-
Notifications
You must be signed in to change notification settings - Fork 505
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature: better remediation steps #1850
Comments
Adding more details to the above options:
@zwass since you originally requested this, please share insights on what would work best for you/ ideas to improve these options. |
@varunsh-coder for (1), do you already have an API we could use now? (app.stepsecurity.io/secureworkflows?q=xxx)? |
Not yet. I will create a work item for it. It should be doable in a few days time. I will get back once it is implemented. |
Fyi, that's where we create the markdown https://github.com/ossf/scorecard/blob/main/pkg/sarif.go#L397. Feel free to try things it and see what looks best to embed the link. |
we could also add it in https://github.com/ossf/scorecard/blob/main/pkg/sarif.go#L436 which is closer to the code highlighted by GitHub in the dashboard |
Support for point 1 has been added. The format of the website is https://app.stepsecurity.io/secureworkflow/:owner/:repo/:workflowname/:branch Here are couple of examples: After the page loads with the fixed workflow, the user can uncheck options and click "secure workflow" button to change options. Let me know if there is feedback, I can change the inputs/ outputs as required. For points 2 and 3, I believe this support does not exist as of now, as per issue github/codeql-action#1043. We could still place fixed workflow in the SARIF output to see how it looks. |
Looks great. Since this is for token permissions and pinning, could we disable the hardened runner for this use case? Maybe via a a |
Yes, that should be easy to do. Will implement and get back. |
This is done. The format is https://app.stepsecurity.io/secureworkflow/:owner/:repo/:workflowname/:branch?enable=permissions,pin Here are couple of examples: For completeness, if someone wanted to all add If the workflow cannot be fetched, because path is wrong, or it is a private repo, an error message is shown. Let me know if there is other feedback. |
LGTM. How would you you like to proceed? Do you want to take a stab at the UI for the Action (#1850 (comment) and #1850 (comment)) or you'd like us to look into it? It would be great if we could have this for the next Action release, which is almost there ossf/scorecard-action#97 |
@laurentsimon would be great if you or another maintainer can integrate it. w.r.t the options, both look good. Having it display closer to the code #1850 (comment)) will show the developer that there is an easy way to solve it, which should increase fix rate. |
OK, tracked in ossf/scorecard-action#97 |
One of the users got redirected to app.stepsecurity.io, but it was a no-op for them. Here is the link they got: What is the expectation in this case? As part of the fix, should app.stepsecurity.io re-organize the permissions and move the |
I think that would be great, yes. |
I wanted to share some updates on automated remediations. https://github.com/step-security/secure-workflows now
Both these fixes increase the Scorecard score. Each option is optional, and the UI shows which improves the Scorecard score. Instead of fixing one file at a time, there is an option to scan all files in the repo for remediations and apply them together using a PR. PR is created using a fork, and no App installation is needed. Shortly, the following remediations will be added:
Please let me know if there is any feedback or questions. Thanks! |
This issue is stale because it has been open for 60 days with no activity. |
This issue is stale because it has been open for 60 days with no activity. |
It's pretty hard for a user to remediate some of the results:
We should try to do better. Some thoughts:
Starting with option (1) may be the easiest to start with.
/cc @varunsh-coder
The text was updated successfully, but these errors were encountered: