Improve OpenSSF score

[nitrocode]

What problem are you facing?

Adoption in a new organization

How could pre-commit-terraform help solve your problem?

Renovatebot includes an openssf score on every PR update for this repo. Due to low scores, this can irk developers and management.

Please consider improving the OpenSSF score of this repo. Current score is 6.7 which is not and could be better. The higher the score, the more objective integrity the community will have towards the project.

https://github.com/ossf/scorecard

https://securityscorecards.dev/viewer/?uri=github.com/antonbabenko/pre-commit-terraform

Some small improvements

• Add OpenSSF Best Practices Badge
• Use hadolint and shellcheck to pin dependencies
• Token Permissions in .github/workflows/* would improve it a lot
• etc

Some big improvements

• Create official releases and sign them
• etc

[MaxymVlasov]

@nitrocode can you please point me where you find such score in Renovate PRs for pre-commit hooks?

[MaxymVlasov]

We definitely want 9+/10, but firstly I need to understand how to enable such scores for Renovate, as I never disable it in https://github.com/SpotOnInc/renovate-config/blob/main/default.template.json5

[nitrocode]

Hi @MaxymVlasov, this is how I have enabled the scores in some orgs for renovate PRs

https://docs.renovatebot.com/presets-security/#securityopenssf-scorecard

[nitrocode]

Also the results may be better by adopting the GitHub action. This should get the branch protections

https://github.com/ossf/scorecard-action

[MaxymVlasov]

This can be partially mitigated by https://app.stepsecurity.io/securerepo, as it can provision part of stuff automatically

[nitrocode]

StepSecurity is very nice at quickly improving some areas that OpenSSF scorecard detects, so once the StepSecurity PR is merged, the OpenSSF score should also increase.

I think it would still be valuable to integrate the OpenSSF scorecard banner to showcase the score and add the action to help improve the score.

Since opening this, we have seen the score improve from 6.7 to 7.0 😄

[nitrocode]

Oh Thanks Maxym, I just noticed your PRs #777 and #780.

[yermulnik]

Since opening this, we have seen the score improve from 6.7 to 7.0 😄

Should we try and close/re-open this more times to get score improved even further? 🤣

[MaxymVlasov]

Lol, nah. I'll add a badge to README, that will report status every day and on each commit to master, to simplify tracking of it