Add OpenSSF ScoreCard to Coder #14879
Labels: docs, Area: coder.com/docs
Comments
Thanks for suggesting, we'll definitely look into this cc @matifali
This was referenced Oct 2, 2024
matifali added a commit that referenced this issue on Oct 7, 2024:
Closes #14879 We will keep improving the score. Currently, Coder gets 7.0/10.0.
Awesome turn around. Useful to keep track of this and helps with our risk assessment.
matifali added a commit that referenced this issue on Oct 14, 2024:
Use specific commit SHAs for GitHub actions across various workflows to enhance reliability and reproducibility. This change ensures that actions run against a known version, reducing the risk of unexpected issues due to updates in the third-party action repositories. This contributes to improving the score in #14879
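The commit above pins third-party actions to commit SHAs, which is what the Scorecard Pinned-Dependencies check looks for. The following is an added example, not code from the Coder repository or from the Scorecard project: a small checker that scans a GitHub Actions workflow for `uses:` references that are not pinned to a full 40-character commit SHA. The workflow text it runs over is constructed for the example, and the SHA in it is a placeholder, not a real commit.

```python
import re
import sys

# Constructed sample workflow (not from the Coder repo). One step is pinned to a
# mutable tag, one to a placeholder full commit SHA with the usual version
# comment, one is a local composite action, and one is a docker:// image by tag.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5.0.2
      - uses: ./.github/actions/local-composite
      - uses: docker://alpine:3.20
      - name: Build
        run: go build ./...
"""

# Matches "uses: <ref>" (optionally as a list item) and captures the ref up to
# whitespace or a trailing "# vX.Y.Z" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
# A full git commit SHA: exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text: str) -> list[str]:
    """Return every `uses:` reference that is not pinned to an immutable ref.

    Local composite actions (./path) are skipped: they live in the same repo
    and are versioned with it. docker:// images count as pinned only when they
    carry an @sha256 digest. Everything else must end in a full commit SHA;
    a tag such as @v4 is mutable and can be repointed by the action's owner.
    """
    unpinned = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(1)
        if ref.startswith("./"):
            continue
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                unpinned.append(ref)
            continue
        if "@" not in ref:
            unpinned.append(ref)
            continue
        _, _, version = ref.rpartition("@")
        if not FULL_SHA_RE.match(version):
            unpinned.append(ref)
    return unpinned


def check_files(paths: list[str]) -> int:
    """Scan each workflow file; return the number of unpinned references found."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for ref in find_unpinned_actions(fh.read()):
                print(f"{path}: unpinned action {ref}")
                total += 1
    return total


if __name__ == "__main__":
    # With no arguments, run over the constructed sample; otherwise scan the
    # workflow files given on the command line (e.g. .github/workflows/*.yml).
    if len(sys.argv) > 1:
        sys.exit(1 if check_files(sys.argv[1:]) else 0)
    for ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print("unpinned action:", ref)
```

Run against the sample, it reports `actions/checkout@v4` and `docker://alpine:3.20`; the SHA-pinned step and the local composite action pass. The `# v5.0.2` comment after a pinned SHA is the convention that keeps the human-readable version visible next to the immutable ref.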
matifali added a commit that referenced this issue on Oct 16, 2024:
We have improved our score to 8.5 now.
matifali added a commit that referenced this issue on Nov 15, 2024:
Enables [build attestation](https://docs.docker.com/build/metadata/attestations/slsa-provenance/) for the docker-base image. Contributes to #14879 and coder/internal#89 As an experiment, we are only doing it with the coder-base image for now.
matifali added a commit that referenced this issue on Feb 14, 2025:
This should bump OpenSSF Score added in #14879
matifali added a commit that referenced this issue on Feb 14, 2025:
This should bump OpenSSF Score added in #14879
When working with open source at enterprise companies, governance, compliance and security come up. Adding OpenSSF ScoreCard (https://openssf.org/) could be a good way to address that, especially when it comes to auditing.
An example open source repo that does this well, which also has good docs describing how the processes work:
https://docs.powertools.aws.dev/lambda/python/latest/security/