As you may know, the Node.js Ecosystem Security Working Group has defined its priorities for 2023. A key initiative for us will be to assess the organization against the best practices available, such as the OpenSSF Scorecard.
OpenSSF in Node.js
We had a great discussion about the OpenSSF Scorecard with the Google Open Source Security Team (GOSST) in the Ecosystem Security Working Group meeting this week.
We began the discussion in this issue, and here you can find the meeting notes:
- Assessment against best practices (OpenSSF Scorecards ...) #859
- Add OSSF Scorecard #851
- Discussion with GOSST about implementing it on Node.js
- The current Node.js report is located here; a JSON version is also available
- Agreement to pin action versions in GitHub Actions (GHA) by commit hash instead of by tag, following this example, led by GOSST
- Agreement to add/document the next steps in this issue in order to provide good context for the following PRs and TSC meetings, led by GOSST
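As an added example (not code from the Node.js working group or the Scorecard project), a small Node.js check for the hash-pinning agreement above: it flags `uses:` references in a workflow that point at a tag or branch instead of a full commit SHA, which is the property Scorecard's Pinned-Dependencies check also scores. The workflow text and the 40-hex SHA in it are constructed placeholders.

```javascript
// Added example: flag GitHub Actions `uses:` references that are not pinned
// to a full commit SHA (or, for docker:// images, a sha256 digest).
const SHA_RE = /^[0-9a-f]{40}$/;                 // full git commit SHA
const DOCKER_DIGEST_RE = /^sha256:[0-9a-f]{64}$/;

// Classify one `uses:` reference. Returns null when it is acceptably pinned.
function unpinnedReason(ref) {
  if (ref.startsWith('./')) return null;         // local action, lives in this repo
  if (ref.startsWith('docker://')) {
    const at = ref.indexOf('@');
    if (at === -1) return 'docker image without digest';
    return DOCKER_DIGEST_RE.test(ref.slice(at + 1))
      ? null : 'docker image not pinned by sha256 digest';
  }
  const at = ref.lastIndexOf('@');
  if (at === -1) return 'no version reference at all';
  const version = ref.slice(at + 1);
  return SHA_RE.test(version)
    ? null : `mutable ref "${version}" (tag or branch), not a commit SHA`;
}

// Scan workflow YAML text; return one finding per unpinned `uses:` line.
function findUnpinnedActions(workflowText) {
  const findings = [];
  workflowText.split('\n').forEach((raw, i) => {
    const m = raw.match(/^\s*-?\s*uses:\s*['"]?([^'"#\s]+)['"]?/);
    if (!m) return;
    const reason = unpinnedReason(m[1]);
    if (reason) findings.push({ line: i + 1, uses: m[1], reason });
  });
  return findings;
}

// Constructed sample workflow: two unpinned steps, two acceptably pinned ones.
// The 40-hex SHA below is a placeholder, not a real actions/setup-node commit.
const SAMPLE_WORKFLOW = `
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3.6.0 (placeholder)
      - uses: ./.github/actions/local-lint
      - uses: docker://node:18
`;

for (const f of findUnpinnedActions(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line}: ${f.uses} -> ${f.reason}`);
}
```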
The current score for Node.js is 6.8 out of 10. We will be working to improve this score in the coming months. If you would like to be notified, please subscribe to the Security Working Group repository.
OpenSSF Scorecard in a nutshell
The Scorecard evaluates the security of your project based on automated checks related to four scenarios.
To accomplish this, the checks are focused on 5 areas (Code Vulnerabilities, Maintenance, Continuous Testing, Source Risk Assessment, Build Risk Assessment and Holistic Security Practices).
Each area has its own associated risk, so the overall score is the average of the five areas. You can check the details of each area by consulting the documentation.
The following are the types of questions this Scorecard provides answers to:
If you are wondering if this is a good idea for your project, I think it is a good idea to at least review your packages in the directory.
OpenSSF Scorecard Implementation
"It took less than 5 minutes to install. It quickly analysed the repo and identified easy ways to make the project more secure." (Priya Wadhwa, Kaniko)
You have two options: