
Conversation

mmorel-35
Contributor

@mmorel-35 mmorel-35 commented Jan 12, 2024

Also pin github-actions versions

OpenSSF Scorecard

Signed-off-by: Matthieu MOREL matthieu.morel35@gmail.com

@ArthurSens
Member

Hey 👋 -- thanks for the contribution.

Could you provide details about the OSSF scorecard and why we want to maintain it? Please assume I have no knowledge about what it is 😬

@mmorel-35
Contributor Author

OSSF is the Open Source Security Foundation. The workflow is here to create a report that will help maintainers reduce security risk on their project with advice. See the badge I added in the description.

@ArthurSens
Member

I was taking a look at the report provided by the badge, and I'm not sure I understood why we got 0 with Token-Permissions.

I don't guarantee that all permissions were configured following the least-privilege principle, but I'm pretty sure most of them are needed. Do we need to configure exceptions somewhere?

@ArthurSens
Member

This PR is also making changes to the Dockerfile, which doesn't seem related to the OSSF scorecard. Could we split it into a separate PR? It could make the merge process faster, at least for the Dockerfile changes.

@mmorel-35
Contributor Author

mmorel-35 commented Jan 24, 2024

It is related, as OSSF asks for dependencies to use pinned versions for Docker as well as for GitHub Actions.
Please have a look here: https://securityscorecards.dev/viewer/?uri=github.com/prometheus/client_golang

I'm fine seeing this in a following PR.

@ArthurSens
Member

ArthurSens commented Jan 25, 2024

It is related, as OSSF asks for dependencies to use pinned versions for Docker as well as for GitHub Actions. Please have a look here: https://securityscorecards.dev/viewer/?uri=github.com/prometheus/client_golang

I'm fine seeing this in a following PR.

Yeah, I imagine that would be the reason :P I just meant that we could already merge the Dockerfile changes without problems, so opening a separate PR would unblock this.

For the OSSF scorecard, I'm still struggling to understand why we got a 0 score for GitHub Actions that need those permissions to run. I couldn't find ways to add exceptions for those checks 🤔

@mmorel-35 mmorel-35 force-pushed the ossf branch 3 times, most recently from 8f690be to 4de8a80 on November 8, 2024 23:32
@kakkoyun kakkoyun added this to the v1.21.0 milestone Nov 11, 2024
@kakkoyun
Member

For the OSSF scorecard, I'm still struggling to understand why we got a 0 score for GitHub Actions that need those permissions to run. I couldn't find ways to add exceptions for those checks 🤔

@mmorel-35 Are there any quick wins that we could fix before putting this to the README?

@mmorel-35
Contributor Author

Maybe change permissions on the workflows?
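The Token-Permissions and Pinned-Dependencies checks discussed in this thread look for a workflow shaped like the following. This is an added illustration, not a file from this PR or from client_golang; the action SHAs and the `publish.sh` step are placeholders.

```yaml
# Added example (not from the PR): a workflow laid out the way OpenSSF
# Scorecard's Token-Permissions and Pinned-Dependencies checks expect.
name: ci
on:
  pull_request:
  push:
    branches: [main]

# What scores 0: no top-level `permissions:` block at all (every job then
# inherits the repository's default token scope) or an explicit
#   permissions: write-all
# Either way the GITHUB_TOKEN is broader than any single job needs.

# Fix, part 1: deny everything at the top level ...
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    # ... and, part 2, grant each job only the scopes it actually uses.
    permissions:
      contents: read
    steps:
      # Pin to a full commit SHA (placeholder below), not a mutable tag.
      # The trailing version comment keeps the release readable and lets
      # Dependabot/Renovate bump the SHA.
      - uses: actions/checkout@<full-40-char-commit-sha> # vX.Y.Z
      - run: go test ./...

  release:
    runs-on: ubuntu-latest
    needs: test
    # A job that publishes genuinely needs write scope. Elevating it here,
    # at job level, instead of globally is what satisfies the check; the
    # scorecard does not need an "exception", only this narrowing.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@<full-40-char-commit-sha> # vX.Y.Z
      - run: ./publish.sh # hypothetical release step
```

The same idea applies to the Dockerfile change in this PR: a base image referenced by digest (`image@sha256:...`) rather than by tag is what the pinning check counts as pinned.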

Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
@kakkoyun kakkoyun merged commit f53c5ca into prometheus:main Nov 25, 2024
10 checks passed
@mmorel-35 mmorel-35 deleted the ossf branch November 25, 2024 12:03
@mmorel-35
Contributor Author

mmorel-35 commented Nov 25, 2024

@kakkoyun,
can you trigger an update on the GitHub Actions dependencies (https://github.com/prometheus/client_golang/network/updates)?

When I updated them on my fork things got better: mmorel-35#58

@renovate renovate bot mentioned this pull request Oct 8, 2025
1 task

3 participants