Bring CLOMonitor Score to 100%

[hernanpl]

This repo is signed up as part of the KubeCon Security Slam. I'm bringing to your attention the checklist from the official CLOMonitor page for K8GB -- it refreshes every hour, so it should be up-to-date.

CLOMonitor report

Summary

Repository: k8gb
URL: https://github.com/k8gb-io/k8gb
Checks sets: COMMUNITY + CODE
Score: 84

Checks passed per category

Category	Score
Documentation	93%
License	100%
Best Practices	85%
Security	75%
Legal	0%

Checks

Documentation [93%]

• Adopters (docs)
• Changelog (docs)
• Code of conduct (docs)
• Contributing (docs)
• Governance (docs)
• Maintainers (docs)
• Readme (docs)
• Roadmap (docs)
• Website (docs)

License [100%]

• Apache-2.0 (docs)
• Approved license (docs)
• License scanning (docs)

Best Practices [85%]

• Analytics (docs)
• Artifact Hub badge (docs)
• Contributor License Agreement (docs) EXEMPT
• Community meeting (docs)
• Developer Certificate of Origin (docs)
• Github discussions (docs) EXEMPT
• OpenSSF badge (docs)
• Recent release (docs)
• Slack precense (docs)

Security [75%]

• Binary artifacts (docs)
• Code review (docs)
• Dangerous workflow (docs)
• Dependency update tool (docs)
• Maintained (docs)
• Software bill of materials (SBOM) (docs)
• Security policy (docs)
• Signed releases (docs)
• Token permissions (docs)

Legal [0%]

• Trademark disclaimer (docs)

For more information about the checks sets available and how each of the checks work, please see the CLOMonitor's documentation.

[ytsarev]

Hi @hernanpl, thanks a lot for creating this issue for us.

As a part of Security Slam, we heavily attacked the Security section of CLO monitor today.

• We implemented first signed release with SBOM https://github.com/k8gb-io/k8gb/releases/tag/v0.10.0
• Fully addressed token permissions and the rest of the stepsecurity recommendations in [StepSecurity] ci: Harden GitHub Actions #990

Concerns:

• Apparently Signed releases check expects the last 5 releases to be signed, but we just implemented associated mechanisms so we have only 1 latest signed release. The pipelines are configured to automatically sign all future releases but we will not be generating 4 more releases before the Security Slam deadline. Is there a chance to give us a full score here given the context?

* Token permissions are fully implemented but the associated check is still red ( meanwhile CLOMonitor claims that it was updated 20 minutes ago way after the associated fix)

It seems that something is wrong with the check as all recommendations are already in the main branch

Could you please help with addressing concerns? I believe we made good progress today and it deserves some more monitor scores :)

[eddie-knight]

We #966 first signed release with SBOM

This is perfect for the security slam, where the metric is just CLOMonitor's score > 1 👍 For a OpenSSF badge, the score will be tallied more comprehensively, but IMHO that's out of scope at the moment

[eddie-knight]

It seems that something is wrong with the check as all recommendations are already in the main branch

So there are two things happening here.

The first one is that actions: write is currently an instant failure anywhere in a workflow. So we'll either need to remove that, or raise this as a suggested change in ossf/scorecard#2338

Secondly... I noticed that a few files don't have any permissions applied. These are also instant failures for the check.

• .github/workflows/terrascan.yaml
• .github/workflows/terratest-more-clusters.yaml
• .github/workflows/terratest.yaml
• .github/workflows/upgrade-testing.yaml
• .github/workflows/kube-linter.yaml
• .github/workflows/helm_publish.yaml
• .github/workflows/gh-pages.yaml
• .github/workflows/fossa.yml

edit: I also just noticed that release.yml has a top-level content: write, so we'll need to clean that as well.

[ytsarev]

@eddie-knight thanks a lot for the catch, I had an illusion that the secure-workflows tooling automatically fixed all issues for me :)

Created additional #1002

[ytsarev]

Just to not here for future reference.

The way to locally get detailed token permissions feedback

scorecard --repo k8gb-io/k8gb --checks Token-Permissions --show-details

[ytsarev]

Good progress with overall local result:

clomonitor-linter --path ~/upstream/k8gb --url https://github.com/k8gb-io/k8gb

CLOMonitor linter results

Repository information

╭────────────┬─────────────────────────────────╮
│ Local path ┆ /Users/xnull/upstream/k8gb      │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Remote url ┆ https://github.com/k8gb-io/k8gb │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Check sets ┆ [Code, Community]               │
╰────────────┴─────────────────────────────────╯

Score summary

╭────────────────┬───────╮
│     Section    ┆ Score │
╞════════════════╪═══════╡
│ Global         ┆   98  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌┤
│ Documentation  ┆  100  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌┤
│ License        ┆  100  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌┤
│ Best practices ┆  100  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌┤
│ Security       ┆   90  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌┤
│ Legal          ┆  100  │
╰────────────────┴───────╯

Checks summary

╭──────────────────────────────────────┬────────────╮
│                 Check                ┆   Passed   │
╞══════════════════════════════════════╪════════════╡
│ Documentation / Adopters             ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Changelog            ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Code of conduct      ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Contributing         ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Governance           ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Maintainers          ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Readme               ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Roadmap              ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Documentation / Website              ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ License                              ┆ Apache-2.0 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ License / Approved                   ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ License / Scanning                   ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / Analytics           ┆     GA4    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / Artifact Hub badge  ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / CLA                 ┆   Exempt   │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / Community meeting   ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / DCO                 ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / GitHub discussions  ┆   Exempt   │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / OpenSSF (CII) badge ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / Recent release      ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Best practices / Slack presence      ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Binary artifacts          ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Code review               ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Dangerous workflow        ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Dependency update tool    ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Maintained                ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / SBOM                      ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Security policy           ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Signed release            ┆      ✓     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Security / Token permissions         ┆      ✗     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Legal / Trademark disclaimer         ┆      ✓     │
╰──────────────────────────────────────┴────────────╯

✓ Succeeded with a global score of 98

[ytsarev]

@eddie-knight #1002 was merged, I also reported ossf/scorecard#2338 (comment)

Is there anything more we can do? Really keen to score 100 :)

[eddie-knight]

@ytsarev I pinged the OpenSSF Scorecard channel discussing the release, need to get that cut before it can be propogated out to CLOMonitor

[ytsarev]

Thanks a lot @eddie-knight !

Just to be sure that we are good with the evaluation, I've built the scorecard from the main branch and it looks good!

./scorecard --repo k8gb-io/k8gb --checks Token-Permissions --show-details
Starting [Token-Permissions]
Finished [Token-Permissions]

RESULTS
-------
Aggregate score: 10.0 / 10

Thank you so much for the associated PR ossf/scorecard#2367

[ytsarev]

We are all green at https://clomonitor.io/projects/cncf/k8gb !

Closing this one :)