Improve Node.js Scorecard #929
Comments
|
Actually, there's already a PR for pinned actions nodejs/node#46820 |
|
Hey @RafaelGSS, I would love to deep into this. Just a couple of questions:
|
You can use the same as the one we use for this repo. |
|
I created this PR to increase the scorecard score by adding the missing dependencies: nodejs/node#47346 I'm sure that by merging this we can get very close to score 10 on the topic "Pinned-Dependencies". |
|
UPDATE from #945 Node.js score: 7.6 - 2023-04-08 |
|
UPDATE from #961
|
|
UPDATE from #981
|
|
As discussed in #1042, we can pin the node-core-utils in a package.json to run the command: https://github.com/nodejs/node/blob/main/tools/actions/start-ci.sh. See: https://kooltheba.github.io/openssf-scorecard-api-visualizer/#/projects/github.com/nodejs/node/compare/2ac5e9889aba461f5a54d320973d2574980d206b/b5e16adb1d155759e7db405eead5a43cd425785d (pinned dependencies) |
|
This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made. |
|
I'm closing it since we've achieved our goal of improving the scorecard and now, we're monitoring the score on each meeting. |
Reference: https://github.com/nodejs/security-wg/blob/main/tools/ossf_scorecard/report.md
We need to:
Enable code-scanning in the Node.js repository by setting a scorecard.yml (tools: add scorecard ci node#47254)
Fix the warnings (feel free to update this list)
Pin npm dependencies in our actions (Improve Node.js Scorecard #929 (comment))
...
Note: we can use the StepSecurity for an automated PR.
The text was updated successfully, but these errors were encountered: