Score OpenSSF #2958

Open
AClerbois opened this issue Nov 20, 2024 · 1 comment
Labels
community:good-first-issue Good issues for first time contributors community:request Issues specifically reported by a member of the community. status:needs-investigation Needs additional investigation v5 For the next major version

Comments

@AClerbois
Contributor

Hello Boys,

I've just run the tool OpenSSF on my machine.

My objective was to evaluate the product and share the result with you.

More information about OpenSSF on the Microsoft DevBlogs article

This is the final result:

RESULTS

Aggregate score: 6.9 / 10

Check scores :

| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|---|---|---|---|---|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | | Binary Artifacts Check |
| 8 / 10 | Branch-Protection | branch protection is not maximal on development and all release branches | Info: 'allow deletion' disabled on branch 'dev'; Info: 'force pushes' disabled on branch 'dev'; Info: required approving review count is 1 on branch 'dev' | Branch Protection Check |
| 10 / 10 | CI-Tests | 16 out of 16 merged PRs checked by a CI test -- score normalized to 10 | | CI Tests Check |
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF best practices badge detected | | CII Best Practices Check |
| 5 / 10 | Code-Review | Found 15/30 approved changesets -- score normalized to 5 | | Code Review Check |
| 10 / 10 | Contributors | project has 28 contributing companies or organizations | | Contributors Check |
| 10 / 10 | Dangerous-Workflow | no dangerous workflow patterns detected | | Dangerous Workflow Check |
| 10 / 10 | Dependency-Update-Tool | update tool detected | Info: detected update tool: Dependabot | Dependency Update Tool Check |
| 0 / 10 | Fuzzing | project is not fuzzed | Warn: no fuzzer integrations found | Fuzzing Check |
| 10 / 10 | License | license file detected | Info: project has a license file: LICENSE:0 Info: FSF or OSI recognized license: MIT License | License Check |
| 10 / 10 | Maintained | 30 commit(s) and 28 issue activity found in the last 90 days -- score normalized to 10 | | Maintained Check |
| ? | Packaging | packaging workflow not detected | Warn: no GitHub/GitLab publishing workflow detected | Packaging Check |
| 0 / 10 | Pinned-Dependencies | dependency not pinned by hash | Warn: GitHub-owned GitHubAction not pinned by hash | Pinned Dependencies Check |
| 7 / 10 | SAST | SAST tool detected but not run on all commits | Info: SAST configuration detected: CodeQL Warn: 0 commits out of 16 are checked with a SAST tool | SAST Check |
| 10 / 10 | Security-Policy | security policy file detected | Info: security policy file detected: SECURITY.md:1 | Security Policy Check |
| ? | Signed-Releases | no releases found | | Signed Releases Check |
| 0 / 10 | Token-Permissions | detected GitHub workflow tokens with excessive permissions | Warn: jobLevel 'checks' permission set to 'write' | Token Permissions Check |
| 8 / 10 | Vulnerabilities | 2 existing vulnerabilities detected | Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275, GHSA-952p-6rrq-rcjv | Vulnerabilities Check |

From my point of view, this result is really interesting to display. We can plan to integrate the badge and try to improve the score with the best Open Source practices proposed: https://scorecard.dev/#run-the-checks

Br,

Adrien C.

@microsoft-github-policy-service microsoft-github-policy-service bot added the triage New issue. Needs to be looked at label Nov 20, 2024
@vnbaaij
Collaborator

vnbaaij commented Nov 20, 2024

Interesting indeed... but yet another thing we would need to maintain.

Not sure if we have bandwidth for that. Might be that some are low hanging fruit.

@vnbaaij vnbaaij added community:request Issues specifically reported by a member of the community. community:good-first-issue Good issues for first time contributors status:needs-investigation Needs additional investigation v5 For the next major version and removed triage New issue. Needs to be looked at labels Dec 2, 2024