Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve Scorecard score for in-toto-golang #283

Open
19 tasks
viveksahu26 opened this issue Nov 22, 2023 · 1 comment
Open
19 tasks

Improve Scorecard score for in-toto-golang #283

viveksahu26 opened this issue Nov 22, 2023 · 1 comment
Labels
enhancement New feature or request

Comments

@viveksahu26
Copy link
Contributor

viveksahu26 commented Nov 22, 2023

Description of the feature request:

To improve the OpenSSF scorecard for in-toto-golang.
The current score is 5.4/10 as on 2023-11-13
This score is static, so to continuously updating the score requires a workflow.

Solution description
We need to work on each area to analyze where the score has dropped and how we can improve upon it! The following steps are:

  • CI Test
  • CII Best Practices
  • Contributors
  • License
  • Code Review
  • Fuzzing test
  • Packaging
  • Pinned Dependencies
  • SAST
  • Security Policy
  • Binary Artifact
  • Branch protection
  • Dependency Update Tool
  • Maintained
  • Signed Release
  • Token Permission
  • Vulnerabilities
  • Dangerous Workflow
  • Webhooks

Scorecard Result Detail
Current Score: 5.4/10

SCORE NAME REASON DETAILS DOCS
10 Maintained 30 commit(s) out of 30 and 2 issue activity out of 30 found in the last 90 days -- score normalized to 10 null https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#maintained"
10 Code-Review all changesets reviewed null https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#code-review
0 CII-Best-Practices no effort to earn an OpenSSF best practices badge detected null https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#cii-best-practices
9 License license file detected. Warn: project license file does not contain an FSF or OSI license.","Info: License file found in expected location: LICENSE:1 https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#license
-1 Signed-Releases no releases found "Warn: no GitHub releases found" https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#signed-releases
0 Branch-Protection branch protection not enabled on development/release branches. "Warn: branch protection not enabled for branch 'master' https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#branch-protection
-1 Packaging packaging workflow not detected. "Warn: no GitHub/GitLab publishing workflow detected. https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#packaging
0 Token-Permissions detected GitHub workflow tokens with excessive permissions. Warn: no topLevel permission defined: .github/workflows/build.yml:1","Warn: no topLevel permission defined: .github/workflows/lint.yml:1","Warn: no topLevel permission defined: .github/workflows/verify-docgen-fmt.yml:1","Info: no jobLevel write permissions found" https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#token-permissions
10 Dangerous-Workflow no dangerous workflow patterns detected null https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#dangerous-workflow
9 Binary-Artifacts binaries present in source code Warn: binary detected: test/data/helloworld:1 https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#binary-artifacts
0 Fuzzing project is not fuzzed Warn: no OSSFuzz integration found, Warn: no GoBuiltInFuzzer integration found https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#fuzzing
3 Pinned-Dependencies dependency not pinned by hash detected Warn: containerImage not pinned by hash: Dockerfile:3","Warn: containerImage not pinned by hash: Dockerfile:12","Warn: containerImage not pinned by hash: Dockerfile:16: pin your Docker image by updating gcr.io/distroless/base to gcr.io/distroless/base@sha256:b31a6e02605827e77b7ebb82a0ac9669ec51091edd62c2c076175e05556f4ab9","Warn: goCommand not pinned by hash: .github/workflows/build.yml:27","Info: 7 out of 7 GitHub-owned GitHubAction dependencies pinned","Info: 1 out of 1 third-party GitHubAction dependencies pinned","Info: 0 out of 3 containerImage dependencies pinned","Info: 0 out of 1 goCommand dependencies pinned" https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#pinned-dependencies
0 Security-Policy security policy file not detected Warn: no security policy file detected" https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#security-policy
10 Vulnerabilities 0 existing vulnerabilities detected null https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#vulnerabilities
0 SAST SAST tool is not run on all commits Warn: CodeQL tool not installed","Warn: 0 commits out of 30 are checked with a SAST tool https://github.com/ossf/scorecard/blob/a4ee3147a6f50bb65967343a79f7d4ce6a8e3702/docs/checks.md#sast

\en

@viveksahu26 viveksahu26 added the enhancement New feature or request label Nov 22, 2023
@viveksahu26
Copy link
Contributor Author

To see the full details of current score: https://api.securityscorecards.dev/projects/github.com/in-toto/in-toto-golang

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

1 participant