
Adopt Secure Software Development Best Practices of OpenSSF Scorecard #159

Open
gkunz opened this issue Feb 20, 2024 · 6 comments

Comments

@gkunz
Contributor

gkunz commented Feb 20, 2024

I'd like to propose to evaluate and (selectively) adopt secure software development best practices recommended by the Open Source Security Foundation (OpenSSF) [1]. The OpenSSF Scorecard project checks various development best practices of open source projects hosted on GitHub and provides guidance on how to improve those practices [2]. The overall goal of this issue is to adopt best practices to further mature the project.

The proposed steps include:

  • running Scorecards against the ecchronos repo,
  • evaluation of the scan results of Scorecards in terms of applicability,
  • adoption and/or implementation of the recommendations considered feasible and valuable.

[1] https://openssf.org/
[2] https://github.com/ossf/scorecard/tree/main#scorecard-checks
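Two of the Scorecard checks that apply directly to GitHub workflows are Token-Permissions (is a workflow-level `permissions:` block declared, so GITHUB_TOKEN is not handed the default write scopes?) and Pinned-Dependencies (is every `uses:` reference pinned to a full commit SHA rather than a mutable tag, so a compromised or retagged action cannot be swapped in under a CI run?). Both show up in the scan result further down this thread. Below is an added example, not part of this issue or of the Scorecard project, of a stdlib-only Python audit that reproduces just those two rules over two constructed workflows: a weak one with no top-level permissions and tag-pinned actions, and its hardened counterpart. The action name `example-org/pdk-validate-action` and both 40-character SHAs are placeholders; a real SHA is resolved from the tag (for example with `git ls-remote`) before committing. Scorecard's own implementation is the authoritative one and also covers cases this example skips, such as Dockerfile `FROM` images.

```python
"""Added example (not part of the original issue or of the Scorecard project):
a stdlib-only audit of GitHub Actions workflow text modelled on two Scorecard
rules, Token-Permissions (top-level `permissions:` declared?) and
Pinned-Dependencies (every `uses:` pinned to a full commit SHA?)."""
import re

# `uses: owner/repo@ref` or `uses: owner/repo/path@ref`, optional quotes and a
# trailing "# vX.Y.Z" comment (the conventional way to keep the human-readable
# version next to the pinned SHA).
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"@]+)@([^\s'"]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# A `permissions:` key at column 0 is the workflow-level (top-level) block;
# job-level blocks are indented and do not satisfy this rule.
TOP_LEVEL_PERMISSIONS_RE = re.compile(r"^permissions:", re.MULTILINE)


def audit_workflow(path, text):
    """Return Scorecard-style warnings for one workflow; empty list if clean."""
    findings = []
    if not TOP_LEVEL_PERMISSIONS_RE.search(text):
        findings.append(f"Warn: no topLevel permission defined: {path}:1")
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue  # not a `uses:` step (local `./...` actions carry no @ref and are skipped too)
        action, ref = match.groups()
        if action.startswith("docker://"):
            continue  # container images are a separate Scorecard rule, not modelled here
        if not FULL_SHA_RE.match(ref):
            origin = "GitHub-owned" if action.startswith(("actions/", "github/")) else "third-party"
            findings.append(f"Warn: {origin} GitHubAction not pinned by hash: {path}:{lineno}")
    return findings


# Constructed sample modelled on the kind of workflow Scorecard flags: no
# top-level permissions, actions referenced by mutable tag.
WEAK_WORKFLOW = """\
name: run-pdk-validate
on: [pull_request]
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/pdk-validate-action@v1   # placeholder third-party action
"""

# Hardened form: GITHUB_TOKEN restricted to read-only repository contents and
# every action pinned to a full commit SHA, with the tag kept in a comment for
# readability. The SHAs are placeholders; resolve the real one from the tag
# (e.g. with `git ls-remote`) before committing.
HARDENED_WORKFLOW = """\
name: run-pdk-validate
on: [pull_request]
permissions:
  contents: read
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.4
      - uses: example-org/pdk-validate-action@89abcdef0123456789abcdef0123456789abcdef # v1.2.0
"""


if __name__ == "__main__":
    for name, text in (("weak.yml", WEAK_WORKFLOW), ("hardened.yml", HARDENED_WORKFLOW)):
        findings = audit_workflow(f".github/workflows/{name}", text)
        print(name, "->", findings or "no findings")
```

Running the block reports three warnings for the weak workflow (missing top-level permissions plus one GitHub-owned and one third-party action not pinned by hash, with file:line locations in the same shape Scorecard prints) and none for the hardened one. Once actions are pinned by SHA, Dependabot's `github-actions` ecosystem can keep the SHAs and the version comments updated, which is why pinning and the update tool are usually adopted together.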

@gkunz
Contributor Author

gkunz commented Feb 20, 2024

Below is a scan result of the current state of the repo:

Low-hanging fruits seem to be

  • addition of a SECURITY.MD file,
  • configuration of GITHUB_TOKEN permissions,
  • branch protection settings
  • enable CodeQL
  • enable dependabot
  • pin versions of GitHub Actions (and manage updates through Dependabot)

Results:

    {
      "date": "2024-02-20T21:53:07+01:00",
      "repo": {
        "name": "github.com/Ericsson/puppet-module-vas",
        "commit": "9e62b6cdef75b376adc6009979c341f73131d5aa"
      },
      "scorecard": {
        "version": "(devel)",
        "commit": "unknown"
      },
      "score": 4.8,
      "checks": [
        {
          "details": null,
          "score": 10,
          "reason": "no binaries found in the repo",
          "name": "Binary-Artifacts",
          "documentation": {
            "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts",
            "short": "Determines if the project has generated executable (binary) artifacts in the source repository."
          }
        },
        {
          "details": [
            "Warn: branch protection not enabled for branch 'master'"
          ],
          "score": 0,
          "reason": "branch protection not enabled on development/release branches",
          "name": "Branch-Protection",
          "documentation": {
            "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection",
            "short": "Determines if the default and release branches are protected with GitHub's branch protection settings."
          }
        },
        {
          "details": null,
          "score": 10,
          "reason": "11 out of 11 merged PRs checked by a CI test -- score normalized to 10",
          "name": "CI-Tests",
          "documentation": {
            "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests",
            "short": "Determines if the project runs tests before pull requests are merged."
          }
        },
        {
          "details": null,
          "score": 0,
          "reason": "no effort to earn an OpenSSF best practices badge detected",
          "name": "CII-Best-Practices",
          "documentation": {
            "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices",
            "short": "Determines if the project has an OpenSSF (formerly CII) Best Practices Badge."
          }
        },
        {
          "details": null,
          "score": 6,
          "reason": "found 4 unreviewed changesets out of 11 -- score normalized to 6",
          "name": "Code-Review",
          "documentation": {
            "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review",
            "short": "Determines if the project requires human code review before pull requests (aka merge requests) are merged."
          }
        },
        {
          "details": [
            "Info: maestrodev contributor org/company found, ofa-alumni contributor org/company found, herffjones-ssg contributor org/company found, tailored-automation contributor org/company found, kodguru contributor org/company found, voxpupuli contributor org/company found, cidresearch contributor org/company found, red hat contributor org/company found, fossetcon contributor org/company found, "
          ],
          "score": 10,
          "reason": "project has 9 contributing companies or organizations",
          "name": "Contributors",
          "documentation": {
            "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#contributors",
            "short": "Determines if the project has a set of contributors from multiple organizations (e.g., companies)."
          }
        },
        {
          "details": null,
          "score": 10,
          "reason": "no dangerous workflow patterns detected",
          "name": "Dangerous-Workflow",
          "documentation": {
            "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow",
            "short": "Determines if the project's GitHub Action workflows avoid dangerous patterns."
          }
        },
        {
          "details": [
            "Warn: tool 'RenovateBot' is not used",
            "Warn: tool 'Dependabot' is not used",
            "Warn: tool 'PyUp' is not used"
          ],
          "score": 0,
          "reason": "no update tool detected",
          "name": "Dependency-Update-Tool",
          "documentation": {
            "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool",
            "short": "Determines if the project uses a dependency update tool."
          }
        },
        {
          "details": [
            "Warn: no OSSFuzz integration found",
            "Warn: no GoBuiltInFuzzer integration found",
            "Warn: no PythonAtherisFuzzer integration found",
            "Warn: no CLibFuzzer integration found",
            "Warn: no CppLibFuzzer integration found",
            "Warn: no SwiftLibFuzzer integration found",
            "Warn: no RustCargoFuzzer integration found",
            "Warn: no JavaJazzerFuzzer integration found",
            "Warn: no ClusterFuzzLite integration found",
            "Warn: no HaskellPropertyBasedTesting integration found",
            "Warn: no TypeScriptPropertyBasedTesting integration found",
            "Warn: no JavaScriptPropertyBasedTesting integration found"
          ],
          "score": 0,
          "reason": "project is not fuzzed",
          "name": "Fuzzing",
          "documentation": {
            "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing",
            "short": "Determines if the project uses fuzzing."
          }
        },
        {
          "details": [
            "Info: FSF or OSI recognized license: LICENSE:1",
            "Info: License file found in expected location: LICENSE:1"
          ],
          "score": 10,
          "reason": "license file detected",
          "name": "License",
          "documentation": {
            "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#license",
            "short": "Determines if the project has defined a license."
          }
        },
        {
          "details": null,
          "score": 10,
          "reason": "22 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10",
          "name": "Maintained",
          "documentation": {
            "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained",
            "short": "Determines if the project is \"actively maintained\"."
          }
        },
        {
          "details": [
            "Warn: no GitHub/GitLab publishing workflow detected."
          ],
          "score": -1,
          "reason": "packaging workflow not detected",
          "name": "Packaging",
          "documentation": {
            "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#packaging",
            "short": "Determines if the project is published as a package that others can easily download, install, easily update, and uninstall."
          }
        },
        {
          "details": [
            "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/run-pdk-tests-on-puppet-7.yml:12",
            "Warn: third-party GitHubAction not pinned by hash: .github/workflows/run-pdk-tests-on-puppet-7.yml:16",
            "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/run-pdk-tests-on-puppet-8.yml:12",
            "Warn: third-party GitHubAction not pinned by hash: .github/workflows/run-pdk-tests-on-puppet-8.yml:16",
            "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/run-pdk-validate.yml:13",
            "Warn: third-party GitHubAction not pinned by hash: .github/workflows/run-pdk-validate.yml:17",
            "Warn: containerImage not pinned by hash: .devcontainer/Dockerfile:1: pin your Docker image by updating puppet/pdk:latest to puppet/pdk:latest@sha256:5a09d85e064e67d0884523e28ed2ceaf1f90f1aa8608374e3e42e4467951e422",
            "Info:   0 out of   3 GitHub-owned GitHubAction dependencies pinned",
            "Info:   0 out of   3 third-party GitHubAction dependencies pinned",
            "Info:   0 out of   1 containerImage dependencies pinned"
          ],
          "score": 0,
          "reason": "dependency not pinned by hash detected -- score normalized to 0",
          "name": "Pinned-Dependencies",
          "documentation": {
            "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies",
            "short": "Determines if the project has declared and pinned the dependencies of its build process."
          }
        },
        {
          "details": [
            "Warn: 0 commits out of 30 are checked with a SAST tool"
          ],
          "score": 0,
          "reason": "SAST tool is not run on all commits -- score normalized to 0",
          "name": "SAST",
          "documentation": {
            "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast",
            "short": "Determines if the project uses static code analysis."
          }
        },
        {
          "details": [
            "Warn: no security policy file detected",
            "Warn: no security file to analyze",
            "Warn: no security file to analyze",
            "Warn: no security file to analyze"
          ],
          "score": 0,
          "reason": "security policy file not detected",
          "name": "Security-Policy",
          "documentation": {
            "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy",
            "short": "Determines if the project has published a security policy."
          }
        },
        {
          "details": null,
          "score": -1,
          "reason": "no releases found",
          "name": "Signed-Releases",
          "documentation": {
            "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases",
            "short": "Determines if the project cryptographically signs release artifacts."
          }
        },
        {
          "details": [
            "Warn: no topLevel permission defined: .github/workflows/run-pdk-tests-on-puppet-7.yml:1",
            "Warn: no topLevel permission defined: .github/workflows/run-pdk-tests-on-puppet-8.yml:1",
            "Warn: no topLevel permission defined: .github/workflows/run-pdk-validate.yml:1",
            "Info: no jobLevel write permissions found"
          ],
          "score": 0,
          "reason": "detected GitHub workflow tokens with excessive permissions",
          "name": "Token-Permissions",
          "documentation": {
            "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions",
            "short": "Determines if the project's workflows follow the principle of least privilege."
          }
        },
        {
          "details": null,
          "score": 10,
          "reason": "0 existing vulnerabilities detected",
          "name": "Vulnerabilities",
          "documentation": {
            "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities",
            "short": "Determines if the project has open, known unfixed vulnerabilities."
          }
        }
      ],
      "metadata": null
    }
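To see how the 4.8 above is composed, and which of the failing checks are worth the most, here is an added example (not part of this issue or of the Scorecard code base) that recomputes Scorecard's aggregate from the per-check scores in the JSON and ranks the remediations by the aggregate they buy. It uses the risk levels and weights documented in the Scorecard README at the time of writing (Critical 10, High 7.5, Medium 5, Low 2.5, with checks scored -1 excluded from the average); if a later release changes those tables, the two dictionaries need updating. `LOW_HANGING` is the six-item list above mapped onto the checks each item satisfies.

```python
"""Added example (not part of the original issue or of the Scorecard project):
recompute Scorecard's weighted aggregate from the per-check scores above and
rank the failing checks by how much aggregate each fix is worth."""

# Weights per risk level, as documented in the Scorecard README at the time of
# writing. Checks scored -1 (inconclusive / not applicable) are excluded.
RISK_WEIGHT = {"Critical": 10.0, "High": 7.5, "Medium": 5.0, "Low": 2.5}

# Risk level of each check, from the Scorecard checks documentation.
CHECK_RISK = {
    "Binary-Artifacts": "High",
    "Branch-Protection": "High",
    "CI-Tests": "Low",
    "CII-Best-Practices": "Low",
    "Code-Review": "High",
    "Contributors": "Low",
    "Dangerous-Workflow": "Critical",
    "Dependency-Update-Tool": "High",
    "Fuzzing": "Medium",
    "License": "Low",
    "Maintained": "High",
    "Packaging": "Medium",
    "Pinned-Dependencies": "Medium",
    "SAST": "Medium",
    "Security-Policy": "Medium",
    "Signed-Releases": "High",
    "Token-Permissions": "High",
    "Vulnerabilities": "High",
}

# Per-check scores copied from the scan result posted above.
SCAN = {
    "Binary-Artifacts": 10, "Branch-Protection": 0, "CI-Tests": 10,
    "CII-Best-Practices": 0, "Code-Review": 6, "Contributors": 10,
    "Dangerous-Workflow": 10, "Dependency-Update-Tool": 0, "Fuzzing": 0,
    "License": 10, "Maintained": 10, "Packaging": -1,
    "Pinned-Dependencies": 0, "SAST": 0, "Security-Policy": 0,
    "Signed-Releases": -1, "Token-Permissions": 0, "Vulnerabilities": 10,
}

# The six low-hanging fruits listed above, mapped to the checks they satisfy
# (SECURITY.md, GITHUB_TOKEN permissions, branch protection, CodeQL,
# Dependabot, hash-pinned actions).
LOW_HANGING = ["Security-Policy", "Token-Permissions", "Branch-Protection",
               "SAST", "Dependency-Update-Tool", "Pinned-Dependencies"]


def _weight(name):
    return RISK_WEIGHT[CHECK_RISK[name]]


def aggregate(scores):
    """Weighted mean of the applicable (non -1) check scores, on a 0..10 scale."""
    applicable = {n: s for n, s in scores.items() if s != -1}
    total_weight = sum(_weight(n) for n in applicable)
    if total_weight == 0:
        return 0.0
    return sum(_weight(n) * s for n, s in applicable.items()) / total_weight


def remediation_order(scores):
    """Failing checks as (aggregate gain if raised to 10, name), biggest first.

    Ties are broken alphabetically so the order is stable.
    """
    total_weight = sum(_weight(n) for n, s in scores.items() if s != -1)
    gains = [
        (round(_weight(n) * (10 - s) / total_weight, 2), n)
        for n, s in scores.items()
        if s not in (-1, 10)
    ]
    return sorted(gains, key=lambda g: (-g[0], g[1]))


def projected(scores, fixed):
    """Aggregate after the named checks are brought to a full 10."""
    new_scores = dict(scores)
    for name in fixed:
        new_scores[name] = 10
    return aggregate(new_scores)


if __name__ == "__main__":
    print(f"current aggregate: {aggregate(SCAN):.1f}")
    for gain, name in remediation_order(SCAN):
        print(f"  +{gain:.2f}  {name} ({CHECK_RISK[name]})")
    print(f"after the low-hanging fruits: {projected(SCAN, LOW_HANGING):.1f}")
```

With the page's numbers the weighted mean comes out at 4.8, matching the report. The three High-risk checks at zero (Branch-Protection, Dependency-Update-Tool, Token-Permissions) each account for about 0.8 of the aggregate, more than double any Medium-risk item, which is a reasonable argument for tackling them first; bringing all six low-hanging fruits to 10 would lift the repo to roughly 8.9, with Fuzzing, CII-Best-Practices and the partial Code-Review score making up the remainder.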

@gkunz
Contributor Author

gkunz commented Feb 27, 2024

@Phil-Friderici @anders-larsson:

Quick update: the Scorecard score of the repo is up from 4.8 to 6.6!

I am going to address two more Scorecard recommendations shortly.

  • branch protection: this repo does not have any branches except for the master branch. Would it work for your workflow to block force-pushes and instead always require PRs with X reviewers (where X == 1)? In case you can see the settings, I prepared a repo rule, but didn't activate it yet: https://github.com/Ericsson/puppet-module-vas/settings/rules/444115
  • a Security.md file. This would be a boilerplate file pointing to the private vulnerability reporting feature of GitHub (which I would enable for the repo, too).

Thanks
Georg

@anders-larsson
Contributor

Hi,

Sounds OK. I was looking at adding branch protection but it appears we lost access to that functionality. I'm all for enabling it though.

BR

@gkunz
Contributor Author

gkunz commented Feb 28, 2024

@anders-larsson The intention is that you should be able to maintain these settings for your projects. I have upgraded your team to the admin role for the puppet repos.

@Phil-Friderici
Contributor

Both options (branch protection / security.md) sound good to me too.

@gkunz
Contributor Author

gkunz commented Feb 29, 2024

Thanks for the feedback. I just enabled the branch protection rules.
