
OpenSSF Scorecard Report updated! #18

Open
github-actions bot opened this issue Apr 16, 2024 · 8 comments

Comments

@github-actions
Contributor

Hello!

There are changes in your OpenSSF Scorecard report.

Please review the following changes and take action if necessary.

Summary

There are changes in the following repositories:

| Repository | Commit | Score | Score Delta | Report | StepSecurity |
|---|---|---|---|---|---|
| expressjs/expressjs.com | ef32d3d | 5.8 | 0.1 | Details | View Fix it |
| expressjs/express | 815f799 | 6.2 | 0.8 | Details | View Fix it |
| expressjs/cors | f038e77 | 3.8 | 0.1 | Details | View Fix it |
| expressjs/generator | d05816b | 3.5 | 0.1 | Details | View Fix it |
| expressjs/cookie-session | ff7c2b2 | 4 | -0.4 | Details | View Fix it |
| pillarjs/path-to-regexp | 80a1eb6 | 5.1 | 1.7 | Details | View Fix it |
| pillarjs/cookies | b58c720 | 3.4 | -1 | Details | View Fix it |
| pillarjs/router | 3415497 | 5 | 0.9 | Details | View Fix it |
| pillarjs/encodeurl | fcff138 | 5 | 2 | Details | View Fix it |
| jshttp/accepts | 3f81df2 | 3.5 | 0.1 | Details | View Fix it |
| jshttp/basic-auth | 270611d | 5.3 | 2.3 | Details | View Fix it |
| jshttp/compressible | 58478ed | 3.7 | 0.3 | Details | View Fix it |
| jshttp/http-errors | 3c92848 | 4 | 0.1 | Details | View Fix it |
| jshttp/mime-db | 2d87025 | 3.8 | 0.4 | Details | View Fix it |

Report generated by UlisesGascon/openssf-scorecard-monitor.

@wesleytodd
Member

This is the kind of thing I meant with the discussion on the collab space yesterday. These scores seem super low and I am not sure what specifically we would even do to try and address these things. Most of it doesn't feel relevant or actionable from a security perspective, right? Also, what does "fix it" mean? I don't want to authorize some app on my GH without understanding what it is intended to do.

@ctcpip
Member

ctcpip commented Apr 16, 2024

There are definitely actionable items. Some things may be relevant, others not so much. And I think there are some issues with the configuration to begin with and that's not helping things. If the signal/noise ratio is not good to begin with, then the utility is limited. We can discuss at the next meeting if there's time.

@wesleytodd
Member

I am not sure there will be time with the working session, but I wonder if after that we should consider doing an ad-hoc security wg meeting to discuss some of this stuff?

@ctcpip
Member

ctcpip commented Apr 16, 2024

Also some more info on the StepSecurity aspect: https://github.com/step-security/secure-repo

edit: FTR I have zero experience with this tool or the organization and I have no opinions as such

@UlisesGascon
Member

We wanted to check scoring with the changes that we have been making in the last weeks (see here for more context). We plan to close this issue and the PR as it was just a quick test.

> Most of it doesn't feel relevant or actionable from a security perspective right?

Actually, pretty much aside from fuzzing, everything is actionable. As a full example of actionable items, please review (each PR has details on what it's doing and how it's affecting our security in the description):

We are following a similar model as Node.js did in the past when adopting OSSF Scorecard (for context, see: nodejs/security-wg#851).

Node.js started with very low scores too (see here), and currently, the scores are fine (see here). We keep updating and examining the scoring changes in the Security WG meetings as part of the agenda.

> Also, what does fix it mean?

As this automation is utilizing the GitHub Action OpenSSF Scorecard Monitor, the table will include a link to Step-Security to generate PRs to fix typical issues (most of what we address in separate PRs). We decided to follow the process of doing individual PRs in this case when starting the initiative with @inigomarquinez and @carpasse. In Node.js, we learned that scorecard-related PRs are a great way to engage with new collaborators since the scope and review are straightforward. That's why we're not using the Step-Security auto-suggestion at this point. By the way, I am planning to engage with the triage team on these PRs as well. 👍

> I don't want to authorize some app on my GH without understanding what it is intended to do.

Fair point. This automation is using a GA that I created and maintain, and it is currently used by Node.js, NodeSecure, CISCO Ospo and a few others.

> I am not sure there will be time with the working session, but I wonder if after that we should consider doing an ad-hoc security wg meeting to discuss some of this stuff?

100% I am more than happy to have a discussion and explain in detail the scorecard from scratch and all the related work, and how it's helping us in the long term. Let's also ensure that @inigomarquinez and @carpasse can join as they are currently handling most of the implementation. Also, @ruddermann might be interested in joining as well. 👍

@ruddermann

This is great @UlisesGascon! I totally understand concerns about how opinionated Scorecard and the Best Practices Badge can be, but these can certainly be prioritized.

I think it's important to recognize that no scoring system is perfect. Should fuzzing be an expectation in Scorecard? I don't think so, but if there are concerns about not getting the top score, it's certainly possible to document in the context of the score why building out fuzzing isn't a priority.

Question about expressjs/express#5433: has a baseline scan been done yet that we can take a look at and see what the volume and signal to noise looks like from the results?

@inigomarquinez
Member

Count on me for the session @UlisesGascon!

As for the scorecard itself, as far as I know, it can be customized to skip those metrics that may not be relevant for the organization or for specific repositories.

@carpasse

Count me too for the session @UlisesGascon please.


6 participants