[bug] Improve Scorecard score

[melba-lopez]

Describe the bug
Improve repository's OpenSSF Scorecard score (currently at 7.1)

To Reproduce
docker run -e GITHUB_AUTH_TOKEN gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/slsa-framework/slsa-github-generator --format=json > scorecard_slsa-framework_slsa-github-generator.json

Expected behavior

• Branch Protections could be improved
• CII-Best-Practices Badge could be obtained
• Project should be Fuzzed
• Security Policy should be created
• Token Permissions should follow principle of least priveledge

Screenshots

Additional context
Attempted to upload the JSON file, but github does not allow me to. Related to recommendation of securing our repos: slsa-framework/slsa#424

[laurentsimon]

Thank you!

You know you can send us some PR and possibly get rewarded at sos.dev, right?

[melba-lopez]

I thought PRs were mostly meant for doc/code changes?? I know I am unable to make these changes myself since I don't have repo access. So not sure how that would work?

[laurentsimon]

The permission changes could be changes you propose via a PR. If you identify some critical projects and get them to accept your PR, you can use sos.dev to be rewarded

Some config settings like branch protection cannot be changed via PR, you are correct.

[jspeed-meyers]

Would adding permissions: read-all to the GitHub action YAML files be sufficient to address the "Token Permissions should follow principle of least privilege" bullet point?

That's what my reading of the Scorecards documentation on token permissions remediation suggests.

If that's a correct interpretation, I'm glad to help out with a PR that adds this line repeatedly.

[laurentsimon]

I thought we already set the permissions as read-only in all our workflows. If we don't for some, please feel free to send a PR

[jspeed-meyers]

Huh, scorecard says, as of 10/19/22 for this repo, 0/10 for Token-Permissions and that non read-only tokens detected. Let me do a little digging.