OSSF Scorecard
Still to be inspected and configured; I've installed the OSSF Scorecard as a GitHub Action into the Dev Site repo. There's now a badge on the README showing the latest report run (triggered on every commit).
It generates a report like: https://securityscorecards.dev/viewer/?uri=github.com/TBD54566975/developer.tbd.website
More about OSSF Scorecards: https://securityscorecards.dev/
@ALR looks good - I don't see it mention licenses of transitive dependencies though
Yeah it doesn’t do that
This is scoring the repo in question
Snyk and Mend do that
similar to renovatebot etc - a good project should be wary of bringing in things to adhere to the license policy
yeah, exactly
also, I may type licence as well as license interchangeably
I like that scorecard
Yeah the scorecard is a nice featureset
all this stuff is grown up now
And I’d use it in combination with something like Snyk or Mend, which do dependency scanning
yep
Really the topic of supply chain security is a comprehensive set of areas to cover, each with a tool chain that solves some dimensions
Securing things in the audit trail source to distro and everything in between
(Followers - I’ve an internal doc outlining all areas to cover, haven’t vetted it yet for sharing publicly as this involves security for our ecosystem)
we have been slightly bitten by licenses from time to time, so good to shift as many checks left as we can (which snyk/mend can do)
Yep
And for dependency scanning I have the sense we’ll be choosing one of those anyway
Unless dependabot really impresses. Going to talk to the GitHub folks about that too
it's weird I know the founders of whitesource (mend) and snyk well
just coincidence
yeah - it does a lot of what snyk did for the basics/commodity of upgrading
It’s a small world in OSS
it is
For this too I want a unified Dashboard across projects
Else we have to look after dependencies one by one in each repo - and configure those builds to fail in case a vuln is detected
Way too ad hoc for my taste
Want the whole suite of projects secured
Mend does a nice dashboard
and reports
Yep Snyk too
so does snyk - I still get emails about it
yeah
Dependabot I am not sure what we’d need to build to consolidate
I can see ALR running a Jenkins in his basement
no school like the old school
You know I used to
Literally on this
Did I ever break a JBoss Application Server build? Hell no. Because I ran my own full testsuite before it ever hit main 🤣