Skip to content

security: OpenSSF Scorecard hardening — Stage 1 + Pinned-Dependencies (proposal)#13

Open
cliffcolvin wants to merge 4 commits into
opencost:mainfrom
cliffcolvin:stage1/openssf-scorecard-hardening
Open

security: OpenSSF Scorecard hardening — Stage 1 + Pinned-Dependencies (proposal)#13
cliffcolvin wants to merge 4 commits into
opencost:mainfrom
cliffcolvin:stage1/openssf-scorecard-hardening

Conversation

@cliffcolvin

@cliffcolvin cliffcolvin commented Jul 9, 2026

Copy link
Copy Markdown
Member

Proposal: OpenSSF Scorecard hardening

Opening this as a proposal for discussion. It targets the cheapest, highest-value Scorecard findings — all additive and low-risk. Config/policy wins (Stage 1) plus Actions SHA-pinning (Stage 2a).

Stage 1 — file/config wins

1. Dependency-Update-Tool (0 → 10) — add .github/dependabot.yml covering the gomod and github-actions ecosystems on a weekly cadence. Best effort-to-points trade in the plan, and it doubles as the maintenance engine that keeps pinned action SHAs current (see Stage 2a). Styled to match the OpenCost org's own dependabot config.

2. Security-Policy (0 → 10) — add a root SECURITY.md. It provides a private vulnerability reporting contact, a supported-versions statement, and an explicit disclosure policy. Structure is adapted from the OpenCost org policy, trimmed to what applies to bingen (no container image signing here).

3. Token-Permissions (0 → 10)update-go-version.yaml set top-level contents: write, which is why this check scored 0 while every other workflow is already read-scoped. This sets the top level to contents: read and moves contents: write + pull-requests: write down to the single job that commits the bump and opens the PR.

Stage 2a — Pinned-Dependencies (3 → ~10)

Pin every unpinned uses: reference to a full-length commit SHA, keeping the human-readable version tag in a trailing comment. Go module deps already count as pinned, so this is purely the Actions.

Actions pinned in this PR: actions/checkout, actions/setup-go, actions/cache, actions/upload-artifact, actions/download-artifact, github/codeql-action/{init,autobuild,analyze,upload-sarif}, golangci/golangci-lint-action, peter-evans/create-pull-request. (ossf/scorecard-action, SonarSource/sonarqube-scan-action, and aquasecurity/trivy-action were already SHA-pinned.)

Files touched: build-test.yaml, codecs-check.yaml, codeql.yaml, format-check.yaml, golangci-lint.yaml, scorecard.yml, sonar.yaml, update-go-version.yaml, vulnerability-scan.yaml. The Dependabot github-actions config from Stage 1 keeps these SHAs from going stale.

Note: private vulnerability reporting must be enabled in the repo Settings → Security for the SECURITY.md reporting link to resolve.

🤖 Generated with Claude Code

Copilot AI review requested due to automatic review settings July 9, 2026 18:20

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR proposes Stage 1 OpenSSF Scorecard hardening by adding baseline security hygiene artifacts (Dependabot + SECURITY.md) and tightening GitHub Actions default token permissions to least-privilege.

Changes:

  • Add .github/dependabot.yml for weekly updates of github-actions and gomod dependencies.
  • Add a repository SECURITY.md describing supported versions, reporting flow, and disclosure process.
  • Reduce default workflow token permissions in update-go-version.yaml, scoping write permissions to the job.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
SECURITY.md Adds a security policy with reporting and disclosure guidance.
.github/workflows/update-go-version.yaml Lowers default token permissions and scopes write permissions to the update job.
.github/dependabot.yml Configures weekly Dependabot updates for Actions and Go modules.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/dependabot.yml Outdated
Comment on lines +7 to +9
labels:
- "dependencies"
- "github-actions"
Comment thread .github/dependabot.yml Outdated
Comment on lines +15 to +17
labels:
- "dependencies"
- "go"
Copilot AI review requested due to automatic review settings July 9, 2026 18:23

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Comment thread SECURITY.md Outdated
Copilot AI review requested due to automatic review settings July 9, 2026 18:28
cliffcolvin and others added 2 commits July 9, 2026 13:29
Address three low-risk, additive Scorecard findings:

- Dependency-Update-Tool: add .github/dependabot.yml covering the
  github-actions and gomod ecosystems (weekly). Also keeps pinned
  action SHAs current for later hardening stages.
- Security-Policy: add SECURITY.md with a private vulnerability
  reporting contact, disclosure policy, and supported-versions info.
- Token-Permissions: update-go-version.yaml declared top-level
  contents: write. Scope it to read at the top level and move
  contents/pull-requests: write down to the job that commits and
  opens the PR.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Cliff Colvin <clifford.colvin@ibm.com>
Match the OpenCost org's dependabot style (commented sections, no
custom labels). Single gomod directory since bingen is a single
module, plus the github-actions ecosystem.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Cliff Colvin <clifford.colvin@ibm.com>
@cliffcolvin cliffcolvin force-pushed the stage1/openssf-scorecard-hardening branch from f261a82 to b25dbc3 Compare July 9, 2026 18:29
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Cliff Colvin <clifford.colvin@ibm.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.

Copilot AI review requested due to automatic review settings July 9, 2026 18:30
Scorecard Pinned-Dependencies (Stage 2a). Pin every unpinned `uses:`
reference to a full-length commit SHA, keeping the human-readable
version tag in a trailing comment. Covers build-test, codecs-check,
codeql, format-check, golangci-lint, scorecard, sonar,
update-go-version, and vulnerability-scan.

The Dependabot github-actions config added in this branch keeps these
SHAs current so pinning does not rot.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Cliff Colvin <clifford.colvin@ibm.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated no new comments.

Copilot AI review requested due to automatic review settings July 9, 2026 18:33
@cliffcolvin cliffcolvin changed the title security: OpenSSF Scorecard Stage 1 hardening (proposal) security: OpenSSF Scorecard hardening — Stage 1 + Pinned-Dependencies (proposal) Jul 9, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.

Comment thread SECURITY.md

## Code Security

Application code is version controlled using GitHub. All code changes are tracked with full revision history and are attributable to a specific individual. Code must be reviewed and accepted by a different engineer than the author of the change.
Comment thread SECURITY.md

Please include a thorough description of the issue, the steps you took to reproduce it, affected versions, and, if known, any mitigations. The maintainers will help diagnose the severity of the issue and determine how to address it. We aim to acknowledge new reports within 3 business days. Issues deemed to be non-critical will be filed as GitHub issues. Critical issues will receive immediate attention and be fixed as quickly as possible.

## Disclosure policy
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants