Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Suggest Adoption of Scorecard GitHub Action #393

Closed
diogoteles08 opened this issue Jul 7, 2023 · 7 comments · Fixed by #394
Closed

Suggest Adoption of Scorecard GitHub Action #393

diogoteles08 opened this issue Jul 7, 2023 · 7 comments · Fixed by #394

Comments

@diogoteles08
Copy link
Contributor

Hey, I'm Diogo and I've raised the issues #366 and #383 contributing with some security enhancements. I'll happily continue contributing with such improvements (it's literally my job, see my profile), but this time I come to suggest the tool that I used myself to find those security issues.

I'd like to suggest that the project add the OpenSSF Scorecard Action. The OpenSSF Scorecard uses GitHub's public API to gather public informations about your project and runs a sort of "meta-analysis" of the project's security posture. The Action then populates the project's Security Panel with possible improvements to its security posture. It's specially helpful to ensure you won't regress on the security measures you have already adopted 😄.

Additionally, the tool integrates with the OSV Scanner, which evaluates a project's transitive dependencies looking for known vulnerabilities.

When working on the Security enhancements pointed by Scorecard, you're also able to apply for the OpenSSF's Secure Open Source Rewards program, which financially rewards developers for improving the security of important open source projects

This tool is developed by the OpenSSF in partnership with GitHub and it's already been adopted by 1800+ projects, including TensorflowPyTorchAngular, and Flutter.

If you're interested, let me know and I'll send a PR!
@mm2
Copy link
Owner

mm2 commented Jul 10, 2023
edited
Loading

Hi Diogo, thanks for your contribution.

Just a couple of quick questions:

  • Does this OSV Scanner need any modification on sources or additional files other than in the .github directory?
  • Am I assumed to annotate the code to hint the compiler than those integer overflows are correct and are there because a reason? (is just an example)
  • Would the use of this tool represent to receive many mails about so called "vulnerabilities" that at the end were in test code? (I was hit badly by fuzzers)

Otherwise I sent a mail to sos.dev about my open source project but never got any answer. Is any way to contact those guys?

Thanks
Marti

@diogoteles08
Copy link
Contributor Author

Hi Marti,

  • Does this OSV Scanner need any modification on sources or additional files other than in the .github directory?
  • Am I assumed to annotate the code to hint the compiler than those integer overflows are correct and are there because a reason? (is just an example)
  • Would the use of this tool represent to receive many mails about so called "vulnerabilities" that at the end were in test code? (I was hit badly by fuzzers)

  1. No. The OSV Scanner will work as part of the Scorecard Action, analysing your repo through public GitHub APIs and showing the results at your Security Panel.

  2. No, Scorecards won't require any kind of annotation -- although there is an issue with this idea. After using Scorecard Action, you'll be able to dismiss any false-positives directly on the Security Panel. Then they would not bother you anymore.

  3. Don't worry, the action wouldn't send you any emails haha All the notifications are intended to be shown directly on GitHub

Otherwise I sent a mail to sos.dev about my open source project but never got any answer. Is any way to contact those guys?

I'm Sorry for that, Marti. I have some contact with the SOS team and have already contacted them. I'll get back to you as soon as I have any information.

@mm2
Copy link
Owner

mm2 commented Jul 14, 2023
edited
Loading

Hello Diogo,

That's great. Sounds incredible powerful and non-intrusive. If you can manage to outline a quick PR I will gladly integrate this functionality. Don't get me wrong, I take security very seriously and any good measure to improve this is very welcome. What I want to avoid is to change code or add spurious files just to find the whole system is deprecated few years after. That already happened with Travis CI, so I'm just being a little bit more careful right now.
Thank you so much for contacting google about the SOS team. If they are responsive, is quite probably I would hire somebody to add a decent fuzzing or just to increase overall security.

@diogoteles08
Copy link
Contributor Author

That's great. Sounds incredible powerful and non-intrusive. If you can manage to outline a quick PR I will gladly integrate this functionality.

Awesome, I'll raise the PR shortly.

Don't get me wrong, I take security very seriously and any good measure to improve this is very welcome. What I want to avoid is to change code or add spurious files just to find the whole system is deprecated few years after. That already happened with Travis CI, so I'm just being a little bit more careful right now.

Absolutely, Marti! Your points are totally valid and I really appreciate your patience and time to consider the tool and talk to me about your concerns. Even after adopting the tool, please feel free to reach me for any questions or feedback and I'll be more than happy to help =)

Thank you so much for contacting google about the SOS team. If they are responsive, is quite probably I would hire somebody to add a decent fuzzing or just to increase overall security.

For this I'm afraid I won't be able to help much, though. I've contacted the SOS team and they said they'll look into your email, but they also confessed that there is a long backlog of requests. So unfortunately might not be a short reply.

@diogoteles08 diogoteles08 mentioned this issue Jul 18, 2023
Merged
@mm2 mm2 closed this as completed in #394 Jul 18, 2023
@mm2
Copy link
Owner

mm2 commented Jul 31, 2023

Hello @diogoteles08
Sorry to bother you, but after activating the scorecard all commits fail. I traced the scorecard parsing is failing with following error:

2023/07/27 10:41:17 error processing signature: executing scorecard-api call: Post "https://api.securityscorecards.dev/projects/github.com/mm2/Little-CMS": context deadline exceeded

Is anything I can do aside disabling scorecard? Thanks!

@mm2 mm2 reopened this Jul 31, 2023
@mm2
Copy link
Owner

mm2 commented Jul 31, 2023

Oh, it was github's fault. Re-running the job solved the issue, sorry, just ignore the comment. Thanks!

@mm2 mm2 closed this as completed Jul 31, 2023
@diogoteles08
Copy link
Contributor Author

Hey @mm2! You're not bothering at all -- I'd be happy to get any feedback. Anyways, I'm also happy to know it worked out 😄

Also, I'm honestly not sure it has any relation with your issue, but you might want to take a look on the possibility of running Scorecard with an specific fine grained token. Although it shouldn't change much how it's already working, I forgot to mention in this issue that this PAT is required to completely evaluating checks such Branch-Protection and (experimental) Webhooks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add Scorecard GitHub Action diogoteles08/Little-CMS
2 participants
@mm2 @diogoteles08