-
Notifications
You must be signed in to change notification settings - Fork 118
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bump OSSF score above 9.0 ⬆️ #694
Comments
@rvema - pinned dependencies is one of them. Do you want to take this task on? |
For sure, let me take a look and work on it |
@JamieSlome I would like to try working on this issue for hactoberfest. Should we send one PR per item being addressed. Like I saw here (https://scorecard.dev/viewer/?uri=github.com/finos/git-proxy) there is a vulnerability that can be fixed by upgrading the page |
@coderhs - sure, thank you for volunteering 👍 Are we able to do in a single PR? |
Perhaps we can do per action item as reported. Referring to the list here: https://scorecard.dev/viewer/?uri=github.com/finos/git-proxy I am not sure if we can go above 9, but with each PR we should be getting closer. |
@JamieSlome I have to step back from this, i thought it would be a small thing to do but it seems some of the concerns are with express.js itself that I don't think me without more experience in the project should be upgrading them. Kindly unassing this from me so someone else can pick it up. I could send a PR for the body-parser that i upgraded if needed. |
@JamieSlome Please assign it to me. I will take this up. |
@laukik-target - all yours ❤️ |
@JamieSlome Can you please review the above PR? I would be pushing more PRs to cross-score 9.0. Targeting High Priority items from the OSSF Scorecard first. |
@JamieSlome Can you please review the above PR? I have made changes to branch protection by using the classic token which gave a significant increase in OSSF Score. As you can see, I have improved the score for branch protection in OSSF Scorecard. |
@rvema contributed the OSSF Scorecard to the repository in #676. If possible, it would be great to drive the score about 9.0 to ensure we excel at meeting OSSF's security standards👍
Tasks
The text was updated successfully, but these errors were encountered: