
docs(profile): add OpenSSF Scorecard badge to trust-signal row#42

Merged
amavashev merged 1 commit into main from docs/profile-scorecard-badge on May 2, 2026

Conversation

@amavashev
Contributor

Adds the live OpenSSF Scorecard badge (auto-updates from api.scorecard.dev) alongside the existing License / Release / CI / Coverage row.

Score basis

cycles-server: 7.4/10 as of 2026-05-02 — already above the publishable threshold (≥7).

Why this is meaningful

The Scorecard is the only independent third-party security signal in the badge row. Everything else (license, release version, CI green, coverage %) is self-reported. Scorecard is computed by OpenSSF based on observable repo state — branch protection, signed commits, dependency review, pinned dependencies, token permissions, vulnerability disclosure, SAST coverage, etc.

Background

This badge caps a session of supply-chain hardening work:

  • All 13 high-value runcycles repos now run the Scorecard workflow (cycles-server + 5 SDKs + 5 services + cycles-protocol + .github)
  • cycles-server hardened from 6.1 → 7.4 via three PRs:
    • #143 — pin all third-party action SHAs
    • #144 — tighten workflow token permissions to read-all + per-job scopes
    • #145 — patch Alpine gnutls (CVE-2026-33845 + 12 bundled gnutls CVEs)
  • The other 12 repos got the same SHA-pin + permissions sweep; their next scheduled scan should land in similar territory

Future improvements that could push above 8

  • CII Best Practices badge (separate questionnaire submission at bestpractices.coreinfrastructure.org). Realistic Passing today; Silver after small additions.
  • Branch-Protection check currently scores -1 ("internal error"). Setting up a Scorecard PAT with admin:repo scope would unblock the check and likely add ~0.5 to the overall score.
  • Code-Review check scores 0/10 because solo merges don't have approval signatures. Fixable only with another reviewer in the rotation.

Test plan

Live badge from api.scorecard.dev for cycles-server (the reference impl).
Currently 7.4/10. Auto-updates on every Scorecard scan (push to main,
branch protection changes, weekly).

This badge surfaces an independent third-party security signal alongside
the existing License / Release / CI / Coverage row. Together they cover:
license + active shipping + tested + well-tested + audited supply chain.

Background:
- All 13 high-value runcycles repos now run the Scorecard workflow
- cycles-server hardened from 6.1 → 7.4 via SHA pinning (PR #143),
  permission tightening (PR #144), Alpine gnutls patch (PR #145)
- The other 12 repos got the same SHA-pin + permissions sweep; their
  next Scorecard scan should land in similar territory

Future improvements that would push this above 8:
- OpenSSF CII Best Practices badge (separate questionnaire submission)
- Branch protection scorecard PAT (currently '-1' Internal Error on
  Branch-Protection check; setting up admin:repo PAT would unblock)
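Added example, not code from this PR or the runcycles repositories: a dependency-free Python scanner for the two workflow conditions the hardening PRs above addressed, third-party actions referenced by tag instead of a full commit SHA (#143, what the Scorecard Pinned-Dependencies check looks for) and a missing top-level `permissions:` block (#144, Token-Permissions). The sample workflow and the SHA in it are constructed, and the scanner works line by line rather than through a YAML parser.

```python
"""Flag GitHub Actions references that are not pinned to a 40-hex commit SHA
and report whether the workflow declares top-level token permissions."""
import re

# Matches `uses: owner/repo[/path]@ref`, tolerating quotes and a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(value: str) -> str:
    """Return 'local', 'docker', 'sha', 'tag' or 'unversioned' for one uses: value."""
    if value.startswith("./"):
        return "local"        # same-repo action: nothing external to pin
    if value.startswith("docker://"):
        return "docker"       # image refs are pinned by digest, checked separately
    if "@" not in value:
        return "unversioned"  # no ref at all: resolves to the default branch
    ref = value.rsplit("@", 1)[1]
    return "sha" if SHA_RE.match(ref) else "tag"


def unpinned_actions(workflow_text: str) -> list[tuple[int, str]]:
    """(line number, uses value) for each third-party action not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify_uses(m.group(1)) in ("tag", "unversioned"):
            findings.append((lineno, m.group(1)))
    return findings


def has_toplevel_permissions(workflow_text: str) -> bool:
    """True when a `permissions:` key appears at column 0 (workflow-level scope)."""
    return any(re.match(r"^permissions:", line) for line in workflow_text.splitlines())


# Constructed sample workflow mixing pinned and unpinned references; the SHA is fake.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5 (constructed SHA)
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.20
      - uses: some-org/some-action@main
"""

if __name__ == "__main__":
    for lineno, value in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {value} is not pinned to a commit SHA")
    print("top-level permissions declared:", has_toplevel_permissions(SAMPLE_WORKFLOW))
```

Run it over each file in `.github/workflows/` before a scheduled scan to see what the Pinned-Dependencies and Token-Permissions checks will pick up.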
@amavashev amavashev merged commit 48cd754 into main May 2, 2026
3 checks passed