Add OpenSSF Best Practices #61
Comments
claudioandre-br
added
documentation
Accepted. |
|
Thank you. |
|
Done. |
|
@claudioandre-br Somehow today I got the codefactor.io authorization again, and approved it again. What's worse, I don't see it among the approved third-party apps - I only see Azure Pipelines and Travis CI there. Also, the authorization request is worded as granting access to "private resources", which doesn't sound like something we actually want here (what private resources? we have no private repos). Here's what those e-mails say: |
I saw this happening more than once (you need to authorize twice). There are two connectors Github x Codefactor. Don't ask why, I don't kwow the answer. Both links to my settings(?) page. Now codefactor badge and repo grade are updated (so, things are fully working). It wasn't some time ago. I guess we can use codefactor in private repositories. Since they don't exist, we are safe. If you create one later, we can review or revoke the setting. We can also revoke the access now and see what happens (it only needs to create a webhook once). No need to request to go to your medical doctor with you. |
|
The remaining issues are listed below [1]:
[1] Ok, the content present here (the project itself) is simple.
|
@claudioandre-br I hope those links you posted are not security-sensitive, but just in case we might want to remove them from here. The IDs in them appear specific to your account anyway, so not useful here. |
Don't worry, if Github is drunk and you can access them, you need to provide 2FA/MFA. |
I meant that attacks on web apps often involve tricky and unexpected interactions of different things, and a copy of some normally secret material, even if not sufficient on its own, could turn out to be precisely the missing bit for a successful attack. But I don't worry much. |
|
I removed it (also from history). |
|
Follow up:
Codefactor.io is an OAuth application. It's nothing or everything. I think this will get better some day; we all agree that the request is invasive. An evolution:
Above, an example of another Github app (which does something else). Newer and better. The wording is the same, but it allows people to adjust what is shared. |
|
@claudioandre-br Do you suggest any specific action now? Do you need anything from me? |
|
No, thanks. Github should enforce best practices and all these companies (codefactor is the focus now) should invest in improvements. |
|
@claudioandre-br I mean, do we possibly need to revoke permissions? If you're not going to use this app. |
|
I'm afraid it will stop working properly sometime if we revoke the permissions. But, if you feel uncomfortable with the current permissions, I think you can revoke without removing. I enjoy the checking they are doing. |
|
@claudioandre-br Oh, OK. I think I misinterpreted some of what you wrote. I'll leave things as they are for now. |
claudioandre-br
added
the
Done
1. Is your feature request related to a problem? Please describe.
Audit this repository as seen at https://bestpractices.coreinfrastructure.org/projects/7525
2. Describe the solution you'd like
Add the checklist for the repository practices.
3. Additional context
OpenSSF Best Practices
@solardiz , when you have some free time could you please accept the access request you (probably) received some days ago?
This will authorize codefactor (https://www.codefactor.io/repository/github/openwall/john-packages) to run and scan all commits.
The text was updated successfully, but these errors were encountered: