opening this, we have seen the score improve from 6.7 to 7.0 😄

@nitrocode
Copy link
Author

Oh Thanks Maxym, I just noticed your PRs #777 and #780.

@yermulnik
Copy link
Collaborator

Since opening this, we have seen the score improve from 6.7 to 7.0 😄

Should we try and close/re-open this more times to get score improved even further? 🤣

@MaxymVlasov
Copy link
Collaborator

Lol, nah. I'll add a badge to README, that will report status every day and on each commit to master, to simplify tracking of it

This was referenced Jan 24, 2025
Merged
Draft
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature New feature or request good first issue Good for newcomers
Projects
None yet
Milestone
Features implementing and cleanup wit...
Development

No branches or pull requests
3 participants
@yermulnik @nitrocode @MaxymVlasov