Skip to content

fix: address OpenSSF Scorecard findings + add badges and release notes#22

Merged
imran-siddique merged 2 commits intomainfrom
scorecard-fixes
Mar 4, 2026
Merged

fix: address OpenSSF Scorecard findings + add badges and release notes#22
imran-siddique merged 2 commits intomainfrom
scorecard-fixes

Conversation

@imran-siddique
Copy link
Copy Markdown
Member

@imran-siddique imran-siddique commented Mar 4, 2026

OpenSSF Scorecard Improvements (3.8 → target 7+)

Code fixes:

  • Pinned-Dependencies: All 6 GitHub Actions pinned by SHA hash, all 28 Docker base images pinned by SHA256 digest
  • SAST: Added CodeQL workflow (Python + JavaScript, weekly + on PR)
  • Dependency-Update-Tool: Added \dependabot.yml\ covering pip, npm, and github-actions (8 ecosystems)
  • Packaging: Added \publish.yml\ PyPI publishing workflow
  • Binary-Artifacts: Removed \gradle-wrapper.jar\ from source
  • Vulnerabilities: Bumped cryptography>=44, fastapi>=0.115, aiohttp>=3.11, httpx>=0.27, uvicorn>=0.27; removed 6 stale package-lock.json files (74 vulns → 5)

Documentation:

  • Added OpenSSF Best Practices badge (project #12085)
  • Added OpenSSF Scorecard badge
  • Updated OWASP badge from 9/10 to 10/10
  • Added v1.0.0 release notes

Scorecard projection:

Check Before After
Binary-Artifacts 9 10
Pinned-Dependencies 0 7-8
SAST 0 10
Dependency-Update-Tool 0 10
Packaging -1 10
Vulnerabilities 0 7-8
Overall 3.8 ~7+

imran-siddique and others added 2 commits March 4, 2026 14:00
@imran-siddique
docs: add OpenSSF badges, update OWASP to 10/10, add v1.0.0 release n…
917df61 
…otes

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@imran-siddique
fix: add actions:read permission and continue-on-error to CodeQL
5c7ac7e 
CodeQL needs actions:read for SARIF upload on microsoft/ org repos.
Added continue-on-error so CodeQL doesn't block PRs while GHAS
is being enabled.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-advanced-security
Copy link
Copy Markdown

github-advanced-security bot commented Mar 4, 2026

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@imran-siddique imran-siddique merged commit cce14f7 into main Mar 4, 2026
20 checks passed
@imran-siddique imran-siddique deleted the scorecard-fixes branch March 12, 2026 19:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@imran-siddique @github-advanced-security