Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Score OpenSSF #2958

Open
AClerbois opened this issue Nov 20, 2024 · 1 comment
Open

Score OpenSSF #2958

AClerbois opened this issue Nov 20, 2024 · 1 comment
Labels
triage New issue. Needs to be looked at

Comments

@AClerbois
Copy link
Contributor

Hello Boys,

I've just run the tool OpenSSF on my machine.

My objectif was to evaluate the product and share the result with you.

More information about OpenSSF on the Microsoft DevBlogs article

This is the final result :

RESULTS

Aggregate score: 6.9 / 10

Check scores :

SCORE NAME REASON DETAILS DOCUMENTATION/REMEDIATION
10 / 10 Binary-Artifacts no binaries found in the repo Binary Artifacts Check
8 / 10 Branch-Protection branch protection is not maximal on development and all release branches Info: 'allow deletion' disabled on branch 'dev'; Info: 'force pushes' disabled on branch 'dev'; Info: required approving review count is 1 on branch 'dev' Branch Protection Check
10 / 10 CI-Tests 16 out of 16 merged PRs checked by a CI test -- score normalized to 10 CI Tests Check
0 / 10 CII-Best-Practices no effort to earn an OpenSSF best practices badge detected CII Best Practices Check
5 / 10 Code-Review Found 15/30 approved changesets -- score normalized to 5 Code Review Check
10 / 10 Contributors project has 28 contributing companies or organizations Contributors Check
10 / 10 Dangerous-Workflow no dangerous workflow patterns detected Dangerous Workflow Check
10 / 10 Dependency-Update-Tool update tool detected Info: detected update tool: Dependabot Dependency Update Tool Check
0 / 10 Fuzzing project is not fuzzed Warn: no fuzzer integrations found Fuzzing Check
10 / 10 License license file detected Info: project has a license file: LICENSE:0 Info: FSF or OSI recognized license: MIT License License Check
10 / 10 Maintained 30 commit(s) and 28 issue activity found in the last 90 days -- score normalized to 10 Maintained Check
? Packaging packaging workflow not detected Warn: no GitHub/GitLab publishing workflow detected Packaging Check
0 / 10 Pinned-Dependencies dependency not pinned by hash Warn: GitHub-owned GitHubAction not pinned by hash Pinned Dependencies Check
7 / 10 SAST SAST tool detected but not run on all commits Info: SAST configuration detected: CodeQL Warn: 0 commits out of 16 are checked with a SAST tool SAST Check
10 / 10 Security-Policy security policy file detected Info: security policy file detected: SECURITY.md:1 Security Policy Check
? Signed-Releases no releases found Signed Releases Check
0 / 10 Token-Permissions detected GitHub workflow tokens with excessive permissions Warn: jobLevel 'checks' permission set to 'write' Token Permissions Check
8 / 10 Vulnerabilities 2 existing vulnerabilities detected Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275, GHSA-952p-6rrq-rcjv Vulnerabilities Check

In my point of view, this result is really interesting to be displayed, we can plan to integrate the badge and try to improve the score with best Open Source practises proposed : https://scorecard.dev/#run-the-checks

Br,

Adrien C.

@microsoft-github-policy-service microsoft-github-policy-service bot added the triage New issue. Needs to be looked at label Nov 20, 2024
@vnbaaij
Copy link
Collaborator

vnbaaij commented Nov 20, 2024

Interesting indeed... but yet another thing we would need to maintain.

Not sure if we have bandwidth for that. Might be that some are low hanging fruit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
triage New issue. Needs to be looked at
Projects
None yet
Development

No branches or pull requests

2 participants