
Increasing the OpenSSF Scorecard results #5659

Closed
4 of 6 tasks
UlisesGascon opened this issue Aug 22, 2023 · 2 comments

Comments

@UlisesGascon (Member)

UlisesGascon commented Aug 22, 2023

Enter your suggestions in details:

The @nodejs/security team is running an initiative to improve the OpenSSF Scorecard results at organization level (nodejs/security-wg#859). In the last security team meeting we discussed the current scoring for the nodejs/nodejs.org repository. It seems there is a decrease of -1.7 points since the last review (2 weeks ago).

Repository         Commit   Score   Score Delta   Report         StepSecurity
nodejs/nodejs.org  1fbd908  6.4     -1.7          Details View   Fix it

In this recorded video you can see the analysis from the team (relevant from 05:08 to 14:53). Also the relevant notes from the meeting.

Here are the highlighted parts from the Delta Analysis:

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged

  • Reasoning: found 11 unreviewed changesets out of 23 -- score normalized to 5
  • Previous revision reasoning: found 5 unreviewed changesets out of 30 -- score normalized to 8
  • Documentation

Dangerous-Workflow

Determines if the project's github action workflows avoid dangerous patterns

Warn: untrusted code checkout '${{ github.event.pull_request.base.ref }}': .github/workflows/pull-request-target.yml:38
Warn: untrusted code checkout '${{ github.event.pull_request.base.ref }}': .github/workflows/pull-request-target.yml:82
Warn: untrusted code checkout '${{ github.event.pull_request.base.ref }}': .github/workflows/pull-request-target.yml:125

Next steps
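The Dangerous-Workflow warnings above are produced by Scorecard's "untrusted code checkout" rule: a workflow triggered by `pull_request_target` (which runs with the base repository's secrets) that checks out a ref taken from the pull request event. The following is an added example, not code from Scorecard or the nodejs.org repository: a small line-based scanner that reproduces that class of finding in the same `file:line` style. It assumes a simplified approximation of Scorecard's rule (the `UNTRUSTED_REF` pattern includes `base.ref` because the output quoted in this issue shows it being flagged, alongside the head refs), and the workflow text it runs on is a constructed sample.

```python
import re

# Triggers under which a checkout runs with the base repo's secrets, so a PR-controlled ref is untrusted.
PRIVILEGED_TRIGGERS = re.compile(r"\b(pull_request_target|workflow_run)\b")
# PR-controlled ref expressions. Assumption: an approximation of Scorecard's rule
# (base.ref is included because the issue shows it being flagged), not Scorecard's code.
UNTRUSTED_REF = re.compile(
    r"github\.event\.pull_request\.(?:head|base)\.(?:ref|sha)"
    r"|github\.event\.workflow_run\.head_(?:branch|sha)|github\.head_ref"
)

def uses_privileged_trigger(lines):
    # Matches a trigger key (`pull_request_target:`), a list item, or an inline `on: [...]` list.
    for line in lines:
        s = line.split("#", 1)[0].strip()
        if (s.startswith(("on:", "-")) or s.endswith(":")) and PRIVILEGED_TRIGGERS.search(s):
            return True
    return False

def find_untrusted_checkouts(workflow_yaml):
    """Return [(line_no, expression)] for each actions/checkout step whose `ref:` is PR-controlled."""
    lines = workflow_yaml.splitlines()
    if not uses_privileged_trigger(lines):
        return []                       # plain pull_request: no elevated rights, nothing to flag
    findings, in_checkout = [], False
    for n, line in enumerate(lines, start=1):
        s = line.strip()
        if s.startswith("- "):          # a new list item starts a new step
            in_checkout, s = False, s[2:]
        if s.startswith("uses:"):
            in_checkout = "actions/checkout" in s
        elif in_checkout and s.startswith("ref:"):
            if m := UNTRUSTED_REF.search(s):
                findings.append((n, m.group(0)))   # (line number, flagged expression)
    return findings

SAMPLE_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  build:
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.base.ref }}
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/checkout@v3   # default ref, not flagged
"""  # constructed sample, not the nodejs.org workflow
```

Running `find_untrusted_checkouts(SAMPLE_WORKFLOW)` reports lines 8 and 11; the same workflow triggered by plain `pull_request` reports nothing, which is the distinction the Scorecard check is built around.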

@ovflowd (Member)

ovflowd commented Aug 22, 2023

I kinda disagree with the reasoning imposed here. Yes, we are checking out code, but supposedly only the "base" refs for a given PR, which usually means that the base branch of this repository is used.

Also I wonder if on forks it would check out the base ref of the fork or our repository.

Anyhow, I need to understand the reasoning why checking out the base branch ref is unsafe, as it is actually the recommended approach by GitHub to stay safe.

@ovflowd (Member)

ovflowd commented Sep 5, 2023

@UlisesGascon scores went up to 8.6 :)

So... closing as the scores went up 🎉

@ovflowd ovflowd closed this as completed Sep 5, 2023