Install OpenSSF Scorecard and consider adopting its recommendations #230

Closed
6 tasks done
joshlf opened this issue Aug 7, 2023 · 2 comments
Labels
compatibility-nonbreaking Changes that are (likely to be) non-breaking

Comments

@joshlf
Member

joshlf commented Aug 7, 2023

This derives from a request by Google's security team, which is reproduced here:

We ask that you please:

  1. install the OpenSSF Scorecard GitHub Action (instructions) in your repository.
  2. adopt its suggestions to improve your project's security posture.

A preliminary run of the OpenSSF Scorecard has identified the following improvements that can be made to the project, followed by their risk level and a summary of the remediation steps:

Current status: OpenSSF Scorecard

Steps:

@joshlf joshlf added the compatibility-nonbreaking Changes that are (likely to be) non-breaking label Aug 12, 2023
@joshlf
Member Author

joshlf commented Aug 14, 2023

Applying some recommendations in #259.

joshlf added a commit that referenced this issue Aug 14, 2023
* [CI] Only grant CI action "read" permission

Makes progress on #230

* Update ci.yml
@joshlf
Member Author

joshlf commented Aug 16, 2023

Currently at 7.8, which seems reasonably high. Closing this for now - feel free to reopen (or file new issues) if there are concerns.

@joshlf joshlf closed this as completed Aug 16, 2023
joshlf added a commit that referenced this issue Aug 19, 2023
* [CI] Only grant CI action "read" permission

Makes progress on #230

* Update ci.yml
@joshlf joshlf mentioned this issue Aug 20, 2023
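The request quoted in the opening comment (install the Scorecard GitHub Action and act on its findings) and the later commit message (grant the CI workflow only "read" permission) both come down to how a workflow file is written. The following is an added example, not a file from this issue or from the project it concerns; it assumes a hypothetical path `.github/workflows/scorecard.yml`, a default branch named `main`, and a weekly cron schedule chosen here for illustration. The action names and inputs (`ossf/scorecard-action`, `github/codeql-action/upload-sarif`, `results_file`, `results_format`, `publish_results`) are the published ones; the version tags are placeholders that a real repository would pin to full commit SHAs.

```yaml
# Added example: a least-privilege workflow that runs OpenSSF Scorecard and
# uploads its SARIF report to the repository's code-scanning tab.
# Hypothetical file path: .github/workflows/scorecard.yml
name: Scorecard supply-chain security

on:
  # Re-run when branch protection settings change, on a weekly schedule
  # (constructed value: Saturdays at 01:30 UTC), and on pushes to main.
  branch_protection_rule:
  schedule:
    - cron: '30 1 * * 6'
  push:
    branches: [ main ]

# Workflow-level default: every job gets only read access to every scope.
# This is the "Token-Permissions" check Scorecard looks for, and it is the
# same idea as the "[CI] Only grant CI action 'read' permission" commit above.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    # Job-level permissions REPLACE the workflow-level block rather than
    # extending it: any scope not listed here becomes "none". That is why
    # contents: read must be repeated even though read-all is set above.
    permissions:
      contents: read          # needed by actions/checkout
      security-events: write  # needed to upload SARIF to code scanning
      id-token: write         # needed only when publish_results is true

    steps:
      - name: Checkout code
        # Placeholder tag: Scorecard's Pinned-Dependencies check expects a
        # full commit SHA here (e.g. actions/checkout@<40-hex-sha> # v4.x).
        uses: actions/checkout@v4
        with:
          # Do not leave the GITHUB_TOKEN in the checked-out .git/config,
          # where later steps could read it.
          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          # Publishing sends the score to the public Scorecard API so the
          # README badge (the "Current status" line above) stays current.
          # Set to false for repositories that should not publish a score.
          publish_results: true

      - name: Upload SARIF results to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Two points are easy to get wrong when adopting this. First, because a job-level `permissions` block replaces the workflow-level one, adding `security-events: write` to a job without also restating `contents: read` silently breaks checkout rather than widening access. Second, the score Scorecard reports for this workflow depends on the `uses:` references being pinned to commit SHAs; the tags shown here keep the example readable but would themselves be flagged by the Pinned-Dependencies check.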