Add the OpenSSF Scorecard GitHub Action #191328

Open
pnacht opened this issue Sep 15, 2022 · 2 comments

Comments


pnacht commented Sep 15, 2022

Hello, I'm working on behalf of Google and the OpenSSF to improve the supply-chain security of essential open-source projects. The OpenSSF is a non-profit foundation dedicated to improving the security of the open-source community. It counts GitHub as a founding member.

The Scorecard system combines dozens of automated checks to let maintainers better understand their project's supply-chain security posture. It is developed by the OpenSSF, with direct support from GitHub.

Given nixpkgs' importance to the NixOS ecosystem, it's been included in the OpenSSF's list of the 100 most critical open-source projects. Looking through the PRs, I've seen various mentions of Scorecards in the past (#140301, #180065, #180751). These have all aimed at improving one aspect of nixpkgs' supply-chain security by adopting one of Scorecards' many suggestions.

However, the OpenSSF has also developed the Scorecard GitHub Action, which adds the results of its checks to the project's security dashboard, as well as suggestions on how to solve any issues (see examples below). This Action has been adopted by 1600+ projects already, but hardening nixpkgs means hardening the entire NixOS ecosystem.

Would you be interested in a PR which adds this workflow? Optionally, the workflow can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README.

(Screenshot: Code scanning dashboard with multiple alerts, including Code-Review and Token-Permissions)

(Screenshot: Detail of a Token-Permissions alert, indicating the specific file and remediation steps)
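For readers who want to see what the proposed workflow actually consists of, the following is an added example and is not part of the original issue nor a file from the nixpkgs repository. It follows the shape of the workflow template documented in the ossf/scorecard-action repository; the cron schedule, the branch name and the version tags are assumptions. A real submission would pin every `uses:` reference to a full commit SHA rather than a tag, because Scorecard's own Pinned-Dependencies check flags tag references. The permissions block is the part worth reading closely, since it is the kind of suggestion the Token-Permissions check produces: the default `GITHUB_TOKEN` is made read-only for the whole workflow, and only the one job that needs to upload SARIF and (optionally) publish results gets narrowly scoped write scopes.

```yaml
# .github/workflows/scorecard.yml (added example, not the project's file)
name: Scorecard supply-chain security

on:
  # Re-run when branch protection settings change, so the
  # Branch-Protection check reflects the current configuration.
  branch_protection_rule:
  # Weekly run; the exact schedule is an assumption.
  schedule:
    - cron: '30 1 * * 6'
  push:
    branches: [ master ]   # default branch name is an assumption

# Least privilege: the token is read-only for every job unless a job
# explicitly asks for more. This is what Token-Permissions checks for.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed only to upload the SARIF file to the code-scanning dashboard.
      security-events: write
      # Needed only when publish_results is true (OIDC token for the
      # OpenSSF REST API). Drop this line if results are not published.
      id-token: write

    steps:
      - name: Checkout code
        # Pin to a commit SHA in a real workflow; a tag is used here
        # only because no specific SHA is known from the issue.
        uses: actions/checkout@v3
        with:
          # Do not leave the token in .git/config for later steps.
          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          # Optional: publishes the score so the README badge can be shown.
          # Set to false to keep results local to the dashboard only.
          publish_results: true

      - name: Upload artifact
        # Keeps the raw SARIF for a few days so maintainers can inspect
        # exactly which check produced which alert.
        uses: actions/upload-artifact@v3
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      - name: Upload to code-scanning
        # This is the step that populates the Security tab shown in the
        # screenshots above.
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
```

Two things a reviewer of such a PR would verify before merging: that no step other than the SARIF upload needs anything beyond read access (if `publish_results` is set to false, `id-token: write` should go too), and that each `uses:` line is pinned to a commit SHA with the tag kept as a trailing comment, which is how Scorecard expects pinned third-party actions to look.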

@zowoq zowoq self-assigned this Sep 15, 2022
Contributor

zowoq commented Sep 15, 2022

> Would you be interested in a PR which adds this workflow?

Not at this time; I would need to investigate the action first. Some of the suggestions for permissions submitted in the previous PRs have been incorrect.

I'll leave this issue open for now as a TODO, but if we're going to add this action it's probably easier if I do it myself.

Author

pnacht commented Sep 15, 2022

Understood. If you want to study the different checks performed by the Action, just see here.

If after taking a look, you decide Scorecard adds value to nixpkgs, it's trivial to implement via the Actions tab (link).

And if you also wish to add the Scorecard badge to your README, just follow the instructions at the Action's repo.

And I'm sure the Scorecard team would be thrilled to get any feedback you might have, either as an issue or right here, and I'll make sure to pass it on.
