Improve SecurityWG Scorecard

[RafaelGSS]

Following https://github.com/nodejs/security-wg/blob/main/tools/ossf_scorecard/report.md + Code Scanning, we have a few security concerns to mitigate in this repository and then improve our score. Let's use this issue to keep track of the progress:

• Token-Permissions
  • .github/workflows/ossf-scorecard-reporting.yml:11

  • score is 0: topLevel 'contents' permission set to 'write'
    Remediation tip: update your workflow using https://app.stepsecurity.io
    Click Remediation section below for further remediation help

  • .github/workflows/validate-vulnerability.yml:1

  • score is 0: no topLevel permission defined
    Remediation tip: update your workflow using https://app.stepsecurity.io
    Click Remediation section below for further remediation hel

• Pinned-Dependencies
  • All .yml files.
• SAST Tool
• Fuzzing
• Code-Review

[UlisesGascon]

I am happy to help with some PRs for the tokens and pinned dependencies. Regarding SAST Tool I can enable CodeQL from the github settings in few minutes.

Regarding fuzzing maybe @fraxken can lead it :)

[shubham-y]

I would like to work on this issue

[RafaelGSS]

@shubham-y feel free to pick one item from the list and make the PR.

[varunsh-coder]

Hi All, I am the founder of StepSecurity. We are developing a few tools like app.stepsecurity.io to simplify developers' work and increase the OpenSSF Scorecard score using automation. Please let me know if I can help in any way.

I am curious if this issue is only for this repo or to increase the score across nodejs repos?

[RafaelGSS]

Currently, only this repo. The plan is to perform this for all the repos in the org.

[fraxken]

If we fix remaining issues with token permissions the score will up to ~9.2

For fuzzing I don't think that applicable here.

We can also improve the score by completing the CII-Best-Practices program (but again not sure if that useful for this repository?).

[UlisesGascon]

We can explore how CII-Best-Practices works in this repo and then try to replicate it for Node and Undici.

I completed the CII-Best-Practices for one of the projects that I maintain and it is quite long process but super interesting as leads to more opportunities to discuss and improve outside the automatic scoring.

[RafaelGSS]

CII-Best-Practices seems interesting.

[RafaelGSS]

UPDATE From #961

Repository	Commit	Score	Date	Difference	Report Link	StepSecurity Link
nodejs/security-wg	436ca24	8.2	2023-04-24T22:24:57Z	0.1	Full Report	Fix it

[UlisesGascon]

UPDATE from #981

Repository	Commit	Score	Date	Difference	Report Link	StepSecurity Link
nodejs/security-wg	b3757f5	8.2	2023-05-09T11:18:48Z	0	Full Report	Fix it

[github-actions]

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.

[github-actions]

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.

[RafaelGSS]

I'm closing it since we've achieved our goal of improving the scorecard and now, we're monitoring the score on each meeting.