OSSF Scorecard #2650
Description
Huge fan of the project! Would it be feasible to implement a few items to improve the OSSF Scorecard result?
From a run today, these were the critical issues that seem like relatively quick wins:
- **Pinned-Dependencies**
  - Score: 0/10 🚨 Critical
  - Status: dependency not pinned by hash detected -- score normalized to 0
  - Info: Determines if the project has declared and pinned the dependencies of its build process.
  - Docs: https://github.com/ossf/scorecard/blob/80ee3ecfedf8b19ab8991713a9fdb2e7dcd7262e/docs/checks.md#pinned-dependencies
- **Security-Policy**
  - Score: 0/10 🚨 Critical
  - Status: security policy file not detected
  - Info: Determines if the project has published a security policy.
  - Docs: https://github.com/ossf/scorecard/blob/80ee3ecfedf8b19ab8991713a9fdb2e7dcd7262e/docs/checks.md#security-policy
- **Signed-Releases**
  - Score: 0/10 🚨 Critical
  - Status: Project has not signed or included provenance with any releases.
  - Info: Determines if the project cryptographically signs release artifacts.
  - Docs: https://github.com/ossf/scorecard/blob/80ee3ecfedf8b19ab8991713a9fdb2e7dcd7262e/docs/checks.md#signed-releases
- **Token-Permissions**
  - Score: 0/10 🚨 Critical
  - Status: detected GitHub workflow tokens with excessive permissions
  - Info: Determines if the project's workflows follow the principle of least privilege.
  - Docs: https://github.com/ossf/scorecard/blob/80ee3ecfedf8b19ab8991713a9fdb2e7dcd7262e/docs/checks.md#token-permissions
The last one is already partly implemented by #1168 - just need to add the top-level `permissions:` section to the other items in `.github/workflows`, I think.
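To make the Pinned-Dependencies and Token-Permissions findings concrete, here is an added example (not code from this project or from the issue author) that checks a GitHub Actions workflow for `uses:` references not pinned to a full commit SHA and for a missing workflow-scope `permissions:` block; the "before" and corrected workflow texts are constructed, and the SHAs in the corrected one are placeholders.

```python
# Added example, not code from the project or from this issue: a dependency-free
# check for the two Scorecard findings quoted above, run against a constructed
# GitHub Actions workflow (the "before") and its corrected form (the "after").
import re

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")            # full commit SHA = pinned by hash
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")  # `uses:` lines at any indent

def unpinned_actions(workflow: str) -> list[str]:
    findings = []  # remote action refs (owner/repo@ref) whose ref is a tag/branch
    for line in workflow.splitlines():
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        _, _, version = ref.partition("@")
        if not SHA_PIN.match(version):
            findings.append(ref)
    return findings

def has_top_level_permissions(workflow: str) -> bool:
    return any(line.startswith("permissions:") for line in workflow.splitlines())

# Constructed "before": version tags instead of SHAs and no top-level permissions.
BEFORE = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
"""

# Corrected form: least-privilege GITHUB_TOKEN at workflow scope and hash-pinned
# actions (the SHAs below are placeholders; pin to the real commit of the tag).
AFTER = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4 (placeholder SHA)
      - uses: actions/setup-go@1111111111111111111111111111111111111111  # v5 (placeholder SHA)
"""
```

A job-level `permissions:` block (indented under a job) is not counted by `has_top_level_permissions`, which mirrors the issue's point about adding the top-level section.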