This repository was archived by the owner on Nov 4, 2022. It is now read-only.
This repository was archived by the owner on Nov 4, 2022. It is now read-only.
Improve Scorecard score #32
Description
Describe the bug
I know this is a demo repository, but if we are expecting people to install on their own systems, we should try to follow security best practices as well. If the demo is no longer valid, we could either repurpose for future demos or deprecate the repo.
Improve repository's OpenSSF Scorecard score (currently at 4.2)
To Reproduce
docker run -e GITHUB_AUTH_TOKEN gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/slsa-framework/github-actions-demo --format=json > scorecard_slsa-framework_github-actions-demo.json
Expected behavior
- Branch Protections could be improved
- CII-Best-Practices Badge could be obtained
- Project should always have reviews/CI-Tests when possible
- Project should be Fuzzed
- Dependencies should be updated regularly with automated tooling
- Repo is not maintained --> may be as a result of it being a deprecated repo
- All dependencies should be pinned via hash
- SAST Tool should be used to scan upon code commits
- Security Policy should be created
- Token Permissions should follow principle of least privilege
Screenshots
Additional context
Attempted to upload the JSON file, but github does not allow me to. Related to recommendation of securing our repos: slsa-framework/slsa#424