
Add OSSF Scorecard #6769

Merged
merged 7 commits into from
Mar 20, 2024
Conversation

@matmair (Contributor) commented Mar 20, 2024

This adds an action to run the OSSF scorecard check regularly. The scorecard project checks for accordance with best practices - with a focus on security.

WARNING: this will start opening security/code scanning notices when it finds things; not everything needs to be acted on immediately. I would triage those for the next few weeks until it gets quiet.

This PR also includes a few initial (automatic) security process improvements:

  • dependabot settings (automatically checks for vulnerabilities in our lock files daily)
  • adjust permissions for workflows (explicitly set them low)
  • pins a few actions that were forgotten
  • adds a pre-commit step to check for security issues in the settings

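Two of the items in the description above, pinning actions and setting workflow permissions explicitly low, are the kind of thing OSSF Scorecard's Pinned-Dependencies and Token-Permissions checks report on. The block below is an added example, not code from this pull request or from the InvenTree project: a stdlib-only Python linter that flags `uses:` references not pinned to a full commit SHA and a missing workflow-level `permissions:` block, then rewrites a constructed sample workflow into the hardened form. The sample workflow, the placeholder SHAs, and the `harden` helper are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Union

# Constructed sample workflow (not a file from the InvenTree repository):
# one action pinned to a full commit SHA, one pinned only to a mutable tag,
# one local action, and no workflow-level `permissions:` block at all.
# The 40-hex strings are placeholders, not real upstream commits.
CHECKOUT_SHA = "0123456789abcdef0123456789abcdef01234567"
SETUP_PYTHON_SHA = "89abcdef0123456789abcdef0123456789abcdef"

SAMPLE_WORKFLOW = f"""\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{CHECKOUT_SHA} # v4.1.1
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/local-step
      - run: pip install -r requirements.txt
"""

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
TOP_LEVEL_PERMISSIONS = re.compile(r"^permissions:\s*(.*)$")


def unpinned_actions(workflow_text: str) -> List[str]:
    """Return every `uses:` reference not pinned to a full 40-hex commit SHA.

    A tag (@v5) or branch (@main) is mutable: whoever controls the action
    repository can move it, so a later run executes different code.
    Local actions (./path) and docker:// images are out of scope here.
    """
    findings = []
    for line in workflow_text.splitlines():
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        version = ref.rsplit("@", 1)[1] if "@" in ref else ""
        if not SHA_PIN.match(version):
            findings.append(ref)
    return findings


def top_level_permissions(workflow_text: str) -> Optional[Union[str, Dict[str, str]]]:
    """Return the workflow-level `permissions:` value, or None when absent.

    Absent means each job gets the repository's default GITHUB_TOKEN scope.
    Returns the scalar form ("read-all", "write-all", "{}") as a string or
    the mapping form (contents: read, ...) as a dict.
    """
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = TOP_LEVEL_PERMISSIONS.match(line)
        if not m:
            continue
        scalar = m.group(1).strip()
        if scalar:
            return scalar
        mapping = {}
        for nxt in lines[i + 1:]:
            if not nxt.startswith(" "):
                break
            key, _, value = nxt.strip().partition(":")
            mapping[key.strip()] = value.strip()
        return mapping
    return None


def harden(workflow_text: str, pins: Dict[str, str]) -> str:
    """Pin tag references via `pins` (action name -> commit SHA) and add
    `permissions: read-all` at workflow level when nothing is set.

    The original tag is kept as a trailing comment so a reader (or an
    update bot) can still tell which release the SHA corresponds to.
    """
    out = []
    for line in workflow_text.splitlines():
        m = USES_LINE.match(line)
        if m and "@" in m.group(1):
            ref = m.group(1)
            name, tag = ref.rsplit("@", 1)
            if name in pins and not SHA_PIN.match(tag):
                line = line.replace(ref, f"{name}@{pins[name]} # {tag}", 1)
        out.append(line)
    if top_level_permissions("\n".join(out)) is None:
        # Insert directly above `jobs:` so the block sits at workflow level.
        idx = next((i for i, l in enumerate(out) if l.startswith("jobs:")), 0)
        out[idx:idx] = ["permissions: read-all", ""]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("unpinned:", unpinned_actions(SAMPLE_WORKFLOW))
    print("permissions:", top_level_permissions(SAMPLE_WORKFLOW))
    print(harden(SAMPLE_WORKFLOW, {"actions/setup-python": SETUP_PYTHON_SHA}))
```

The line-based scan is deliberate: a real workflow is YAML, but `uses:` and a column-0 `permissions:` key are regular enough that no YAML parser is needed for this check, which keeps the script usable as a pre-commit hook without extra dependencies. Workflow-level `read-all` is a floor; individual jobs that need to write (for example to open an issue) then request that scope explicitly in their own `permissions:` block.
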
matmair and others added 5 commits March 20, 2024 21:37
* Add OSSF Scorecard (#179)

* Create scorecard.yml

* Add badge

* disable publishing

* [StepSecurity] Apply security best practices (#180)

* [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>

* Update .pre-commit-config.yaml

* Update dependabot.yml

* Delete .github/workflows/dependency-review.yml

---------

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: Matthias Mair <code@mjmair.com>

---------

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: StepSecurity Bot <bot@stepsecurity.io>
@matmair matmair added CI CI / unit testing ecosystem security Relates to a security issue labels Mar 20, 2024
@matmair matmair self-assigned this Mar 20, 2024
netlify bot commented Mar 20, 2024

Deploy Preview for inventree-web-pui-preview canceled.

Latest commit: 88f0723
Latest deploy log: https://app.netlify.com/sites/inventree-web-pui-preview/deploys/65fb506ca427dd0008f9535b

@matmair matmair marked this pull request as ready for review March 20, 2024 21:15
@matmair (Contributor, Author) commented Mar 20, 2024

No idea why the link checks are failing, but ready for review @SchrodingersGat

@matmair matmair added the enhancement This is a suggested enhancement or new feature label Mar 20, 2024
@SchrodingersGat SchrodingersGat merged commit b46b200 into inventree:master Mar 20, 2024
21 of 22 checks passed
@SchrodingersGat (Member) commented

@matmair thanks for implementing this

@matmair matmair deleted the OSSF_score branch March 21, 2024 00:19