
Maintenance: Improve security posture by addressing OpenSSF results #1799


Closed
2 tasks done
sthulb opened this issue Nov 23, 2023 · 6 comments · Fixed by #1797, #1800, #1801, #1827 or #1978
Assignees: none
Labels: completed (This item is complete and has been merged/shipped); internal (PRs that introduce changes in governance, tech debt and chores (linting setup, baseline, etc.))

Comments

sthulb (Contributor) commented Nov 23, 2023

Summary

We recently added OpenSSF Scorecard to the repository; on the initial scan, it found a few actionable items.

Why is this needed?

OpenSSF Scorecard scanner found minor issues with the project that we should improve on.

Which area does this relate to?

Governance

Solution

No response

Acknowledgment

Future readers

Please react with 👍 and your use case to help us understand customer demand.

@sthulb sthulb added triage This item has not been triaged by a maintainer, please wait internal PRs that introduce changes in governance, tech debt and chores (linting setup, baseline, etc.) labels Nov 23, 2023
@github-actions github-actions bot added the pending-release This item has been merged and will be released soon label Nov 23, 2023
@dreamorosi dreamorosi added completed This item is complete and has been merged/shipped and removed triage This item has not been triaged by a maintainer, please wait pending-release This item has been merged and will be released soon labels Nov 24, 2023
This was linked to pull requests Nov 24, 2023
@dreamorosi dreamorosi moved this from Shipped to Working on it in Powertools for AWS Lambda (TypeScript) Nov 24, 2023
@dreamorosi dreamorosi added confirmed The scope is clear, ready for implementation and removed completed This item is complete and has been merged/shipped labels Nov 24, 2023
@github-actions github-actions bot added pending-release This item has been merged and will be released soon and removed confirmed The scope is clear, ready for implementation labels Nov 24, 2023
@dreamorosi dreamorosi linked a pull request Nov 29, 2023 that will close this issue
9 tasks
@dreamorosi dreamorosi added confirmed The scope is clear, ready for implementation and removed pending-release This item has been merged and will be released soon labels Nov 29, 2023
dreamorosi (Contributor) commented

The "on new PR" workflow is failing due to it attempting to obtain more elevated permissions than the caller workflow - see an example here.

Would appreciate if you could take a look.

cc @am29d.

dreamorosi (Contributor) commented

The "On PR merge" workflow is also failing due to permission issues: https://github.com/aws-powertools/powertools-lambda-typescript/actions/runs/7292228413/job/19872848955
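The two failures reported above are both instances of the same GitHub Actions rule: a reusable workflow can only receive the GITHUB_TOKEN permissions its caller job grants it, never more, so a called job that asks for a wider scope is refused before any step runs. The following is an added illustration, not code from the Powertools repository; the file names, workflow names, job ids and the `triage` label are assumptions. It shows a caller with a least-privilege top-level `permissions` block (the setting the Scorecard Token-Permissions check rewards), one job that fails because it inherits only `contents: read` while the called workflow wants `pull-requests: write`, and the fixed job that grants exactly that scope at the job level.

```yaml
# .github/workflows/on-pr.yml  (caller; added example, assumed file name)
name: On new PR
on:
  pull_request:
    types: [opened, synchronize]

# Least-privilege default for every job in this file.
permissions:
  contents: read

jobs:
  # Broken: this job inherits only `contents: read`, but the reusable workflow
  # it calls requests `pull-requests: write`. GitHub refuses to start the
  # nested job, because permissions flow down from caller to callee, never up.
  label:
    uses: ./.github/workflows/reusable-label-pr.yml

  # Fixed: the caller job grants exactly the scope the callee needs and
  # nothing else. Keep the top-level default at `contents: read`.
  label-fixed:
    permissions:
      contents: read
      pull-requests: write
    uses: ./.github/workflows/reusable-label-pr.yml
---
# .github/workflows/reusable-label-pr.yml  (callee; added example, assumed file name)
name: Reusable label PR
on:
  workflow_call:

jobs:
  label:
    runs-on: ubuntu-latest
    # A callee may narrow what the caller granted, but never widen it.
    permissions:
      pull-requests: write
    steps:
      # Uses the job-scoped GITHUB_TOKEN; needs pull-requests: write.
      - run: gh pr edit "$PR" --add-label triage
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
          PR: ${{ github.event.pull_request.number }}
```

When auditing a repository after a Scorecard run, compare each `uses:` job in the callers against the `permissions` block of the workflow it calls: every scope the callee declares must appear in the caller job (or, failing that, in the caller's top-level block), and the top-level block should stay at `contents: read` so the broader grant is visible only on the job that actually needs it.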

@dreamorosi dreamorosi added confirmed The scope is clear, ready for implementation and removed pending-release This item has been merged and will be released soon labels Jan 30, 2024
@github-actions github-actions bot added pending-release This item has been merged and will be released soon and removed confirmed The scope is clear, ready for implementation labels Jan 31, 2024
@dreamorosi dreamorosi added confirmed The scope is clear, ready for implementation and removed pending-release This item has been merged and will be released soon labels Feb 1, 2024
@dreamorosi dreamorosi linked a pull request Feb 1, 2024 that will close this issue
9 tasks
@github-actions github-actions bot added pending-release This item has been merged and will be released soon and removed confirmed The scope is clear, ready for implementation labels Feb 1, 2024
dreamorosi (Contributor) commented Feb 9, 2024

With the release workflow merged we have completed most of the work needed for the OpenSSF scorecard.

After discussing internally, these are the pending items for the next iteration, after which we can close the topic:

@dreamorosi dreamorosi added confirmed The scope is clear, ready for implementation and removed pending-release This item has been merged and will be released soon labels Feb 9, 2024
@github-actions github-actions bot added pending-release This item has been merged and will be released soon and removed confirmed The scope is clear, ready for implementation labels Feb 9, 2024
@dreamorosi dreamorosi added confirmed The scope is clear, ready for implementation and removed pending-release This item has been merged and will be released soon labels Feb 9, 2024
dreamorosi (Contributor) commented

With #2072 being merged, we can now consider the work needed to improve the security posture of the project concluded.

Our current baseline score is 9.3: OpenSSF Scorecard

@github-project-automation github-project-automation bot moved this from Working on it to Coming soon in Powertools for AWS Lambda (TypeScript) Feb 15, 2024
github-actions bot commented

⚠️ COMMENT VISIBILITY WARNING ⚠️

This issue is now closed. Please be mindful that future comments are hard for our team to see.

If you need more assistance, please either tag a team member or open a new issue that references this one.

If you wish to keep having a conversation with other community members under this issue feel free to do so.

@dreamorosi dreamorosi added completed This item is complete and has been merged/shipped and removed confirmed The scope is clear, ready for implementation labels Feb 15, 2024
@dreamorosi dreamorosi moved this from Coming soon to Shipped in Powertools for AWS Lambda (TypeScript) Feb 15, 2024