Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve ITK's OpenSSF scores #5084

Open
11 tasks
jhlegarreta opened this issue Dec 17, 2024 · 0 comments
Open
11 tasks

Improve ITK's OpenSSF scores #5084

jhlegarreta opened this issue Dec 17, 2024 · 0 comments
Labels
type:Infrastructure Infrastructure/ecosystem related changes, such as CMake or buildbots

Comments

@jhlegarreta
Copy link
Member

jhlegarreta commented Dec 17, 2024
edited
Loading

Description

As of Dec 16, 2024 ITK's OpenSSF scores are the following:

Holistic security practices

Category Group Metric Score
#f8ed62 1 CI-Tests 10
#ffa500 1 Fuzzing 0
#ffa500 1 SAST 0
#f8ed62 2 CII-Best-Practices 0
#ff0000 2 Dependency-Update-Tool 0
#f8ed62 2 License 10
#ff0000 2 Maintained 10
#ffa500 2 Security-Policy 0
#ff0000 3 Vulnerabilities 10

Holistic security practices

Category Metric Score
#ff0000 Binary-Artifacts 10
#ff0000 Branch-Protection 8
#ff0000 Code-Review 10
#f8ed62 Contributors 10
#cc1100 Dangerous-Workflow -1

Build risk assessment

Category Metric Score
#ffa500 Packaging -1
#ffa500 Pinned-Dependencies 0
#ff0000 Signed-Releases 0
#ff0000 Token-Permissions -1
Metric Score
Total Score 5.3

So the following aspects need improvement:

  • Fuzzing
  • SAST
  • CII-Best-Practices
  • Dependency-Update-Tool
  • Security-Policy
  • Branch-Protection
  • Dangerous-Workflow
  • Packaging
  • Pinned-Dependencies
  • Signed-Releases
  • Token-Permissions

Check current scores at https://scorecard.dev/viewer/

Impact analysis

Scoring high on each of the above aspects would improve the security of the ITK code and/or the infrastructure it uses and provide some safety guarantee to consumers.

Expected behavior

ITK scrores high in OpenSSF scores.

Actual behavior

ITK scrores in OpenSSF have room for improvement.

Versions

master

Environment

N/A

Additional Information

Related to PR #5078.

More information: https://github.com/ossf/scorecard

Some items may not apply to ITK, and thus may need to be bypassed in the evaluation, and some others are maybe not being processed correctly (e.g. signed releases).
@jhlegarreta jhlegarreta added the type:Infrastructure Infrastructure/ecosystem related changes, such as CMake or buildbots label Dec 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type:Infrastructure Infrastructure/ecosystem related changes, such as CMake or buildbots
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jhlegarreta