Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Repository security settings can be strengthened. #800

Open
amaranthjinn opened this issue Nov 7, 2024 · 0 comments
Open

Repository security settings can be strengthened. #800

amaranthjinn opened this issue Nov 7, 2024 · 0 comments

Comments

@amaranthjinn
Copy link

Our team wants to use tower for an ongoing project, however, we are concerned about the risk of bad changes making into the repository, introducing vulnerabilities into our project given how prevalent software supply chain attacks have become.

We used the tool https://github.com/ossf/scorecard?tab=readme-ov-file#using-scorecard to help us assess the risk of using tonic. It suggested that some areas seem to be weak against bad behaviors:

branch protection - Warn: codeowners review is not required on branch 'master' See https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection for more details.

token permission - Warn: no topLevel permission defined: .github/workflows/CI.yml:1 Warn: no topLevel permission defined: .github/workflows/publish.yml:1 Warn: no topLevel permission defined: .github/workflows/release.yml:1. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions for more details.

Those seem to be concerns that can be addressed fairly quickly, and can help increase the trust of the package so much. Really appreciate it if the settings can be strengthened soon.

Steps To Reproduce
See https://github.com/ossf/scorecard/tree/main?tab=readme-ov-file#scorecard-command-line-interface for instruction on running the tool.

Run security scan against the tower repo:
scorecard --repo=https://github.com/tower-rs/tower --checks=Dangerous-Workflow,Maintained,Vulnerabilities,Binary-Artifacts,Branch-Protection,Code-Review,Token-Permissions,Signed-Releases,Dependency-Update-Tool --show-details

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant