Improve security practices #787
sripwoud opened this issue May 20, 2024 · 1 comment
Comments
sripwoud commented May 20, 2024

See https://discord.com/channels/943612659163602974/1006997078259552346/1237782683229356173 (PSE internal discord).

Here are the scorecard results of the semaphore repo: 4.3/10 (scorecard.txt)

I don't think the goal is to get a 10/10.
But there are probably some quick wins we can implement like:

  • Improve branch protection rules
  • Add a dependency update/scan tool bot
    I like using socket-security on some of my repos
  • Pin some dependencies by hash
  • Add a security policy file
  • Restrict GH workflow tokens permissions
  • Address existing vulnerabilities

See the links in the report for more explanation and mitigations.
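Two of the quick wins listed above (pinning dependencies by hash and restricting workflow token permissions) are the Scorecard Pinned-Dependencies and Token-Permissions checks applied to GitHub Actions workflows. The following is an added example, not code from the semaphore project or from Scorecard: a small line-based checker run over two constructed workflow files, one with the weak configuration and one hardened. The workflow contents, the placeholder commit SHAs (all ones) and the function names are assumptions for illustration; it is a heuristic, not a YAML parser, so it only recognises a top-level `permissions:` key and `uses:` references of the `owner/repo@ref` form.

```python
"""Heuristic checks for two Scorecard items discussed in the issue:
Token-Permissions (top-level `permissions:` present and not write-all)
and Pinned-Dependencies (every `uses:` reference pinned to a 40-hex commit SHA).
Added example; line-based, not a full YAML parser."""
import re

# Constructed sample: no permissions block, actions pinned to mutable tags.
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci && npm test
"""

# Constructed sample: read-only token, actions pinned by commit SHA.
# The SHAs below are placeholders (all ones); a real workflow would use the
# actual commit of the tagged release, with the tag kept in a trailing comment.
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111 # v4 (placeholder sha)
      - uses: actions/setup-node@1111111111111111111111111111111111111111 # v4 (placeholder sha)
        with:
          node-version: 20
      - run: npm ci && npm test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_findings(workflow_text):
    """Return a list of human-readable findings; an empty list means both checks pass."""
    findings = []
    lines = workflow_text.splitlines()

    # Token-Permissions: without a top-level block, GITHUB_TOKEN gets the
    # repository default scopes, which are often write scopes.
    top_level = [l for l in lines if l.startswith("permissions:")]
    if not top_level:
        findings.append("no top-level 'permissions:' block; GITHUB_TOKEN falls back to default scopes")
    elif top_level[0].split(":", 1)[1].strip() == "write-all":
        findings.append("top-level permissions is 'write-all'; restrict to the scopes each job needs")

    # Pinned-Dependencies: a tag or branch can be moved, a commit SHA cannot.
    for n, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local or image references have no git ref to pin
        action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(f"line {n}: {action} pinned to '{version or '(none)'}', not a commit SHA")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, find_findings(text) or "ok")
```

Running it reports three findings for the weak workflow (missing permissions block, two tag-pinned actions) and none for the hardened one; extending the same loop over every file under `.github/workflows/` gives a cheap pre-commit gate for those two Scorecard items.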
cedoor commented May 21, 2024

Thank you very much for pointing this out @sripwoud! Super important 🙏🏽