ALR

OSSF Scorecard

Still to be inspected and configured; I've installed the OSSF Scorecard as a GitHub Action into the Dev Site repo. There's now a badge on the README showing the latest report run (triggered on every commit). It generates a report like: https://securityscorecards.dev/viewer/?uri=github.com/TBD54566975/developer.tbd.website
23 Replies
ALR 8mo ago
More about OSSF Scorecards: https://securityscorecards.dev/
michaelneale 8mo ago
@ALR looks good - I don't see it mention licenses of transitive dependencies though
ALR 8mo ago
Yeah it doesn’t do that. This is scoring the repo in question. Snyk and Mend do that.
michaelneale 8mo ago
similar to renovatebot etc - a good project should be wary of bringing in things to adhere to the license policy. yeah, exactly. also, I may type licence as well as license interchangeably. I like that scorecard
ALR 8mo ago
Yeah the scorecard is a nice featureset
michaelneale 8mo ago
all this stuff is grown up now
ALR 8mo ago
And I’d use it in combination with something like Snyk or Mend, which do dependency scanning
michaelneale 8mo ago
yep
ALR 8mo ago
Really the topic of supply chain security is a comprehensive set of areas to cover, each with a tool chain that solves some dimensions: securing things in the audit trail from source to distro and everything in between. (Followers - I’ve an internal doc outlining all areas to cover, haven’t vetted it yet for sharing publicly as this involves security for our ecosystem)
michaelneale 8mo ago
we have been slightly bitten by licenses from time to time, so good to shift as many checks left as we can (which snyk/mend can do)
ALR 8mo ago
Yep. And for dependency scanning I have the sense we’ll be choosing one of those anyway, unless dependabot really impresses. Going to talk to the GitHub folks about that too.
michaelneale 8mo ago
it's weird, I know the founders of whitesource (mend) and snyk well, just co-incidence. yeah - it does a lot of what snyk did for the basics/commodity of upgrading
ALR 8mo ago
It’s a small world in OSS
michaelneale 8mo ago
it is
ALR 8mo ago
For this too I want a unified dashboard across projects. Else we have to look after dependencies one by one in each repo - and configure those builds to fail in case a vuln is detected. Way too ad hoc for my taste. Want the whole suite of projects secured.
michaelneale 8mo ago
Mend does a nice dashboard and reports
ALR 8mo ago
Yep, Snyk too
michaelneale 8mo ago
so does snyk - I still get emails about it. yeah
ALR 8mo ago
Dependabot, I am not sure what we’d need to build to consolidate
michaelneale 8mo ago
I can see ALR running a jenkins in his basement. no school like the old school
ALR 8mo ago
You know I used to
ALR 8mo ago
Literally on this
ALR 8mo ago
Did I ever break a JBoss Application Server build? Hell no. Because I ran my own full testsuite before it ever hit main 🤣