Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

BREAKING NEWS: The scorecard Monitor is part of the OSSF 🥳 #79

Open
UlisesGascon opened this issue Jun 10, 2024 · 4 comments
Open

BREAKING NEWS: The scorecard Monitor is part of the OSSF 🥳 #79

UlisesGascon opened this issue Jun 10, 2024 · 4 comments

Comments

@UlisesGascon
Copy link
Member

UlisesGascon commented Jun 10, 2024

TL;DR:

I am very glad to announce that this repository is now part of the OSSF Organization, so the Scorecard Visualizer is now an official tool in the OSSF Scorecard ecosystem. 🎊 🎊

Important Details

As part of the migration process, the repository has been transferred to the OSSF (from UlisesGascon/openssf-scorecard-monitor to ossf/scorecard-monitor). The redirection should be working, so no additional steps are required from your part. Starting from version v2.0.0-beta8, we will use the new URLs (soon to be released).

Let's celebrate this moment together 🤗

This journey started a long time ago, even before the first commit on Feb 2023 when we started to adopt the OSSF Scorecard in the Node.js Organization (nodejs/security-wg#851) in Dec'22, thanks to the GOSST Team (@gabibguti, @joycebrum, @pnacht, @diogoteles08 and others) that helped us understand in detail what this project is about and how it can help our organization be more secure (full video).

As soon as I understood how important this was for the Open Source Community, I tried to spread this idea into the ecosystem, so I started to blog about it and discuss it with the community on social media.

The real challenge came when we needed to adopt it at the scale of Node.js, in the Node.js' security WG (nodejs/security-wg#851 (comment)). We realized that we needed a tool to help us monitor the scoring over time. In the following weeks, we started to iterate over this idea until we had the most basic features of the Monitor, especially thanks to Security WG (@mhdawson, @RafaelGSS, @marco-ippolito, @fraxken and others) for all the patience, feedback, ideas, and contributions to consolidate this tool and make it extensible to the community.

Once we had a clear idea on how to track the scores in our repositories, we realized that it was very hard for us to spot the evolution in terms of scoring differences. So, @KoolTheba joined the efforts by creating the Scorecard Visualizer that allowed us to showcase the scorecard details per project using commit hashes and to compare between two different commits. This was a game-changer for us as it allowed us to quickly spot the differences and act on them on a bi-weekly basis, especially when the diff details were added.

Our next big problem was how to reduce the Time To Remediation (TTR). One day, the Step Security team did an eye-opening demo for the Node.js Security WG (#37). Thanks, @varunsh-coder and @boahc077, for showing us the right way. Since then, there is a fix it link in the report to quickly apply many scorecard recommendations in any GitHub project.

I want to especially thank all the collaborators (@KoolTheba, @justaugustus, @lelia, @rajbos and others...) who helped us on this amazing journey, as well as all the users (@inigomarquinez, carpasse and others) and orgs that were early adopters and provided invaluable feedback and perspectives to the project!

Finally, thanks to the OpenJS Security Collab (@ruddermann, @ctcpip, @ljharb, @mrutkows, @shusak, @joesepi, @rginn, @bensternthal and others) for the endless discussions and invaluable knowledge shared in every session. Also, to the OSSF team for building these amazing tools and sharing them with me in advance (@laurentsimon, @naveensrinivasan and others...), and to the OSSF for helping us in all the donation journey and making all the changes required for us to join (@justaugustus, @afmarcum, @bbpursell1 and others).


📢 You can follow this discussion on Twitter, Linkedin and Mastodoon

@UlisesGascon UlisesGascon changed the title BREAKING NEWS: The scorecard Monitor is part of the OSSF Organization! 🥳 BREAKING NEWS: The scorecard Monitor is part of the OSSF 🥳 Jun 10, 2024
@UlisesGascon UlisesGascon pinned this issue Jun 10, 2024
@inigomarquinez
Copy link

Congratulations @UlisesGascon !

Happy to see that these tools that I've been using for a while keep improving and gradually becoming official in the Open Source world. 🚀

@lelia
Copy link
Contributor

lelia commented Jun 20, 2024

Great news, @UlisesGascon! 🎉

I wanted to clarify one thing about the status of v2.0.0-beta8 as I noticed this tag is now referenced in the README.md and package.json but I don't see a corresponding release for beta8 yet.

Is the tagging of this release intentionally delayed as part of the transition to ossf? Thanks!

@bbpursell1
Copy link

There was a hold-up on legal review of the Marketplace Developer policy. This is now approved, and @UlisesGascon should be able to publish it when he is ready.

@justaugustus
Copy link
Member

There are a few things I want to review copy-wise before we republish. @UlisesGascon, let's have a quick sync in the next week before a new rev.

UlisesGascon added a commit to UlisesGascon/.github-1 that referenced this issue Jun 27, 2024
UlisesGascon added a commit to onebeyond/maintainers that referenced this issue Jun 27, 2024
UlisesGascon added a commit to expressjs/security-wg that referenced this issue Jun 27, 2024
UlisesGascon added a commit to nodejs/security-wg that referenced this issue Jun 27, 2024
UlisesGascon added a commit to UlisesGascon/.github-2 that referenced this issue Jun 27, 2024
RafaelGSS pushed a commit to nodejs/security-wg that referenced this issue Jun 27, 2024
UlisesGascon added a commit to expressjs/security-wg that referenced this issue Jun 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants