Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

chore: add support for OSSF scorecard reporting #9

Merged
merged 1 commit into from
Apr 8, 2024
Merged

chore: add support for OSSF scorecard reporting #9

merged 1 commit into from
Apr 8, 2024

Conversation

inigomarquinez
Copy link
Contributor

Main Changes

This pipeline will proactively report the status of the project (every day and when a push is done to master branch) including critical fields (CI-Tests, Contributors, Dependency-Update-Tool, Webhooks) that are missing while running via OSSF cron jobs.

Context

Changes related

It's also possible that some repositories in your organization are already being automatically tracked by OpenSSF in this CSV file via weekly cronjob. One caveat: Automatically tracked projects do not include ossf/scorecard#3438 in their analysis (CI-Tests,Contributors,Dependency-Update-Tool,Webhooks).
Source: openssf-scorecard-monitor documentation

Team discussion related

Copy link
Member

@blakeembrey blakeembrey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason we want to use the specific commit hashes instead of version numbers for every action?

# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
branch_protection_rule:
# To guarantee Maintained check is occasionally updated. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm a little worried about this, the package shouldn't need to be kept "up to date" re https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained.

@blakeembrey
Copy link
Member

I found my answer here: https://github.com/ossf/scorecard/blob/d58bfb03aab496807d8489e09da9883928465f59/docs/checks.md#pinned-dependencies 😓

Seems like a GitHub Actions "lock file" would be a nice feature to simplify future updates.

@blakeembrey blakeembrey merged commit fcff138 into pillarjs:master Apr 8, 2024
@blakeembrey
Copy link
Member

A heads up, but I'm already seeing this:

CodeQL Action v2 will be deprecated on December 5th, 2024. Please update all occurrences of the CodeQL Action in your workflow files to v3. For more information, see https://github.blog/changelog/2024-01-12-code-scanning-deprecation-of-codeql-action-v2/

@inigomarquinez inigomarquinez deleted the feat/add-scorecard branch April 24, 2024 06:31
@inigomarquinez
Copy link
Contributor Author

Sorry I didn't see your messages before @blakeembrey. Thanks for reviewing!

@Queenshg87
Copy link

Need review i believe..

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants