Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve security practices #787

Open
6 tasks
sripwoud opened this issue May 20, 2024 · 2 comments
Open
6 tasks

Improve security practices #787

sripwoud opened this issue May 20, 2024 · 2 comments

Comments

@sripwoud
Copy link
Contributor

sripwoud commented May 20, 2024

See https://discord.com/channels/943612659163602974/1006997078259552346/1237782683229356173 (PSE internal discord).

Here are the scorecard results of the semaphore repo: 4.3/10 (scorecard.txt)

I don't think the goal is to get a 10/10.
But there are probably some quick wins we can implement like:

  • Improve branch protection rules
  • Add a dependency update/scan tool bot
    I like using socket-security on some of my repos
  • Pin some dependencies by hash
  • Add a security policy file
  • Restrict GH workflow tokens permissions
  • Address existing vulnerabilities

See links in report for more explanation and mitigations

@cedoor
Copy link
Member

cedoor commented May 21, 2024

Thank you very much for pointing this out @sripwoud! Super important 🙏🏽

@cedoor
Copy link
Member

cedoor commented Oct 3, 2024

@sripwoud We should give priority to this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: ♻️ Grooming
Development

No branches or pull requests

2 participants