
Improve OpenSSF score

Open nitrocode opened this issue 1 year ago • 9 comments

What problem are you facing?

Adoption in a new organization

How could pre-commit-terraform help solve your problem?

Renovatebot includes an openssf score on every PR update for this repo. Due to low scores, this can irk developers and management.

Please consider improving the OpenSSF score of this repo. Current score is 6.7 which is not and could be better. The higher the score, the more objective integrity the community will have towards the project.

https://github.com/ossf/scorecard

https://securityscorecards.dev/viewer/?uri=github.com/antonbabenko/pre-commit-terraform


Some small improvements

  • Add OpenSSF Best Practices Badge
  • Use hadolint and shellcheck to pin dependencies
  • Token Permissions in .github/workflows/* would improve it a lot
  • etc

Some big improvements

  • Create official releases and sign them
  • etc

nitrocode avatar Sep 03 '24 14:09 nitrocode

@nitrocode can you please point me where you find such score in Renovate PRs for pre-commit hooks?


MaxymVlasov avatar Sep 03 '24 16:09 MaxymVlasov

We definitely want 9+/10, but firstly I need to understand how to enable such scores for Renovate, as I never disable it in https://github.com/SpotOnInc/renovate-config/blob/main/default.template.json5

MaxymVlasov avatar Sep 03 '24 16:09 MaxymVlasov

Hi @MaxymVlasov, this is how I have enabled the scores in some orgs for renovate PRs

https://docs.renovatebot.com/presets-security/#securityopenssf-scorecard

nitrocode avatar Sep 03 '24 19:09 nitrocode

Also the results may be better by adopting the GitHub action. This should get the branch protections

https://github.com/ossf/scorecard-action

nitrocode avatar Sep 04 '24 12:09 nitrocode
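For reference, this is what a minimal scorecard-action workflow looks like with the least-privilege token permissions the issue asks for; it is an added example, not a file from the pre-commit-terraform repo, and the action version tags are placeholders (Scorecard's Pinned-Dependencies check expects full commit SHAs):

```yaml
# Added example of a least-privilege Scorecard workflow (not the project's own file).
name: OpenSSF Scorecard
on:
  branch_protection_rule:
  schedule:
    - cron: '30 1 * * 6'   # weekly run keeps the published score fresh
  push:
    branches: [master]     # the repo's default branch, as named in the thread

# Default token scope for every job: read-only. This is the "Token Permissions"
# check from the issue; individual jobs opt in to the few extra scopes they need.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # upload SARIF to the repo's Security tab
      id-token: write          # OIDC token so results can be published to the Scorecard API
    steps:
      - name: Checkout
        uses: actions/checkout@v4   # placeholder tag; pin to a full commit SHA in practice
        with:
          persist-credentials: false   # do not leave the token in .git/config

      - name: Run analysis
        uses: ossf/scorecard-action@v2   # placeholder tag; pin to a full commit SHA in practice
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true          # makes the score visible at securityscorecards.dev

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v3   # placeholder tag; pin to a SHA in practice
        with:
          sarif_file: results.sarif
```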

This can be partially mitigated by https://app.stepsecurity.io/securerepo, as it can provision part of stuff automatically

MaxymVlasov avatar Jan 23 '25 22:01 MaxymVlasov

StepSecurity is very nice at quickly improving some areas that OpenSSF scorecard detects, so once the StepSecurity PR is merged, the OpenSSF score should also increase.

I think it would still be valuable to integrate the OpenSSF scorecard banner to showcase the score and add the action to help improve the score.

Since opening this, we have seen the score improve from 6.7 to 7.0 😄

nitrocode avatar Jan 24 '25 05:01 nitrocode

Oh Thanks Maxym, I just noticed your PRs #777 and #780.

nitrocode avatar Jan 24 '25 05:01 nitrocode

> Since opening this, we have seen the score improve from 6.7 to 7.0 😄

Should we try and close/re-open this more times to get score improved even further? 🤣

yermulnik avatar Jan 24 '25 13:01 yermulnik

Lol, nah. I'll add a badge to README, that will report status every day and on each commit to master, to simplify tracking of it

MaxymVlasov avatar Jan 24 '25 14:01 MaxymVlasov

Future score can be improved only by adding Fuzzing, which is N/A for bash hooks. I close it, as 8.6-8.7 is good enough

MaxymVlasov avatar Jul 02 '25 18:07 MaxymVlasov

Thanks for your hard work at improving the score and securing the repo.

If you see any other repos in the org or otherwise, please consider using it. There are a surprising number of vulnerable repos I've seen bubbled up by Renovate PRs and it's made us reconsider dependencies.

nitrocode avatar Jul 05 '25 21:07 nitrocode