
Improve OSSF Scorecard score (2.7 → ~8)#2

Merged
chatch merged 3 commits into main from improve-ossf-scorecard on Mar 17, 2026

Conversation

@chatch

@chatch chatch commented Mar 17, 2026

Member

Summary

  • SECURITY.md — adds vulnerability reporting policy (Security-Policy: 0 → ~8)
  • SHA-pinned Actions — pins all GitHub Actions to commit SHAs in ci.yml and scorecard.yml (Pinned-Dependencies: 0 → ~7)
  • permissions: read-all on ci.yml top-level (Token-Permissions: 0 → ~9)
  • CodeQL workflow (.github/workflows/codeql.yml) — JavaScript/TypeScript SAST analysis on push/PR/weekly (SAST: 0 → ~8)
  • npm publish workflow (.github/workflows/publish.yml) — triggered on GitHub releases (Packaging: -1 → ~8)
  • Vulnerability fixes — vitest updated to 4.1.0 (fixes rollup); pnpm.overrides patches minimatch, ajv, undici, flatted, diff, @isaacs/brace-expansion; 22 vulns → 1 unfixable (lodash in @forge/api)
  • Branch protection — enabled on main via GitHub API (requires PR + 1 review + CI passing)

Estimated score after merge: ~7.5–8.5 / 10

| Check | Before | After |
|---|---|---|
| Security-Policy | 0 | ~8 |
| Token-Permissions | 0 | ~9 |
| Pinned-Dependencies | 0 | ~7 |
| SAST | 0 | ~8 |
| Vulnerabilities | 0 | ~9 (1 unfixable lodash vuln in @forge/api) |
| Branch-Protection | 0 | ~8 |
| Code-Review | 0 | ~8 |
| Packaging | -1 | ~8 |

Remaining manual steps

  • CII Best Practices badge — apply at https://bestpractices.coreinfrastructure.org/
  • npm secret — add NPM_TOKEN secret in repo settings for the publish workflow
  • Dependabot — can add .github/dependabot.yml later for Dependency-Update-Tool score

Test plan

🤖 Generated with Claude Code
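As an added illustration of two of the Scorecard checks this PR targets (Pinned-Dependencies and Token-Permissions), the following script is not part of the PR or the repository; it runs a line-based check over a constructed "before" and "after" workflow, and the 40-zero SHA is a placeholder, not a real commit.

```python
"""Lightweight checks for two OSSF Scorecard findings: every `uses:` pinned
to a full commit SHA, and a restrictive top-level `permissions:` block.
Line-based on purpose so it needs no YAML library (assumption: one `uses:`
per line, as GitHub workflows are normally written)."""
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow: str) -> list[str]:
    """Return `uses:` references whose ref is not a 40-hex commit SHA.
    Local actions (./path) and docker:// images are out of scope here."""
    bad = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")  # tag, branch or SHA after '@'
        if not SHA_RE.match(version):
            bad.append(ref)
    return bad


def has_restrictive_top_level_permissions(workflow: str) -> bool:
    """True if a column-0 `permissions:` precedes `jobs:` and is `read-all`,
    `{}` or a scoped block (block entries are not inspected here)."""
    for line in workflow.splitlines():
        if line.startswith("jobs:"):
            return False  # reached jobs without a top-level permissions key
        if line.startswith("permissions:"):
            return line.split(":", 1)[1].strip() in ("read-all", "{}", "")
    return False


# Constructed samples, not the repository's real ci.yml.
PLACEHOLDER_SHA = "0" * 40  # stand-in for a real pinned commit
BEFORE = """name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: pnpm test
"""
AFTER = BEFORE.replace("jobs:", "permissions: read-all\njobs:") \
    .replace("@v4", f"@{PLACEHOLDER_SHA} # v4")
```

Running `unpinned_actions(BEFORE)` reports both tag-pinned actions while `AFTER` is clean, and only `AFTER` passes the top-level permissions check.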

chatch and others added 2 commits March 17, 2026 12:02
…n fixes

- Add SECURITY.md with vulnerability reporting policy (Security-Policy: 0→~8)
- Pin all GitHub Actions to SHA hashes in ci.yml, scorecard.yml (Pinned-Dependencies: 0→~7)
- Add permissions: read-all to ci.yml top-level (Token-Permissions: 0→~9)
- Add CodeQL analysis workflow for JavaScript/TypeScript (SAST: 0→~8)
- Add npm publish workflow triggered on GitHub releases (Packaging: -1→~8)
- Update vitest to 4.1.0, fixing rollup <4.59.0 vulnerability
- Add pnpm.overrides to patch transitive vulns in minimatch, ajv, undici,
  flatted, diff, @isaacs/brace-expansion (22 vulns → 1 unfixable lodash)
- Enable branch protection on main via GitHub API (Branch-Protection: 0→~8)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@chatch chatch merged commit df32e85 into main Mar 17, 2026
3 checks passed
