Closed
Labels: compatibility-nonbreaking (Changes that are (likely to be) non-breaking)
Description
This derives from a request by Google's security team, which is reproduced here:
We ask that you please:
- install the OpenSSF Scorecard GitHub Action (instructions) in your repository.
- adopt its suggestions to improve your project's security posture.
A preliminary run of the OpenSSF Scorecard has identified the following improvements that can be made to the project, followed by their risk level and a summary of the remediation steps:
- Token-Permissions (High): declare GitHub workflow permissions top level as read only, and grant any write permission on job level. The changes can be seen at https://app.stepsecurity.io/secureworkflow/google/zerocopy/ci.yml/main?enable=permissions.
- Branch-Protection (High): configure the recommended branch protection settings.
- Dependency-Update-Tool (High): if applicable, use tools to help update the project's dependencies (package github-actions for example).
- Code-Review (High): ensure code is reviewed before merging it (Branch-Protection can help to ensure that).
- Pinned-Dependencies (Medium): declare and hash pin all dependencies. The changes can be seen at https://app.stepsecurity.io/secureworkflow/google/zerocopy/ci.yml/main?enable=pin.
- SAST (Medium): use static code analysis tools, e.g. CodeQL, SonarCloud.
- CII-Best-Practices (Low): add an OpenSSF (formerly CII) Best Practices Badge.
- Fuzzing (Medium): use fuzzing tools, e.g. OSS-Fuzz.
Steps:
- Integrate scorecard (Create .github/workflows/scorecard.yml #167)
- Grant scorecard more permissions to improve the fidelity of its analysis ([CI] Grant Scorecard more permissions #258)
- Apply Scorecard recommendations:
  - Use dependabot to keep dependencies up-to-date (Use Dependabot GitHub Action #240)
  - Pin to specific dependency version hashes in CI and scan PRs for vulnerable dependencies ([CI] Apply StepSecurity recommendations #259)
  - Restrict token permissions ([CI] Only grant CI action "read" permission #261)
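As an added illustration of what the Token-Permissions and Pinned-Dependencies items above amount to in practice, here is a Scorecard workflow written for this issue; it is not the project's own `.github/workflows/scorecard.yml` and makes no claim about how #167 or #259 were actually written. The top-level `permissions: read-all` is the read-only default the recommendation asks for, and only the one job that must upload results is granted write scopes. The 40-character SHAs are placeholders (all zeros), not real pins, and the version comments beside them are assumptions: a hash pin is only meaningful once it is copied from the tag of the action release you actually audited.

```yaml
# Added example, not the project's own workflow file.
name: Scorecard supply-chain analysis

on:
  branch_protection_rule:
  schedule:
    - cron: '30 1 * * 6'   # weekly; schedule is an assumption
  push:
    branches: [main]

# Token-Permissions (High): the workflow-level token is read-only.
# The weak form this replaces is simply omitting `permissions:`, which
# hands every job the repository's default (historically write) token.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    # Write scopes are granted here, on the one job that needs them,
    # and only the specific scopes that job uses.
    permissions:
      security-events: write   # upload-sarif into the Security tab
      id-token: write          # publish_results needs an OIDC token
      contents: read
      actions: read

    steps:
      # Pinned-Dependencies (Medium): each action is pinned to a full
      # commit SHA, not a mutable tag such as @v4. A tag can be moved
      # to different code later; a SHA cannot.
      #
      # Weak form (mutable tag):
      #   uses: actions/checkout@v4
      # Hardened form (hash pin, placeholder SHA below):
      - name: Checkout
        uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
        with:
          persist-credentials: false   # do not leave the token in .git/config

      - name: Run analysis
        uses: ossf/scorecard-action@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
        with:
          results_file: results.sarif
          results_format: sarif
          # Publishing lets the public badge/API reflect the latest score.
          publish_results: true

      # Keep the SARIF as an artifact so a maintainer can inspect it
      # even if the upload step below fails.
      - name: Upload artifact
        uses: actions/upload-artifact@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
        with:
          sarif_file: results.sarif
```

Once the placeholders are replaced with real SHAs, the Dependency-Update-Tool item closes the loop: a Dependabot configuration for the `github-actions` ecosystem will open PRs that bump the SHA and its version comment together, so pins stay current without anyone hand-editing them.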