Context

Announcement

Hello @UlisesGascon

The report include archived repository, I think it should not (what do you think?)

For example documentation-ui is archived in the list here:
https://github.com/NodeSecure/Governance/blob/main/reports/ossf_scorecard/report.md

Maybe we need an option to include or exclude public archive

My scores live at api.securityscorecards.dev (for example: link) and not at https://deps.dev, since that is where I push the data to (as indicated by the OSSF scorecard action).

I'd be happy to help add that config if you want.

We've recently been exploring the use of OpenSSF Scorecard Monitor for our various open source organizations, but hit a roadbump after finding that Scorecard Monitor was only discovering a handful of repositories in our orgs (regardless of which projects were listed in scope.json).

After some investigation, I realized that OpenSSF was automatically tracking a select group of our projects upstream, which is why some projects already scores and others didn't. I'd like to update the README docs to clarify these requirements, and provide some hints in case others experience similar issues.

Main Objective

Let's offer a way to sort the scores:

• by higher scores sort-by="ASC"
• by lower scores sort-by="DESC"

Context

Suggested in OSFF Slack

Technical requirements

It is important to notice that one user can scan several organizations so the sorting without a grouping support can be very confusing. So let's ship this feature with a grouping option like: group-by="ORG"

It will be great to support CAPITAL an LOWER values like ASC or asc

Also this feature must be documented

As discussed in nodejs/security-wg#949, it will great to improve the feedback to the users. Currently we only shows the different in a numerical value like +0.7 or -2.1, but is not clear what has trigger that change.

Full feedback in this video (from 10:30 to 12:40)

TL;DR:

I am very glad to announce that this repository is now part of the OSSF Organization, so the Scorecard Visualizer is now an official tool in the OSSF Scorecard ecosystem. 🎊 🎊

Important Details

As part of the migration process, the repository has been transferred to the OSSF (from UlisesGascon/openssf-scorecard-monitor to ossf/scorecard-monitor). The redirection should be working, so no additional steps are required from your part. Starting from version v2.0.0-beta8, we will use the new URLs (soon to be released).

Let's celebrate this moment together 🤗

This journey started a long time ago, even before the first commit on Feb 2023 when we started to adopt the OSSF Scorecard in the Node.js Organization (nodejs/security-wg#851) in Dec'22, thanks to the GOSST Team (@gabibguti, @joycebrum, @pnacht, @diogoteles08 and others) that helped us understand in detail what this project is about and how it can help our organization be more secure (full video).

As soon as I understood how important this was for the Open Source Community, I tried to spread this idea into the ecosystem, so I started to blog about it and discuss it with the community on social media.

The real challenge came when we needed to adopt it at the scale of Node.js, in the Node.js' security WG (nodejs/security-wg#851 (comment)). We realized that we needed a tool to help us monitor the scoring over time. In the following weeks, we started to iterate over this idea until we had the most basic features of the Monitor, especially thanks to Security WG (@mhdawson, @RafaelGSS, @marco-ippolito, @fraxken and others) for all the patience, feedback, ideas, and contributions to consolidate this tool and make it extensible to the community.

Once we had a clear idea on how to track the scores in our repositories, we realized that it was very hard for us to spot the evolution in terms of scoring differences. So, @KoolTheba joined the efforts by creating the Scorecard Visualizer that allowed us to showcase the scorecard details per project using commit hashes and to compare between two different commits. This was a game-changer for us as it allowed us to quickly spot the differences and act on them on a bi-weekly basis, especially when the diff details were added.

Our next big problem was how to reduce the Time To Remediation (TTR). One day, the Step Security team did an eye-opening demo for the Node.js Security WG (#37). Thanks, @varunsh-coder and @boahc077, for showing us the right way. Since then, there is a fix it link in the report to quickly apply many scorecard recommendations in any GitHub project.

I want to especially thank all the collaborators (@KoolTheba, @justaugustus, @lelia, @rajbos and others...) who helped us on this amazing journey, as well as all the users (@inigomarquinez, carpasse and others) and orgs that were early adopters and provided invaluable feedback and perspectives to the project!

Finally, thanks to the OpenJS Security Collab (@ruddermann, @ctcpip, @ljharb, @mrutkows, @shusak, @joesepi, @rginn, @bensternthal and others) for the endless discussions and invaluable knowledge shared in every session. Also, to the OSSF team for building these amazing tools and sharing them with me in advance (@laurentsimon, @naveensrinivasan and others...), and to the OSSF for helping us in all the donation journey and making all the changes required for us to join (@justaugustus, @afmarcum, @bbpursell1 and others).

📢 You can follow this discussion on Twitter, Linkedin and Mastodoon

I'd like to show the information in the table with a badge similar to what I have done in my org readme here:

Setup is like this:
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/devops-actions/issue-comment-tag/badge)](https://api.securityscorecards.dev/projects/github.com/devops-actions/issue-comment-tag)

I was expecting an issue to be created with my configuration (first test, love the functionality!) here.

If it only does that after the first delta (2 different dates?), then indicate it in the docs.

Overview

As a user, I want to quickly fix the scorecard results with a single click. http://app.stepsecurity.io provides a fantastic tool to auto generate a PR with several improvements, so the idea will be to include a link to it in each project.

Technical Requirements

• Add a link [Fix](http://app.stepsecurity.io/securerepo?repo={ORG}/{REPO}) to both reports.

Context

• Action items from last Security WG Meeting
• See Demo details 📺

As discussed in nodejs/security-wg#949, it will great to allow the repos to we categorized like primary, secondary.. so the output table can be split into several minor tables. That way is easier to focus only in a specific repos when the discovery mode is enabled. That way the user can control easy all the repos in a specific organization and segment the results for the analysis.

@KoolTheba This is very related to #35 but is a different feature

Full feedback in this video (from 16:12 to 17:05)

What if we can tag or assign the issue generated? Full context

Pending:

• Add auto-scoping example as the main example
• Explain tags
• Include policies samples about include vs exclude...
• Move current example to manual scope
• List orgs using the action
• Add reference to NodeSecure (NodeSecure/Governance#23)
• Add reference to All the users/orgs that use the tool
• Update the images
• Add alternative pipeline for storing the database and scope externally
• Include video tutorial

If the user uses report-tags-enabled=true then titles should not be included in the markdown report file:

For reference this are the titles:

# OpenSSF Scorecard Report

## Summary

Side note: This won't affect issues template

Overview

As a user, I want to be able to configure auto-scoping feature as true and include several github organizations as auto-scope-orgs (e.g. ['nodejs', 'OWASP']) in the Github action, so that the Github Action will list all the public repos available for the org, update the allowed scope with repos that were not previously included or in the exclusion list, save the changes in the file, commit the changes, and continue with the regular process.

Technical Requirements

• New input auto-scope to enable/disable auto-scoping feature
• New input auto-scope-orgs in the Github action that allow to include several github organizations, like ['nodejs', 'OWASP']
• Add new properties to the scope file to divide the content in allowed or excluded repositories {allowed: {org: [repo]}, excluded: {org: [repo]}}
• Collect the Org repos and compare against the included / excluded list
• Check if the api has indexed the repo or ignore it

Main logic

• Check that the Github token has been added as input or throw an error
• Generate a list from all the repos (public only) available for the org using the github api and the token
• Update the allowed scope with the repos that were not previously included or present in the exclusion list
• Save the changes in the scope file
• Commit the changes
• Continue with the regular process (ensure that the regular process is using the latest version of the scope ).

Context

• See 📺

Overview

As a user, I want to quickly understand how fresh the reports are. Therefore, I need to be able to see the HASH from the last commit, as well as a link to the repository, so I can easily understand the state of the reports on that particular moment.

Technical Requirements

• Extract additional data from the HTTP Request
• Generate a crafted URL with the hash
• Include this Hash information to the reports (markdown and issue)

Main logic

• Check that the Hash is included in the response
• Pass and store the hash as part of the database information just as the date or score
• Add an additional Column with the title last commit in the reports and include the url as value [{hash}]({hash_link}).

Context

• See 📺

Context

If there are no changes, the process will stop without notifying the changes or the output.

Todo

• Ensure that the current scores are available as output even if there are no changes
• Return and document an additional prop in the output hasChanged: Bool

As a user, I want to consume the output of this action in a different way

Technical Requirements

• Export the Score Analysis (the same used to render the report) as a JSON string (in a single line)

As proposed by @rajbos in #44 (comment), it will be nice to include custom urls with an argument like custom-api-url=https://myalternativeapi.com.

Do we need to map the org and repo to the new url? I mean.. currently we use https://api.securityscorecards.dev/projects/github.com/nodejs/node but this can be replaced by https://myalternativeapi.com/projects/github.com/nodejs/node, but we might need something more flexible than replace the domain like https://myapi.com/v1/security/{org}/reporting/{repo}/scorecard

Testing Strategy:

• Move not critical parts as external libraries with a proper testing (minimal for v2-beta1)
• Let's increase the test coverage from the action itself (minimal for v2)
• Let's cover scenarios in e2e

It will great to allow the usage of tags, to allow the output markdown to be integrated with existing files:

This text should remind the same...

<!-- OPENSSF-SCORECARD-MONITOR:START -->
<!-- OPENSSF-SCORECARD-MONITOR:END -->

This text will be also unaffected

Example of this implementation in gautamkrishnar/blog-post-workflow

From what I can see, the GITHUB_TOKEN is not needed for discovery (it would only have access to the current repo anyway), so we can remove it from this check. I ran into it during debugging (output tested in a ACTIONS_STEP_SUMMARY) and since it is not needed....