-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve Node.js Scorecard #929
Comments
Actually, there's already a PR for pinned actions nodejs/node#46820 |
Hey @RafaelGSS, I would love to deep into this. Just a couple of questions:
|
You can use the same as the one we use for this repo. |
I created this PR to increase the scorecard score by adding the missing dependencies: nodejs/node#47346 I'm sure that by merging this we can get very close to score 10 on the topic "Pinned-Dependencies". |
UPDATE from #945 Node.js score: 7.6 - 2023-04-08 |
UPDATE from #961
|
UPDATE from #981
|
As discussed in #1042, we can pin the node-core-utils in a package.json to run the command: https://github.com/nodejs/node/blob/main/tools/actions/start-ci.sh. See: https://kooltheba.github.io/openssf-scorecard-api-visualizer/#/projects/github.com/nodejs/node/compare/2ac5e9889aba461f5a54d320973d2574980d206b/b5e16adb1d155759e7db405eead5a43cd425785d (pinned dependencies) |
This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made. |
I'm closing it since we've achieved our goal of improving the scorecard and now, we're monitoring the score on each meeting. |
Reference: https://github.com/nodejs/security-wg/blob/main/tools/ossf_scorecard/report.md
We need to:
Enable code-scanning in the Node.js repository by setting a scorecard.yml (tools: add scorecard ci node#47254)
Fix the warnings (feel free to update this list)
Pin npm dependencies in our actions (Improve Node.js Scorecard #929 (comment))
...
Note: we can use the StepSecurity for an automated PR.
The text was updated successfully, but these errors were encountered: