From 6d0465fa21686070973b179810c685f8ba45fd24 Mon Sep 17 00:00:00 2001 From: Stephen Augustus Date: Tue, 2 Jul 2024 17:47:35 -0400 Subject: [PATCH 1/2] docs: Correct instances of "Security Scorecards" to "OpenSSF Scorecard" Includes minor fixes to surrounding documentation. Signed-off-by: Stephen Augustus --- README.md | 8 ++++---- pkg/policies/binary/binary.go | 6 +++--- pkg/policies/scorecard/scorecard.go | 21 +++++++++++---------- pkg/policies/workflow/workflow.go | 8 +++----- 4 files changed, 21 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index 15c97fee..40f969cc 100644 --- a/README.md +++ b/README.md @@ -321,8 +321,8 @@ here](https://pkg.go.dev/github.com/ossf/allstar/pkg/policies/workflow#OrgConfig This policy checks the GitHub Actions workflow configuration files (`.github/workflows`), for any patterns that match known dangerous -behavior. See the [Security Scorecards -Documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) +behavior. See the [OpenSSF Scorecard +documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) for more information on this check. ### Generic Scorecard Check @@ -333,8 +333,8 @@ here](https://pkg.go.dev/github.com/ossf/allstar/pkg/policies/scorecard#OrgConfi This policy runs any scorecard check listed in the `checks` configuration. All checks run must have a score equal or above the `threshold` setting. Please see -the [Security Scorecards -Documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md) +the [OpenSSF Scorecard +documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md) for more information on each check. ### GitHub Actions diff --git a/pkg/policies/binary/binary.go b/pkg/policies/binary/binary.go index 780dd426..6aa5c517 100644 --- a/pkg/policies/binary/binary.go +++ b/pkg/policies/binary/binary.go 
@@ -159,7 +159,7 @@ func (b Binary) Check(ctx context.Context, c *github.Client, owner, notify = fmt.Sprintf(`Project is out of compliance with Binary Artifacts policy: %v **Rule Description** -Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the [Security Scorecards Documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts) for Binary Artifacts. +Binary artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information, see the [OpenSSF Scorecard documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts) on binary artifacts. **Remediation Steps** To remediate, remove the generated executable artifacts from the repository. @@ -169,13 +169,13 @@ To remediate, remove the generated executable artifacts from the repository. if len(logs) > 10 { notify += fmt.Sprintf( "**First 10 Artifacts Found**\n\n%v"+ - "- Run a Scorecards scan to see full list.\n\n", + "- Run a Scorecard scan to see full list.\n\n", listJoin(logs[:10])) } else { notify += fmt.Sprintf("**Artifacts Found**\n\n%v\n", listJoin(logs)) } notify += `**Additional Information** -This policy is drawn from [Security Scorecards](https://github.com/ossf/scorecard/), which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.` +This policy uses [OpenSSF Scorecard](https://github.com/ossf/scorecard/). You may wish to run a Scorecard scan directly on this repository for more details.` } return &policydef.Result{ diff --git a/pkg/policies/scorecard/scorecard.go b/pkg/policies/scorecard/scorecard.go index 161daba4..5398a8d8 100644 
--- a/pkg/policies/scorecard/scorecard.go +++ b/pkg/policies/scorecard/scorecard.go @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -// Package scorecard implements the generic Security Scorecards policy +// Package scorecard implements the generic OpenSSF Scorecard policy package scorecard import ( @@ -31,7 +31,7 @@ import ( ) const configFile = "scorecard.yaml" -const polName = "Security Scorecards" +const polName = "OpenSSF Scorecard" // OrgConfig is the org-level config definition for this policy. type OrgConfig struct { @@ -42,11 +42,12 @@ type OrgConfig struct { // Action defines which action to take, default log, other: issue... Action string `json:"action"` - // Checks is a list of check names to run from Security Scorecards. These - // must match the name that the check uses in it's call to - // "registerCheck". See the check code for each name: - // https://github.com/ossf/scorecard/tree/main/checks For example, the name - // for the Signed Releases check is "Signed-Releases". + // Checks is a list of check names to run from OpenSSF Scorecard. These + // must match the name that the check uses in its call to "registerCheck". + // For example, the name for the Signed Releases check is "Signed-Releases". + // + // See the checks code for each name: + // https://github.com/ossf/scorecard/tree/main/checks Checks []string `json:"checks"` // Threshold is the score threshold that checks must meet to pass the 
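Review bot: The rewritten package comment `// Package scorecard implements the generic OpenSSF Scorecard policy` still has no terminating period. Go doc comments are full sentences, so since the line is being touched anyway it should read `// Package scorecard implements the generic OpenSSF Scorecard policy.`.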
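Review bot: Changing `polName` from `Security Scorecards` to `OpenSSF Scorecard` alters the policy's user-visible name, and nothing in this commit addresses state already created under the old name. If polName also feeds the title or lookup of the GitHub issues Allstar opens and closes for this policy (not visible in this hunk), findings previously filed under `Security Scorecards` would no longer be matched after the rename and could be left open or duplicated; confirming that the issue lookup tolerates both names, or recording the one-off migration in the commit message, would close that gap. A short comment on the constant would help the next maintainer: `// polName is the user-visible policy name; it may already appear in opened issues, so renaming it is not purely cosmetic.`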
@@ -196,10 +197,10 @@ func (b Scorecard) Check(ctx context.Context, c *github.Client, owner, if res.Score < mc.Threshold && res.Score != checker.InconclusiveResultScore { pass = false if notify == "" { - notify = `Project is out of compliance with Security Scorecards policy + notify = `Project is out of compliance with OpenSSF Scorecard policy. **Rule Description** -This is a generic passthrough policy that runs the configured checks from Security Scorecards. Please see the [Security Scorecards Documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md) for more information on each check. +This is a generic passthrough policy that runs the configured checks from OpenSSF Scorecard. Please see the [OpenSSF Scorecard documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md) for more information on each check. The score was %v, and the passing threshold is %v. ` notify = fmt.Sprintf(notify, res.Score, mc.Threshold) @@ -207,7 +208,7 @@ The score was %v, and the passing threshold is %v. if len(logs) > 10 { notify += fmt.Sprintf( "**First 10 Results from policy: %v : %v**\n\n%v"+ - "- Run a Scorecards scan to see full list.\n\n", + "- Run a Scorecard scan to see full list.\n\n", res.Name, res.Reason, listJoin(logs[:10])) } else { notify += fmt.Sprintf("**Results from policy: %v : %v**\n\n%v\n", diff --git a/pkg/policies/workflow/workflow.go b/pkg/policies/workflow/workflow.go index 1149abd2..ae8daf83 100644 --- a/pkg/policies/workflow/workflow.go +++ b/pkg/policies/workflow/workflow.go 
@@ -142,24 +142,22 @@ func (b Workflow) Check(ctx context.Context, c *github.Client, owner, notify = fmt.Sprintf(`Project is out of compliance with Dangerous Workflow policy: %v **Rule Description** -Dangerous Workflows are GitHub Action workflows that exhibit dangerous patterns that could render them vulnerable to attack. A vulnerable workflow is susceptible to leaking repository secrets, or allowing an attacker write access using the GITHUB_TOKEN. For more information about the particular patterns that are detected see the [Security Scorecards Documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) for Dangerous Workflow. +Dangerous workflows are GitHub Action workflows that exhibit dangerous patterns that could render them vulnerable to attack. A vulnerable workflow is susceptible to leaking repository secrets, or allowing an attacker write access using the GITHUB_TOKEN. For more information about the particular patterns that are detected, see the [OpenSSF Scorecard documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) on dangerous workflows. **Remediation Steps** Avoid the dangerous workflow patterns. See this [post](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) for information on avoiding untrusted code checkouts. See this [document](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections) for information on avoiding and mitigating the risk of script injections. 
- - `, res.Reason) if len(logs) > 10 { notify += fmt.Sprintf( "**First 10 Dangerous Patterns Found**\n\n%v"+ - "- Run a Scorecards scan to see full list.\n\n", + "- Run a Scorecard scan to see full list.\n\n", listJoin(logs[:10])) } else { notify += fmt.Sprintf("**Dangerous Patterns Found**\n\n%v\n", listJoin(logs)) } notify += `**Additional Information** -This policy is drawn from [Security Scorecards](https://github.com/ossf/scorecard/), which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.` +This policy uses [OpenSSF Scorecard](https://github.com/ossf/scorecard/). You may wish to run a Scorecard scan directly on this repository for more details.` } return &policydef.Result{ From 51aff1064dcb6a6a28143cd2903d81a45de22d34 Mon Sep 17 00:00:00 2001 From: Stephen Augustus Date: Tue, 2 Jul 2024 17:51:12 -0400 Subject: [PATCH 2/2] README: Correct Scorecard API URL Signed-off-by: Stephen Augustus --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 40f969cc..ea2ccf77 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/ossf/allstar/badge)](https://api.securityscorecards.dev/projects/github.com/ossf/allstar) +[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/ossf/allstar/badge)](https://api.scorecard.dev/projects/github.com/ossf/allstar)
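Review bot: Dropping both blank lines before the closing backtick (the two `-` lines ahead of `` `, res.Reason)``) changes the notification's layout, not just its wording, which the commit message does not mention. As far as this hunk shows, the raw string now ends right after the script-injection sentence with a single newline, so the `**First 10 Dangerous Patterns Found**` or `**Dangerous Patterns Found**` text appended next is no longer separated from the remediation paragraph by a blank line and will not render as its own paragraph. If the intent was only to trim one stray blank line, remove a single `-` line so the string still ends with an empty line before the backtick. The enclosing Check method starts and ends outside this hunk.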