Improve ITK's OpenSSF scores #5084

Open · 1 of 11 tasks
jhlegarreta opened this issue Dec 17, 2024 · 1 comment
Label: type:Infrastructure (Infrastructure/ecosystem related changes, such as CMake or buildbots)

Comments

jhlegarreta commented Dec 17, 2024

Description

As of Dec 16, 2024, ITK's OpenSSF scores are the following:

Holistic security practices

| Group | Metric | Score |
|---|---|---|
| 1 | CI-Tests | 10 |
| 1 | Fuzzing | 0 |
| 1 | SAST | 0 |
| 2 | CII-Best-Practices | 0 |
| 2 | Dependency-Update-Tool | 0 |
| 2 | License | 10 |
| 2 | Maintained | 10 |
| 2 | Security-Policy | 0 |
| 3 | Vulnerabilities | 10 |

Holistic security practices

| Metric | Score |
|---|---|
| Binary-Artifacts | 10 |
| Branch-Protection | 8 |
| Code-Review | 10 |
| Contributors | 10 |
| Dangerous-Workflow | -1 |

Build risk assessment

| Metric | Score |
|---|---|
| Packaging | -1 |
| Pinned-Dependencies | 0 |
| Signed-Releases | 0 |
| Token-Permissions | -1 |

Total Score: 5.3

So the following aspects need improvement:

  • Fuzzing
  • SAST
  • CII-Best-Practices
  • Dependency-Update-Tool
  • Security-Policy
  • Branch-Protection
  • Dangerous-Workflow
  • Packaging
  • Pinned-Dependencies
  • Signed-Releases
  • Token-Permissions

Check current scores at https://scorecard.dev/viewer/

Impact analysis

Scoring high on each of the above aspects would improve the security of the ITK code and/or the infrastructure it uses and provide some safety guarantee to consumers.

Expected behavior

ITK's OpenSSF scores are high.

Actual behavior

ITK's OpenSSF scores have room for improvement.

Versions

master

Environment

N/A

Additional Information

Related to PR #5078.

More information: https://github.com/ossf/scorecard

Some items may not apply to ITK, and thus may need to be bypassed in the evaluation, and some others may not be being processed correctly (e.g. signed releases).
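Three of the checks listed above (Pinned-Dependencies, Token-Permissions, Dangerous-Workflow) are scored from the repository's GitHub Actions workflow files. The following is an added example, not ITK's code and not the Scorecard implementation: a small regex-based approximation of what those three checks look for, run over two constructed workflow samples, a weak one and its hardened form. The workflow contents, the job names and the 40-hex commit SHAs are all assumptions made for illustration (the SHAs are placeholders, not real commits of `actions/checkout` or `actions/setup-python`).

```python
"""Regex-based approximation of three OpenSSF Scorecard checks.

Added example for this issue, not ITK's code and not the Scorecard
implementation: it flags the patterns behind Pinned-Dependencies,
Token-Permissions and Dangerous-Workflow in GitHub Actions workflow
text. Both workflows below are constructed samples; the 40-hex SHAs
are placeholders, not real commits of those actions.
"""
import re

# Constructed sample of a weak workflow: tag-pinned actions, unpinned
# pip install, no token permissions, and a pull_request_target job
# that checks out the untrusted PR head.
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-python@v5
      - run: pip install pytest
"""

# Constructed hardened form: actions pinned to a full commit SHA (tag kept
# as a trailing comment), read-only token, plain pull_request trigger,
# pip package pinned to an exact version. SHAs are placeholders.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/setup-python@89abcdef0123456789abcdef0123456789abcdef # v5.3.0
      - run: pip install pytest==8.3.4
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)
SHA_PIN_RE = re.compile(r"@[0-9a-f]{40}$")
PIP_RE = re.compile(r"\bpip3?\s+install\s+([^\n#]+)", re.M)
TOP_PERMISSIONS_RE = re.compile(r"^permissions:", re.M)
WRITE_ALL_RE = re.compile(r"^permissions:\s*write-all\s*$", re.M)
PR_TARGET_RE = re.compile(r"^\s*pull_request_target\s*:", re.M)
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


def unpinned_actions(workflow: str) -> list[str]:
    """Pinned-Dependencies: every third-party `uses:` must end in a full 40-hex SHA.
    Local actions (./path) are exempt, as they ship with the repository."""
    return [
        ref for ref in USES_RE.findall(workflow)
        if not ref.startswith("./") and not SHA_PIN_RE.search(ref)
    ]


def unpinned_pip_installs(workflow: str) -> list[str]:
    """Pinned-Dependencies also covers `pip install` without an exact `==` version."""
    pkgs = []
    for args in PIP_RE.findall(workflow):
        for tok in args.split():
            if not tok.startswith("-") and "==" not in tok:
                pkgs.append(tok)
    return pkgs


def has_least_privilege_token(workflow: str) -> bool:
    """Token-Permissions: a top-level `permissions:` block exists and is not write-all."""
    return bool(TOP_PERMISSIONS_RE.search(workflow)) and not WRITE_ALL_RE.search(workflow)


def has_dangerous_pr_target_checkout(workflow: str) -> bool:
    """Dangerous-Workflow: pull_request_target (secrets + write token) combined with
    a checkout of the PR head lets a fork run its code in the privileged context."""
    return bool(PR_TARGET_RE.search(workflow)) and bool(PR_HEAD_RE.search(workflow))


def findings(workflow: str) -> dict:
    """Collect all findings; empty unpinned lists plus True/False flags is the goal."""
    return {
        "unpinned_actions": unpinned_actions(workflow),
        "unpinned_pip": unpinned_pip_installs(workflow),
        "least_privilege_token": has_least_privilege_token(workflow),
        "dangerous_pr_target_checkout": has_dangerous_pr_target_checkout(workflow),
    }


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, findings(wf))
```

The real Scorecard parses the YAML properly and also evaluates job-level `permissions:`, Docker image digests and other package managers, so treat this as a reading aid for the three checks rather than a substitute; the authoritative numbers come from `scorecard --repo=github.com/<org>/<repo>` or the scorecard.dev viewer linked above.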

thewtex commented Jan 20, 2025

We started signing releases in v5.4.0, documented in #5142
