What would you like to be added?

We have recently enabled the OpenSSF Scorecard action and there is work to be done to match the new project lifecycle established by the Technical Advisory Council of the LFDT, documented at https://github.com/LF-Decentralized-Trust/governance/blob/main/tac/governing-documents/project-lifecycle.md

I find the pinned-dependencies check extremely excessive: we are specifying a version on the GitHub Action (v4, for example) but the scorecard wants a hash.

Looking at the latest scorecard:
{
"date": "2025-02-04T10:59:25Z",
"repo": {
"name": "github.com/hyperledger/firefly",
"commit": "53e42cd8b07e5a16e1c54516c26d1e53e603778d"
},
"scorecard": {
"version": "v4.13.1",
"commit": "49c0eed3a423f00c872b5c3c9f1bbca9e8aae799"
},
"score": 5.5,
"checks": [
{
"name": "Binary-Artifacts",
"score": 10,
"reason": "no binaries found in the repo",
"details": null,
"documentation": {
"short": "Determines if the project has generated executable (binary) artifacts in the source repository.",
"url": "https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#binary-artifacts"
}
},
{
"name": "Branch-Protection",
"score": 1,
"reason": "branch protection is not maximal on development and all release branches",
"details": [
"Info: 'force pushes' disabled on branch 'main'",
"Info: 'allow deletion' disabled on branch 'main'",
"Info: status checks require up-to-date branches for 'main'",
"Info: 'last push approval' enabled on branch 'main'",
"Info: status check found to merge onto on branch 'main'",
"Warn: number of required reviewers is only 1 on branch 'main'",
"Info: stale review dismissal enabled on branch 'main'",
"Warn: settings do not apply to administrators on branch 'main'",
"Info: codeowner review is required on branch 'main'",
"Info: 'force pushes' disabled on branch 'release-1.2'",
"Warn: 'allow deletion' enabled on branch 'release-1.2'",
"Warn: status checks do not require up-to-date branches for 'release-1.2'",
"Warn: 'last push approval' disabled on branch 'release-1.2'",
"Info: status check found to merge onto on branch 'release-1.2'",
"Warn: number of required reviewers is 0 on branch 'release-1.2'",
"Warn: stale review dismissal disabled on branch 'release-1.2'",
"Warn: settings do not apply to administrators on branch 'release-1.2'",
"Warn: codeowner review is not required on branch 'release-1.2'",
"Info: 'force pushes' disabled on branch 'release-1.1'",
"Warn: 'allow deletion' enabled on branch 'release-1.1'",
"Warn: status checks do not require up-to-date branches for 'release-1.1'",
"Warn: 'last push approval' disabled on branch 'release-1.1'",
"Info: status check found to merge onto on branch 'release-1.1'",
"Warn: number of required reviewers is 0 on branch 'release-1.1'",
"Warn: stale review dismissal disabled on branch 'release-1.1'",
"Warn: settings do not apply to administrators on branch 'release-1.1'",
"Warn: codeowner review is not required on branch 'release-1.1'",
"Info: 'force pushes' disabled on branch 'release-1.0'",
"Warn: 'allow deletion' enabled on branch 'release-1.0'",
"Warn: status checks do not require up-to-date branches for 'release-1.0'",
"Warn: 'last push approval' disabled on branch 'release-1.0'",
"Info: status check found to merge onto on branch 'release-1.0'",
"Warn: number of required reviewers is 0 on branch 'release-1.0'",
"Warn: stale review dismissal disabled on branch 'release-1.0'",
"Warn: settings do not apply to administrators on branch 'release-1.0'",
"Warn: codeowner review is not required on branch 'release-1.0'"
],
"documentation": {
"short": "Determines if the default and release branches are protected with GitHub's branch protection settings.",
"url": "https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#branch-protection"
}
},
{
"name": "CI-Tests",
"score": 8,
"reason": "6 out of 7 merged PRs checked by a CI test -- score normalized to 8",
"details": null,
"documentation": {
"short": "Determines if the project runs tests before pull requests are merged.",
"url": "https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#ci-tests"
}
},
{
"name": "CII-Best-Practices",
"score": 5,
"reason": "badge detected: passing",
"details": null,
"documentation": {
"short": "Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.",
"url": "https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#cii-best-practices"
}
},
{
"name": "Code-Review",
"score": 4,
"reason": "found 8 unreviewed changesets out of 14 -- score normalized to 4",
"details": null,
"documentation": {
"short": "Determines if the project requires human code review before pull requests (aka merge requests) are merged.",
"url": "https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#code-review"
}
},
{
"name": "Contributors",
"score": 10,
"reason": "19 different organizations found -- score normalized to 10",
"details": [
"Info: contributors work for *instinctools,AdoptOpenJDK,LF-Decentralized-Trust,MyHoneyBadger,PQCA,StartupBot,Superlogic,appsody,chelexa,hyperledger,ibmruntimes,kaleido-io,kaleido.io,linuxfoundation,new york university,openwallet-foundation,rust-lang,uber,uber-common"
],
"documentation": {
"short": "Determines if the project has a set of contributors from multiple organizations (e.g., companies).",
"url": "https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#contributors"
}
},
{
"name": "Dangerous-Workflow",
"score": 10,
"reason": "no dangerous workflow patterns detected",
"details": null,
"documentation": {
"short": "Determines if the project's GitHub Action workflows avoid dangerous patterns.",
"url": "https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#dangerous-workflow"
}
},
{
"name": "Dependency-Update-Tool",
"score": 10,
"reason": "update tool detected",
"details": [
"Info: tool 'Dependabot' is used: :0"
],
"documentation": {
"short": "Determines if the project uses a dependency update tool.",
"url": "https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#dependency-update-tool"
}
},
{
"name": "Fuzzing",
"score": 0,
"reason": "project is not fuzzed",
"details": [
"Warn: no OSSFuzz integration found: Follow the steps in https://github.com/google/oss-fuzz to integrate fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
"Warn: no OneFuzz integration found: Follow the steps in https://github.com/microsoft/onefuzz to start fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
"Warn: no GoBuiltInFuzzer integration found: Follow the steps in https://go.dev/doc/fuzz/ to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)",
"Warn: no PythonAtherisFuzzer integration found: Follow the steps in https://github.com/google/atheris to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)",
"Warn: no CLibFuzzer integration found: Follow the steps in https://llvm.org/docs/LibFuzzer.html to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)",
"Warn: no CppLibFuzzer integration found: Follow the steps in https://llvm.org/docs/LibFuzzer.html to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)",
"Warn: no SwiftLibFuzzer integration found: Follow the steps in https://google.github.io/oss-fuzz/getting-started/new-project-guide/swift-lang/ to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)",
"Warn: no RustCargoFuzzer integration found: Follow the steps in https://rust-fuzz.github.io/book/cargo-fuzz.html to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)",
"Warn: no JavaJazzerFuzzer integration found: Follow the steps in https://github.com/CodeIntelligenceTesting/jazzer to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)",
"Warn: no ClusterFuzzLite integration found: Follow the steps in https://github.com/google/clusterfuzzlite to integrate fuzzing as part of CI.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
"Warn: no HaskellPropertyBasedTesting integration found: Use one of the following frameworks to fuzz your project:\nQuickCheck: https://hackage.haskell.org/package/QuickCheck\nhedgehog: https://hedgehog.qa/\nvalidity: https://github.com/NorfairKing/validity\nsmallcheck: https://hackage.haskell.org/package/smallcheck\nhspec: https://hspec.github.io/\ntasty: https://hackage.haskell.org/package/tasty (High effort)",
"Warn: no TypeScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)",
"Warn: no JavaScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)"
],
"documentation": {
"short": "Determines if the project uses fuzzing.",
"url": "https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#fuzzing"
}
},
{
"name": "License",
"score": 10,
"reason": "license file detected",
"details": [
"Info: License file found in expected location: LICENSE:1",
"Info: FSF or OSI recognized license: LICENSE:1"
],
"documentation": {
"short": "Determines if the project has defined a license.",
"url": "https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#license"
}
},
{
"name": "Maintained",
"score": 10,
"reason": "30 commit(s) out of 30 and 8 issue activity out of 30 found in the last 90 days -- score normalized to 10",
"details": null,
"documentation": {
"short": "Determines if the project is \"actively maintained\".",
"url": "https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#maintained"
}
},
{
"name": "Packaging",
"score": 10,
"reason": "publishing workflow detected",
"details": [
"Info: GitHub/GitLab publishing workflow used in run https://api.github.com/repos/hyperledger/firefly/actions/runs/13132654212: .github/workflows/docker_main.yml:12"
],
"documentation": {
"short": "Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.",
"url": "https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#packaging"
}
},
{
"name": "Pinned-Dependencies",
"score": 0,
"reason": "dependency not pinned by hash detected -- score normalized to 0",
"details": [
"Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docker_main.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/docker_main.yml/main?enable=pin",
"Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker_main.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/docker_main.yml/main?enable=pin",
"Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker_main.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/docker_main.yml/main?enable=pin",
"Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker_main.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/docker_main.yml/main?enable=pin",
"Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker_main.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/docker_main.yml/main?enable=pin",
"Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docker_release.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/docker_release.yml/main?enable=pin",
"Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker_release.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/docker_release.yml/main?enable=pin",
"Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker_release.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/docker_release.yml/main?enable=pin",
"Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker_release.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/docker_release.yml/main?enable=pin",
"Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker_release.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/docker_release.yml/main?enable=pin",
"Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/docs.yml/main?enable=pin",
"Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/go.yml/main?enable=pin",
"Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/go.yml/main?enable=pin",
"Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/go.yml/main?enable=pin",
"Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:139: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/go.yml/main?enable=pin",
"Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:144: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/go.yml/main?enable=pin",
"Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:149: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/go.yml/main?enable=pin",
"Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:168: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/go.yml/main?enable=pin",
"Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/go.yml/main?enable=pin",
"Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/go.yml/main?enable=pin",
"Warn: third-party GitHubAction not pinned by hash: .github/workflows/go.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/go.yml/main?enable=pin",
"Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/integration.yml/main?enable=pin",
"Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/integration.yml/main?enable=pin",
"Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/integration.yml/main?enable=pin",
"Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yml:87: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/integration.yml/main?enable=pin",
"Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yml:92: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/integration.yml/main?enable=pin",
"Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yml:114: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/integration.yml/main?enable=pin",
"Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/scorecard.yml/main?enable=pin",
"Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/scorecard.yml/main?enable=pin",
"Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/solidity.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/solidity.yml/main?enable=pin",
"Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/solidity.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/solidity.yml/main?enable=pin",
"Warn: containerImage not pinned by hash: Dockerfile:14",
"Warn: containerImage not pinned by hash: Dockerfile:35",
"Warn: containerImage not pinned by hash: Dockerfile:52",
"Warn: containerImage not pinned by hash: Dockerfile:64",
"Warn: containerImage not pinned by hash: Dockerfile:73",
"Warn: downloadThenRun not pinned by hash: Dockerfile:68",
"Warn: pipCommand not pinned by hash: .github/workflows/docs.yml:36",
"Info: 1 out of 23 GitHub-owned GitHubAction dependencies pinned",
"Info: 1 out of 10 third-party GitHubAction dependencies pinned",
"Info: 0 out of 1 pipCommand dependencies pinned",
"Info: 1 out of 1 npmCommand dependencies pinned",
"Info: 0 out of 5 containerImage dependencies pinned",
"Info: 0 out of 1 downloadThenRun dependencies pinned"
],
"documentation": {
"short": "Determines if the project has declared and pinned the dependencies of its build process.",
"url": "https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#pinned-dependencies"
}
},
{
"name": "SAST",
"score": 0,
"reason": "SAST tool is not run on all commits -- score normalized to 0",
"details": [
"Warn: 0 commits out of 22 are checked with a SAST tool",
"Warn: CodeQL tool not detected"
],
"documentation": {
"short": "Determines if the project uses static code analysis.",
"url": "https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#sast"
}
},
{
"name": "Security-Policy",
"score": 9,
"reason": "security policy file detected",
"details": [
"Info: security policy file detected: SECURITY.md:1",
"Info: Found linked content: SECURITY.md:1",
"Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy: On GitHub:\nEnable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository\nAdd a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities.\nOn GitLab:\nAdd a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project.\nExamples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)",
"Info: Found text in security policy: SECURITY.md:1"
],
"documentation": {
"short": "Determines if the project has published a security policy.",
"url": "https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#security-policy"
}
},
{
"name": "Signed-Releases",
"score": -1,
"reason": "no releases found",
"details": [
"Warn: no GitHub releases found"
],
"documentation": {
"short": "Determines if the project cryptographically signs release artifacts.",
"url": "https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#signed-releases"
}
},
{
"name": "Token-Permissions",
"score": 0,
"reason": "detected GitHub workflow tokens with excessive permissions",
"details": [
"Warn: no topLevel permission defined: .github/workflows/docker_main.yml:1: Visit https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/docker_main.yml/main?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)",
"Info: jobLevel 'contents' permission set to 'read': .github/workflows/docker_main.yml:15",
"Warn: no topLevel permission defined: .github/workflows/docker_release.yml:1: Visit https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/docker_release.yml/main?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)",
"Info: jobLevel 'contents' permission set to 'read': .github/workflows/docker_release.yml:12",
"Warn: no topLevel permission defined: .github/workflows/docs.yml:1: Visit https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/docs.yml/main?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)",
"Warn: jobLevel 'contents' permission set to 'write': .github/workflows/docs.yml:14: Verify which permissions are needed and consider whether you can reduce them. (High effort)",
"Warn: no topLevel permission defined: .github/workflows/go.yml:1: Visit https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/go.yml/main?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)",
"Warn: no topLevel permission defined: .github/workflows/integration.yml:1: Visit https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/integration.yml/main?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)",
"Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:18",
"Warn: no topLevel permission defined: .github/workflows/solidity.yml:1: Visit https://app.stepsecurity.io/secureworkflow/hyperledger/firefly/solidity.yml/main?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)"
],
"documentation": {
"short": "Determines if the project's workflows follow the principle of least privilege.",
"url": "https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#token-permissions"
}
},
{
"name": "Vulnerabilities",
"score": 0,
"reason": "15 existing vulnerabilities detected",
"details": [
"Warn: Project is vulnerable to: GHSA-8r3f-844c-mc37 / GO-2024-2611",
"Warn: Project is vulnerable to: GHSA-8hc4-vh64-cxmj",
"Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg",
"Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x",
"Warn: Project is vulnerable to: GHSA-434g-2637-qmqr",
"Warn: Project is vulnerable to: GHSA-49q7-c7j4-3p7m",
"Warn: Project is vulnerable to: GHSA-977x-g7h5-7qgw",
"Warn: Project is vulnerable to: GHSA-f7q4-pwc6-w24p",
"Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747",
"Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv",
"Warn: Project is vulnerable to: GHSA-584q-6j8j-r5pm",
"Warn: Project is vulnerable to: GHSA-9qxr-qj54-h672",
"Warn: Project is vulnerable to: GHSA-m4v8-wqvr-p9f7",
"Warn: Project is vulnerable to: GHSA-c76h-2ccp-4975",
"Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q"
],
"documentation": {
"short": "Determines if the project has open, known unfixed vulnerabilities.",
"url": "https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#vulnerabilities"
}
}
]
}
Why is this needed?
This is needed to match the requirements set by the LFDT
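The Pinned-Dependencies findings above all come down to one rule: a reference is only "pinned by hash" when it names immutable content (a full 40-hex commit SHA for a GitHub Action, a `sha256:` digest for a container image, `--require-hashes` for a pip install); a tag such as `v4` or a branch such as `main` can be moved after the fact and so does not count. The checker below is an added example, written for this page rather than taken from the FireFly repository or from Scorecard's own implementation; it approximates the check over constructed sample inputs so the three forms the report lists (GitHubAction, containerImage, pipCommand) can be seen side by side with the form the check accepts. The commit SHA and image digest in the samples are obvious placeholders, not real pins.

```python
import re

# Constructed sample inputs, not taken from the FireFly repository. Each mixes
# the form Scorecard warns about ("not pinned by hash") with the form it accepts.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5.0.0
      - uses: docker/login-action@main
      - uses: ./.github/actions/local-step
"""

SAMPLE_DOCKERFILE = (
    "FROM golang:1.22-alpine AS builder\n"
    "RUN pip install mkdocs==1.5.3\n"
    "RUN pip install --require-hashes -r requirements.txt\n"
    "FROM alpine:3.19@sha256:" + "0" * 64 + "\n"  # placeholder digest, not a real one
    "COPY --from=builder /out/app /app\n"
)

COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
IMAGE_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FROM_LINE = re.compile(r"^\s*FROM\s+(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
PIP_INSTALL = re.compile(r"\bpip3?\s+install\b")


def classify_action_ref(ref):
    """Classify the ref part of `uses: owner/repo@ref` the way the check does:
    only a full 40-hex commit SHA counts as pinned by hash."""
    if ref.startswith("./"):
        return "local"          # actions in the same repo travel with the commit
    if "@" not in ref:
        return "unpinned"       # no ref at all: resolves to the default branch
    target = ref.rsplit("@", 1)[1]
    if COMMIT_SHA.match(target):
        return "hash"
    if re.match(r"^v?\d", target):
        return "tag"            # e.g. v4: a mutable tag, not a hash
    return "branch"             # e.g. main


def find_unpinned_actions(workflow_text):
    """Return (line_no, ref) for every `uses:` that is neither local nor a hash pin."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_LINE.match(line)
        if m and classify_action_ref(m.group(1)) not in ("local", "hash"):
            findings.append((line_no, m.group(1)))
    return findings


def find_unpinned_dockerfile(dockerfile_text):
    """Return (line_no, kind, text) for FROM images without a digest and for
    pip installs that do not enforce hashes."""
    findings = []
    stages = set()
    for line_no, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_LINE.match(line)
        if m:
            image, alias = m.group(1), m.group(2)
            if alias:
                stages.add(alias)
            # `scratch` and earlier build stages have no registry content to pin
            if image != "scratch" and image not in stages and not IMAGE_DIGEST.search(image):
                findings.append((line_no, "containerImage", image))
            continue
        if PIP_INSTALL.search(line) and "--require-hashes" not in line:
            findings.append((line_no, "pipCommand", line.strip()))
    return findings


def summarize(workflow_text, dockerfile_text):
    """Totals in the spirit of the 'N out of M ... pinned' Info lines in the report."""
    uses_total = sum(1 for l in workflow_text.splitlines() if USES_LINE.match(l))
    return {
        "actions_unpinned": len(find_unpinned_actions(workflow_text)),
        "actions_total": uses_total,
        "docker_findings": len(find_unpinned_dockerfile(dockerfile_text)),
    }


if __name__ == "__main__":
    for line_no, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"workflow:{line_no}: GitHubAction not pinned by hash: {ref}")
    for line_no, kind, text in find_unpinned_dockerfile(SAMPLE_DOCKERFILE):
        print(f"Dockerfile:{line_no}: {kind} not pinned by hash: {text}")
    print(summarize(SAMPLE_WORKFLOW, SAMPLE_DOCKERFILE))
```

The accepted form is the `setup-go` line in the sample: the full commit SHA with the human-readable version kept in a trailing comment. That comment is also what lets a dependency update tool (the report records Dependabot as already in use) bump the SHA when a new release is tagged, so hash pinning does not mean freezing the action forever.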