Improve OpenSSF Scorecard Metrics for umijs/qiankun #3054

@Jiannan-dev

Description

I'm reaching out because I am very grateful for your work in qiankun. As open-source security is a growing concern, I'd like to suggest some improvements based on the OpenSSF Scorecard best practices:

  • Current Score: 2.8
  • Repository Link: github.com/umijs/qiankun
  • Latest Commit: eeebd3f76aa3a9d026b4f3a4e86682088e6295c1
  • Scorecard Report Generation Time: 2025-03-31
  • Scorecard Version: v5.1.1-30-g29760499
  • OpenSSF Scorecard Report: View Report

📝 Current Scorecard Overview

The current OpenSSF Scorecard for umijs/qiankun shows multiple critical areas that need immediate improvement to enhance the project's security and maintainability.

| Check Item | Score | Risk Level | Reason |
|---|---|---|---|
| Dangerous-Workflow | 0 | Critical | Detected a dangerous workflow pattern in .github/workflows/issue-checker.yml. |
| Maintained | 0 | High | No commits and issue activities were found in the last 90 days. |
| Token-Permissions | 0 | High | Token permissions are too high in GitHub workflows. |
| Binary-Artifacts | 0 | High | No binary files were found in the repository. |
| Code-Review | 0 | High | 0/30 changes were reviewed. |
| Vulnerabilities | 0 | High | Detected unfixed known vulnerabilities. |
| SAST | 4 | Medium | Static application security testing is partially integrated. |
| Security-Policy | 0 | Medium | No security policy file was detected. |
| Signed-Releases | 0 | High | Released artifacts are not encrypted and signed. |
| Packaging | 0 | Medium | The project is not published on any package manager. |
| Pinned-Dependencies | 0 | Medium | Dependencies are not pinned by hash, increasing the risk of supply chain attacks. |

🚩 Areas for Improvement

  1. Ensure workflow configuration security

    • Dangerous-Workflow: Clear all insecure patterns from workflow files.
    • Token-Permissions: Restrict GitHub token permissions to the minimum required for workflows.
  2. Enhance project maintenance

    • Maintained: Increase commit frequency and issue resolution activities to show the project's active status.
  3. Manage binary artifacts

    • Binary-Artifacts: Remove unnecessary binary files from the repository or ensure they are securely managed and documented.
  4. Strengthen code review process

    • Code-Review: Implement a stricter code review protocol to achieve a higher review pass rate.
  5. Handle vulnerabilities

    • Vulnerabilities: Implement a vulnerability management process to identify and fix security issues in a timely manner.
  6. Integrate SAST tools

    • SAST: Fully integrate static application security testing tools (such as CodeQL, SonarQube) into the CI/CD pipeline for automated security checks.
  7. Develop and publish a security policy

    • Security-Policy: Create and publish a SECURITY.md file detailing how to report vulnerabilities and the project's security practices.
  8. Implement signed releases

    • Signed-Releases: Enable encrypted signing of all released artifacts to verify their integrity and authenticity.
  9. Publish to package managers

    • Packaging: Configure the project to be published on relevant package managers (such as npm) to improve distribution and dependency management efficiency.
  10. Pin dependencies by hash

    • Pinned-Dependencies: Use tools like Dependabot to pin dependencies by hash, reducing supply chain risk.

🛠️ Recommended Actions

  1. Review and revise workflow files

    • Review all .github/workflows/*.yml files following security best practices.
    • Remove any steps or actions that introduce security vulnerabilities.
    • Restrict token permissions to the minimum required for workflows.
  2. Increase contribution activity

    • Encourage more commits and issue resolutions to demonstrate the project's maintenance activity.
    • Assign maintainers to oversee project health and community engagement.
  3. Integrate and configure SAST tools

    • Choose suitable SAST tools and integrate them into the CI pipeline.
    • Regularly review and address issues found in SAST reports.
  4. Develop and publish a security policy

    • Draft a comprehensive SECURITY.md file explaining the vulnerability reporting process and security practices.
    • Ensure the policy file is easily accessible in the repository.
  5. Enable release signing

    • Set up GPG keys and automate signing of release artifacts.
    • Document the signing process for contributors.
  6. Publish to package managers

    • Configure the project to be published on npm or other relevant package managers.
    • Maintain version control and documentation for published packages.
  7. Securely pin dependencies

    • Implement Dependabot or similar tools to automatically update and pin dependencies by hash.
    • Regularly audit dependencies for known vulnerabilities.
  8. Properly manage binary artifacts

    • Remove unnecessary binary files from the repository.
    • If binary files are necessary, document their source and ensure secure storage.
  9. Enhance code review practices

    • Establish code review guidelines to ensure thorough review of contributions.
    • Set and monitor targets for review pass rates.
  10. Vulnerability management

    • Create a process for identifying, reporting, and fixing vulnerabilities.
    • Use automated tools to regularly scan for vulnerabilities.
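To make the Token-Permissions and Pinned-Dependencies items concrete, here is an added example (not code from the qiankun project or from this issue) that puts a weak workflow beside its hardened form and runs a small stdlib-only audit over both; the 40-character SHAs are placeholders, and the checks are a simplified approximation of what Scorecard looks for, not the Scorecard implementation.

```python
import re

# Constructed sample workflow (not from the qiankun repo) with the two weak
# settings Scorecard flags: a write-all token and tag-pinned actions.
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions: write-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm ci && npm test
"""

# Same workflow with a least-privilege token and hash-pinned actions.
# The SHAs are placeholders, not real commit ids; resolve each tag to its
# commit before pinning (Dependabot can keep the pins current).
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - uses: actions/setup-node@1111111111111111111111111111111111111111 # v4
      - run: npm ci && npm test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"@[0-9a-f]{40}$")
TOP_PERMS_RE = re.compile(r"^permissions:\s*(.*)$")  # unindented = top level

def audit_workflow(text):
    """Return Scorecard-style findings for one workflow file's text."""
    findings, has_top_permissions = [], False
    for line in text.splitlines():
        m = TOP_PERMS_RE.match(line)
        if m:
            has_top_permissions = True
            if m.group(1).strip() == "write-all":
                findings.append("Token-Permissions: top-level 'permissions: write-all'")
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):  # local/docker refs are not SHA-pinnable
            if not SHA_RE.search(m.group(1)):
                findings.append(f"Pinned-Dependencies: '{m.group(1)}' not pinned to a commit SHA")
    if not has_top_permissions:
        findings.append("Token-Permissions: no top-level 'permissions' block (default token scope)")
    return findings
```

Run `audit_workflow` over each file in .github/workflows/ to get a per-file list of findings; an empty list means both checks pass for that file.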

📈 Expected Outcomes

  • Improved security posture: Enhanced security measures will protect the project from potential threats and vulnerabilities.
  • Active maintenance: Increased activity will demonstrate the project's vitality, attracting more contributors and users.
  • Trust and reliability: Signed releases and pinned dependencies will establish community trust in the project's integrity.
  • Better dependency management: Publishing packages and securely managing dependencies will simplify distribution and maintenance.
