Implementing OSSF Scorecard

Some time ago, we implemented the monitoring and review of the [OSSF scorecard](https://securityscorecards.dev/) in the Node.js org, and it significantly contributed to the improvement of many repositories. I believe adopting a similar approach for Express would be highly beneficial. We've developed tools, such as the [OpenSSF Scorecard Monitor](https://github.com/marketplace/actions/openssf-scorecard-monitor) and [OpenSSF Scorecard Visualizer](https://github.com/KoolTheba/openssf-scorecard-api-visualizer), along with processes that make handling the evolution of scoring straightforward. Despite initial appearances, the process is quite simple.

**Context**
> The goal of Scorecards is to auto-generate a “security score” for open source projects to help users as they decide the trust, risk, and security posture for their use case. This data can also be used to augment any decision making in an automated fashion when new open source dependencies are introduced inside projects or at organizations. For example, organizations may decide that any new dependency with low scores has to go through additional evaluation. These checks could help mitigate malicious dependencies from getting deployed to production systems like we’ve seen recently with [malicious NPM packages](https://portswigger.net/daily-swig/open-source-security-malicious-npm-packages-broadcast-sensitive-user-data-online). 
> source: [openssf Blog](https://openssf.org/blog/2020/11/06/security-scorecards-for-open-source-projects/)

**Resources**

- [OpenSSF Scorecard](https://securityscorecards.dev/)
- [You should use the OpenSSF Scorecard](https://blog.ulisesgascon.com/openssf-scorecard-in-nodejs)
- [OpenSSF Scorecard API](https://api.securityscorecards.dev/#/results)
- [Security Scorecards for Open Source Projects](https://openssf.org/blog/2020/11/06/security-scorecards-for-open-source-projects/)

**Next Steps:**

- [x]  Define when/how to review the scoring as a team. For example, in Node.js, we conduct this review in every Security WG Meeting. [Watch example (minute 04:00 to 10:00)](https://www.youtube.com/live/ZKKyUVbPY24?si=Nx-orOq3A_hEI9gA&t=237) and [the dashboard](https://github.com/nodejs/security-wg/blob/main/tools/ossf_scorecard/report.md)
- [x]  Add the Scorecard pipelines to the projects. [View example](https://github.com/ada-url/ada/pull/235/files)
- [x]  Improve the scoring by patching the bugs. [See example](https://github.com/ada-url/ada/pull/438)

I'm enthusiastic about leading these changes in the repos. While we may not be familiar with the OSSF Scorecard, we already have scores for most of our projects. [Here is a simple dashboard that I auto-generated](https://github.com/UlisesGascon/openssf-scorecard-monitor-demo/blob/main/experimental_expressjs/report.md). The OSSF team is already tracking our projects using a CRON job, but we can easily enrich them and make some simple patches to increase the scoring.

Most of these changes won't require significant alterations and can be performed in isolated PRs, making them easy to review. If we're in agreement, I can start with the Express project to showcase the process. 👍


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Implementing OSSF Scorecard #2

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Implementing OSSF Scorecard #2

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions