Addition of scorecard?

[andy778]

Have there been ideas to adding openssf scorecard to see what things would be good to secure up?

scorecard --repo=https://github.com/jgraph/drawioRESULTS
-------
Aggregate score: 5.1 / 10Check scores:
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |                                               DOCUMENTATION/REMEDIATION                                               |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Binary-Artifacts       | binaries present in source     | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#binary-artifacts       |
|         |                        | code                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 3 / 10  | Branch-Protection      | branch protection is not       | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#branch-protection      |
|         |                        | maximal on development and all |                                                                                                                       |
|         |                        | release branches               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | CI-Tests               | no pull request found          | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#ci-tests               |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | CII-Best-Practices     | no effort to earn an OpenSSF   | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#cii-best-practices     |
|         |                        | best practices badge detected  |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Code-Review            | found 30 unreviewed changesets | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#code-review            |
|         |                        | out of 30 -- score normalized  |                                                                                                                       |
|         |                        | to 0                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors           | 3 different organizations      | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#contributors           |
|         |                        | found -- score normalized to   |                                                                                                                       |
|         |                        | 10                             |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#dangerous-workflow     |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected           | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Fuzzing                | project is not fuzzed          | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#fuzzing                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License                | license file detected          | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#license                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained             | 24 commit(s) out of 30 and 8   | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#maintained             |
|         |                        | issue activity out of 30 found |                                                                                                                       |
|         |                        | in the last 90 days -- score   |                                                                                                                       |
|         |                        | normalized to 10               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Packaging              | no published package detected  | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#packaging              |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Pinned-Dependencies    | dependency not pinned by hash  | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#pinned-dependencies    |
|         |                        | detected -- score normalized   |                                                                                                                       |
|         |                        | to 0                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | SAST                   | SAST tool detected             | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#sast                   |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Security-Policy        | security policy file detected  | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#security-policy        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Signed-Releases        | 0 out of 5 artifacts are       | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#signed-releases        |
|         |                        | signed or have provenance      |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Token-Permissions      | detected GitHub workflow       | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#token-permissions      |
|         |                        | tokens with excessive          |                                                                                                                       |
|         |                        | permissions                    |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities        | no vulnerabilities detected    | https://github.com/ossf/scorecard/blob/b6f48b370e61367600eafb257b4ad07feb9578ab/docs/checks.md#vulnerabilities        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|

[davidjgraph]

We follow SOC 2 internally, if someone wants to monitor this they can, but SOC 2 is rather more complete and externally audited.

[andy778]

More after if there is a working software supply chain so one can reduce riks like the XZ some weeks ago. E.g Branch-Protection would be nice with higher score

[davidjgraph]

branch protection is pointless, this is a mirror repo.

[andy778]

The intention with the initial question is partly answered with soc 2. Think I am not seeing all software supply chain things like openchain ISO/IEC 5230 so that would be a nice addition, but I have used another standard that SOC 2 so not that read up on this standard. Case closed from my side.