Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add OSSF Scorecard GitHub Action to OSPO GitHub Actions #84

Closed
6 of 12 tasks
jmeridth opened this issue Apr 10, 2024 · 4 comments
Closed
6 of 12 tasks

Add OSSF Scorecard GitHub Action to OSPO GitHub Actions #84

jmeridth opened this issue Apr 10, 2024 · 4 comments
Assignees
Labels
enhancement New feature or request

Comments

@jmeridth
Copy link
Member

jmeridth commented Apr 10, 2024

Is your feature request related to a problem?

No visibilty of supply chain security in our GitHub Actions

Related OSPO Tool

automatic-contrib-prs GitHub Action, cleanowners GitHub Action, contributors GitHub Action, evergreen GitHub Action, issues-metrics GitHub Action, stale-repos GitHub Action

Describe the solution you'd like

Summary

Add the OSSF Scorecard GitHub Action so we can have automated supply chain security detection. Allows us to add badge to README to show users we are using open source security tooling.

Corresponding Work

Add Tasks that ladder up to this batch

Dependencies

OSSF Scorecard GitHub Action

Supporting Documentation

OSSF Scorecard GitHub Action

Describe alternatives you've considered

No response

Additional context

No response

@jmeridth jmeridth added the enhancement New feature or request label Apr 10, 2024
@jmeridth
Copy link
Member Author

Outstanding question from @zkoppert:

what system or process will we want to put in place to regularly review those scorecards and open issues for action items. Monthly review? Something else?

🤔

@jmeridth jmeridth self-assigned this Apr 10, 2024
@zkoppert
Copy link
Member

It would be cool if we could automatically open an issue when the scorecard goes below some threshold.

@jmeridth
Copy link
Member Author

jmeridth commented May 6, 2024

One of our biggest issues is pip dependencies not hashed. A good solution to this is moving to pipenv aka Pipfile and Pipfile.lock. The lock file will automatically contain all hashes for a dependency (similary to package-lock.json or Gemfile). I like this better than managing the hashes ourselves in the requirements.txt files.

I'm testing this move in github/stale-repos#132

I've found two issues though:

  • In order to install pip and pipenv in a few files and actions, you have to have the hashes in a requirements.txt file. You can't do pip install with hashes directly on the CLI. 🤦
  • it seems dependabot only supports pipenv <= 2021-05-29. Latest version is 2023.12.1. That is currently 88 versions/releases ahead of the supported version. 🤔

jmeridth added a commit to github/cleanowners that referenced this issue May 7, 2024
Relates to github/github-ospo#84
Relates to github/github-ospo#95

- [x] setup OSSF scorecard github action
- [x] setup OSSF scorecard readme badge
- [x] change current GitHub Actions to use SHAs instead of tags

Signed-off-by: jmeridth <[email protected]>
jmeridth added a commit to github/cleanowners that referenced this issue May 7, 2024
Relates to github/github-ospo#84
Relates to github/github-ospo#95

- [x] setup OSSF scorecard github action
- [x] setup OSSF scorecard readme badge
- [x] change current GitHub Actions to use SHAs instead of tags

Signed-off-by: jmeridth <[email protected]>
jmeridth added a commit to github/contributors that referenced this issue May 7, 2024
Relates to github/github-ospo#84
Relates to github/github-ospo#95

- [x] setup OSSF scorecard github action
- [x] setup OSSF scorecard readme badge
- [x] change current GitHub Actions to use SHAs instead of tags

Signed-off-by: jmeridth <[email protected]>
jmeridth added a commit to github/contributors that referenced this issue May 7, 2024
Relates to github/github-ospo#84
Relates to github/github-ospo#95

- [x] setup OSSF scorecard github action
- [x] setup OSSF scorecard readme badge
- [x] change current GitHub Actions to use SHAs instead of tags

Signed-off-by: jmeridth <[email protected]>
jmeridth added a commit to github/automatic-contrib-prs that referenced this issue May 7, 2024
Relates to github/github-ospo#84
Relates to github/github-ospo#95

- [x] setup OSSF scorecard github action
- [x] setup OSSF scorecard readme badge
- [x] change current GitHub Actions to use SHAs instead of tags

Signed-off-by: jmeridth <[email protected]>
jmeridth added a commit to github/evergreen that referenced this issue May 7, 2024
Relates to github/github-ospo#84
Relates to github/github-ospo#95

- [x] setup OSSF scorecard github action
- [x] setup OSSF scorecard readme badge
- [x] change current GitHub Actions to use SHAs instead of tags

Signed-off-by: jmeridth <[email protected]>
jmeridth added a commit to github/issue-metrics that referenced this issue May 7, 2024
Relates to github/github-ospo#84
Relates to github/github-ospo#95

- [x] setup OSSF scorecard github action
- [x] setup OSSF scorecard readme badge
- [x] change current GitHub Actions to use SHAs instead of tags

Signed-off-by: jmeridth <[email protected]>
jmeridth added a commit to github/issue-metrics that referenced this issue May 7, 2024
Relates to github/github-ospo#84
Relates to github/github-ospo#95

- [x] setup OSSF scorecard github action
- [x] setup OSSF scorecard readme badge
- [x] change current GitHub Actions to use SHAs instead of tags

Signed-off-by: jmeridth <[email protected]>
@jmeridth
Copy link
Member Author

jmeridth commented May 7, 2024

This is complete. We will iterate through the remediations.

@jmeridth jmeridth closed this as completed May 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

2 participants