Security Enhancement: Scorecard GitHub Action

Hello!

First of all, forgive me if I'm not raising this topic in the right place or category, first time contributing here :grimacing:

My name is Diogo and I'm part of the Google Open Source Security Team (GOSST), which joins efforts with OpenSSF to enhance Open Source Security. I'm here to suggest the adoption of the Scorecard GitHub Action on the Rust repository, and I'd be happy to raise a PR implementing it for you, but I preferred to first come here and check your interest in it =)

I'm reaching out because Rust is becoming a huge and very influential project, so enhancing or certifying its security is important for the whole Open Source community, and I think Scorecard could help to achieve this goal. This tool works with a set of security checks that would be automatically run over your repository and point out, on your security tab, possible vulnerabilities or ways to enhance the security of your project.

If this specific tool does not make sense to you, I also make myself available to help with any other security concern that seems relevant to you.

Thanks for the attention!

Could you run a demo on a fork, so we can see what it looks like on rust?

Going through the checks at OpenSSF Scorecard

tl;dr: Some don't make sense in the context of a compiler that is not meant to be exposed to adversarial inputs. Most are already done. Some could still be done.

  • Vulnerabilities: If there is a security vulnerability, it is announced on the rust blog as well as the rustlang-security-announcements google groups mailing list. We don't have any known unfixed security vulnerabilities at the moment.
  • Dependency Update Tool: Not done AFAIK. Doesn't add much for rustc as compiling malicious code can likely cause arbitrary code execution anyway. LLVM is explicitly not considered safe on untrusted inputs. Some other projects under the rust-lang organization do use a dependency update tool though.
  • Maintained: Yes
  • Security Policy: Available at Security policy - Rust Programming Language
  • Licence: Work is being done on automatically checking everything using REUSE.
  • CII Best Practices: Seems to be mostly met.
  • CI Tests: Rust follows the "no rocket science" rule. This means that CI is always green for the master branch.
  • Fuzzing: Not much point in fuzzing a compiler other than to find crashes. We do smoke testing before every release though using crater. Crater is a tool which runs rustc on all publicly available Rust code to find regressions.
  • SAST: None of the listed static analysis tools support rust. Rustc itself does a lot of checks. We deny all lint warnings on CI.
  • Binary Artifacts: No, rustc is a bootstrapped compiler, which means it needs an earlier release to build. mrustc is a C++ compiler capable of building rustc 1.54 though. In addition, for a while now we have been pinning the exact bootstrap artifacts.
  • Branch Protection: Yes, only the bors bot can push to master. And bors enforces that CI passed.
  • ? Dangerous Workflow: No clue.
  • Code Review: Yes, with the exception of subtree syncs and submodule updates. The expectation is that those have already been reviewed in the respective repos.
  • Contributors: Definitely!
  • Pinned Dependencies: Yes. We check in Cargo.lock.
  • ? Token Permissions: I believe some steps need write permission.
  • Packaging: Mostly. Builds happen on CI, but signing and publishing as official releases happens on a separate machine I believe.
  • Signed Releases: Stable releases are signed. Beta and nightly aren't I believe.

By the way I'm not sure how an automated tool would be able to tell the answer to most of the bullet points.

So, on the reply that I've deleted I said that I could show you a demo on a fork, but actually that's not completely possible, because only the maintainer of the repo (in this case of the fork) could see the results on the security tab.

However, I've created the fork and added the scorecards, and I'll share some prints of the results on the security tab:

Notice that some of the checks on the fork are not applicable to the original repo, such as "Maintained" or "Security Policy".

Here is what is shown when opening one of the issues, for example:

Issues #69 "Code-Review" and #71 "Maintained" are not correct. Does it view the absence of CODEOWNERS as an issue? We don't use it. Every reviewer is allowed to change any file as PRs often change multiple parts of the code base, while still being reviewable just fine by someone who is only on a single team. For example a change to a compiler intrinsic would affect both rustc and the standard library, but would only be reviewed by someone on the compiler team as the library team is not concerned with the interface between the standard library and the compiler.

The token permissions flagged are intentional as it does actually need write access. We use read-only tokens by default and explicitly override it where necessary:

You are right, #69 and #71 are incorrect, but it's because those prints were taken from the analysis of my fork (GitHub - diogoteles08/rust: Empowering everyone to build reliable and efficient software.). I sent these prints more for a view on how it's displayed on your security tab.

Makes sense. Going through the list of results:

  • Security policy: False positive due to running on a fork. The real repo has an org wide security policy registered with github. => can ignore
  • SAST: No CodeQL support for Rust. => not actionable
  • Maintained: False positive due to running on a fork. => can ignore
  • Fuzzing: Not security critical.
  • Code Review: False positive due to running on a fork. => can ignore
  • CII best practices: We follow at least the majority.
  • Dependency update tool: already reasoned about this earlier.
  • Branch protection: False positive due to running on a fork. => can ignore
  • Token permissions: Not actionable. Maybe scorecard check should ignore explicit elevated token permissions when the default is set to read-only?
  • Pinned dependencies: All unpinned dependencies are either specific versions of ubuntu as container, GitHub owned actions, rust-lang owned actions or a couple of npm installations. For the containers and actions I don't think pinning adds much given that all come from a trusted source. For the npm installations, I guess a lockfile would make sense.
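The two points raised above, a read-only default token with an explicit per-job override (also mentioned in the earlier reply about token permissions) and pinning of actions, containers and npm installs, shown together in one GitHub Actions workflow. This is an added example and not a workflow from rust-lang/rust; the job names, the scripts it calls and the all-zero commit SHA are placeholders.

```yaml
# Added example, not the rust-lang/rust CI configuration.
name: ci

on:
  pull_request:
  push:
    branches: [master]

# Workflow-level default: GITHUB_TOKEN can only read. This top-level block
# is what Scorecard's Token-Permissions check inspects first. `{}` would be
# stricter still (no scopes at all).
permissions: read-all

jobs:
  test:
    runs-on: ubuntu-22.04            # a specific image rather than ubuntu-latest
    steps:
      # Scorecard's Pinned-Dependencies check wants a full commit SHA instead
      # of a mutable tag; the trailing comment records which tag the SHA was
      # resolved from. The SHA below is a placeholder, not a real commit.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
      # `--locked` makes cargo refuse to modify the checked-in Cargo.lock.
      - run: cargo test --locked
      # `npm ci` installs exactly what package-lock.json records and fails if
      # the lockfile is missing or out of sync, which is the lockfile-based
      # answer to the npm finding.
      - run: npm ci

  publish-preview:
    needs: test
    runs-on: ubuntu-22.04
    # Job-level override: only this job is elevated, and only to the scope it
    # needs. Scorecard still reports this, which is the "intentional" finding
    # discussed above.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
      - run: ./publish-preview.sh    # hypothetical script
```

A job without its own `permissions` block inherits the workflow-level `read-all`, so adding a new job cannot silently gain write access; an override has to be written down where a reviewer will see it.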

It's great that most of the scorecard checks are already matched by Rust! And I also appreciate your time following through the checks.

I'm indeed not familiar with how security policies are specifically managed on a compiler, so you're really in a better place to tell if Scorecard is useful or not for your repo.

However, Scorecard can also be useful as a tool to help to keep the repo secure, and it's receiving improvements quickly. As an example, one of the big improvements to come would integrate Scorecard with the OSV-Scanner, and scan the dependencies of the project for known vulnerabilities.

Wait, if you want to check the actionable reports of Scorecard, looking at the prints of my local fork is not ideal. I've run the Scorecard CLI locally, evaluating the actual rust-lang/rust repository. These were the results:

Starting [Code-Review]
Starting [CI-Tests]
Starting [Dependency-Update-Tool]
Starting [SAST]
Starting [Contributors]
Starting [Pinned-Dependencies]
Starting [Dangerous-Workflow]
Starting [License]
Starting [Maintained]
Starting [Branch-Protection]
Starting [Fuzzing]
Starting [CII-Best-Practices]
Starting [Vulnerabilities]
Starting [Token-Permissions]
Starting [Security-Policy]
Starting [Binary-Artifacts]
Starting [Signed-Releases]
Starting [Packaging]
Finished [Dangerous-Workflow]
Finished [Contributors]
Finished [Pinned-Dependencies]
Finished [Branch-Protection]
Finished [Fuzzing]
Finished [CII-Best-Practices]
Finished [License]
Finished [Maintained]
Finished [Security-Policy]
Finished [Binary-Artifacts]
Finished [Signed-Releases]
Finished [Packaging]
Finished [Vulnerabilities]
Finished [Token-Permissions]
Finished [Dependency-Update-Tool]
Finished [SAST]
Finished [Code-Review]
Finished [CI-Tests]

RESULTS
-------
Aggregate score: 7.4 / 10

Check scores:
|---------|------------------------|--------|---------|---------------------------|
|  SCORE  |          NAME          | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------|---------|---------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#binary-artifacts |
| 3 / 10 | Branch-Protection | branch protection is not maximal on development and all release branches | Info: 'force pushes' disabled on branch 'master'. Info: 'allow deletion' disabled on branch 'master'. Warn: no status checks found to merge onto branch 'master'. Warn: number of required reviewers is only 0 on branch 'master' | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#branch-protection |
| 10 / 10 | CI-Tests | 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 | | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#ci-tests |
| 0 / 10 | CII-Best-Practices | no badge detected | | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#cii-best-practices |
| 8 / 10 | Code-Review | GitHub code reviews found for 26 commits out of the last 30 -- score normalized to 8 | Warn: no reviews found for commit: 4ff5a3655f1e7bed94d847f6888a2c0659aba276. Warn: no reviews found for commit: 3c53781800e50b2abc72c5b1542400eff48a8126. Warn: no reviews found for commit: | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#code-review |
|         |                        |                                | 2b05f841155c06b61fceb390c3cc3c2c974306a0                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                                                       |
|         |                        |                                | Warn: no reviews found for commit:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |                                                                                                                       |
|         |                        |                                | cbdc00f6e61132cbb74397cbb91171756e5d5834                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                                                       |
|---------|------------------------|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors           | 100 different organizations    | Info: contributors work for 2k36,AeroRust,EmbarkStudios,FLIF-hub,FTP-rs,Farmhouse,FerrisLand,JumpstartLab,LykenSol,LykenSol-abandoned,NixOS,NuxiNL,OsnaCS,Rust-GCC,RustFestEU,Ultramarine-Linux,actix,alumxi22,amazon web                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#contributors           |
|         |                        | found -- score normalized to   | services,arcturo,async-rs,bastion-rs,bytecodealliance,dada-lang,dena,diesel-rs,documenting-ruby,drapergem,eddyb-abandoned,embecosm,feminism-chat,ferrous-systems,freifunk-saar,fusion-engineering,fusion-engineering-forks,georust,google,gtk-rs,hacketyhack,huawei,igalia,image-rs,intellij-rust,intermezzOS,knurling-rs,kubernetes,kubernetes-sigs,kuchiki-rs,lalrpop,lambda-llama,larcenists,llvm,lykensol,maintainers,messloc,nodejs,notify-rs,nrf-rs,nuprl,opencollective,openhwgroup,openvalidation,osgcc,osm-without-borders,oxidecomputer,pingcap,pkgjs,psoc-rs,rails,rayon-rs,recogni,resque,rubinius,rust-analyzer,rust-bus,rust-cli,rust-community,rust-dev-tools,rust-docs,rust-fuzz,rust-lang,rust-lang-deprecated,rust-lang-nursery,rust-osdev,rust-phf,salsa-rs,semver,servo,shoes,sinatra,stm32-rs,stylelint,tigerbeetledb,unicode-org,unicode-rs,w3c,wg21link,whatwg,wlanslovenija,xomboverlord |                                                                                                                       |
|         |                        | 10                             |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                                                                                       |
|---------|------------------------|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#dangerous-workflow     |
|         |                        | detected                       |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                                                                                       |
|---------|------------------------|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected           | Info: Dependabot detected                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Fuzzing                | project is fuzzed with         |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#fuzzing                |
|         |                        | [OSSFuzz]                      |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                                                                                       |
|---------|------------------------|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License                | license file detected          | Info: : COPYRIGHT:1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#license                |
|---------|------------------------|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained             | 30 commit(s) out of 30 and 10  |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#maintained             |
|         |                        | issue activity out of 30 found |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                                                                                       |
|         |                        | in the last 90 days -- score   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                                                                                       |
|         |                        | normalized to 10               |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                                                                                       |
|---------|------------------------|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Packaging              | no published package detected  | Warn: no GitHub publishing                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#packaging              |
|         |                        |                                | workflow detected                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |                                                                                                                       |
|---------|------------------------|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 5 / 10  | Pinned-Dependencies    | dependency not pinned by hash  | Warn: GitHub-owned GitHubAction not pinned by hash:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#pinned-dependencies    |
|         |                        | detected -- score normalized   | .github/workflows/ci.yml:592: update your workflow using                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                                                       |
|         |                        | to 5                           | https://app.stepsecurity.io/secureworkflow/rust-lang/rust/ci.yml/master?enable=pin                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |                                                                                                                       |
|         |                        |                                | Warn: third-party GitHubAction not pinned by hash:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |                                                                                                                       |
|         |                        |                                | .github/workflows/ci.yml:612: update your workflow using                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                                                       |
|         |                        |                                | https://app.stepsecurity.io/secureworkflow/rust-lang/rust/ci.yml/master?enable=pin                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |                                                                                                                       |
|         |                        |                                | Warn: GitHub-owned GitHubAction not pinned by hash:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |                                                                                                                       |
|         |                        |                                | .github/workflows/ci.yml:695: update your workflow using                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                                                       |
|         |                        |                                | https://app.stepsecurity.io/secureworkflow/rust-lang/rust/ci.yml/master?enable=pin                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |                                                                                                                       |
|---------|------------------------|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | SAST                   | SAST tool is not run on all    | Warn: 0 commits out of 30 are                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#sast                   |
|         |                        | commits -- score normalized to | checked with a SAST tool Warn:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |                                                                                                                       |
|         |                        | 0                              | CodeQL tool not detected                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                                                       |
|---------|------------------------|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Security-Policy        | security policy file detected  | Info: security policy                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#security-policy        |
|         |                        |                                | detected in org repo:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                                                                       |
|         |                        |                                | github.com/rust-lang/.github/SECURITY.md:1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                                                                                       |
|---------|------------------------|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Signed-Releases        | no releases found              | Warn: no GitHub releases found                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#signed-releases        |
|---------|------------------------|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Token-Permissions      | non read-only tokens detected  | Info: topLevel 'contents' permission set to 'read':                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#token-permissions      |
|         |                        | in GitHub workflows            | .github/workflows/ci.yml:29: update your workflow using                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |                                                                                                                       |
|         |                        |                                | https://app.stepsecurity.io/secureworkflow/rust-lang/rust/ci.yml/master?enable=permissions                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                                                                                       |
|         |                        |                                | Warn: jobLevel 'actions' permission set to 'write':                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |                                                                                                                       |
|         |                        |                                | .github/workflows/ci.yml:153: update your workflow using                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                                                       |
|         |                        |                                | https://app.stepsecurity.io/secureworkflow/rust-lang/rust/ci.yml/master?enable=permissions                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                                                                                       |
|         |                        |                                | Warn: jobLevel 'actions' permission set to 'write':                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |                                                                                                                       |
|         |                        |                                | .github/workflows/ci.yml:567: update your workflow using                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                                                       |
|         |                        |                                | https://app.stepsecurity.io/secureworkflow/rust-lang/rust/ci.yml/master?enable=permissions                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                                                                                       |
|         |                        |                                | Warn: jobLevel 'actions' permission set to 'write':                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |                                                                                                                       |
|         |                        |                                | .github/workflows/ci.yml:36: update your workflow using                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |                                                                                                                       |
|         |                        |                                | https://app.stepsecurity.io/secureworkflow/rust-lang/rust/ci.yml/master?enable=permissions                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                                                                                       |
|---------|------------------------|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities        | no vulnerabilities detected    |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#vulnerabilities        |
|---------|------------------------|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|

I just removed part of the content of the "Pinned-Dependencies" result, because there were several repeated (and not critical) scenarios.

For "Branch-Protection" it seems to get confused by the CI setup we have. Bors merges each PR with the current master branch into the auto branch over at https://github.com/rust-lang-ci/rust/. Then CI runs there and finally it pushes it to the master branch on the main repo. We don't require formal GitHub reviews; instead a reviewer comments @bors r+ to add it to the bors queue to be tested. This all means that the merge commit never has a reviewer approve it as far as GitHub is concerned, and because CI runs in a different repo, no status checks are required either.

Hello Diogo, and thanks for dedicating time to Rust's security!

Quickly skimming the report, there are some things it highlights that should ideally be addressed, like pinning NodeJS dependencies and removing the actions: write workflow permission[1]. Running tools like Scorecard one-off is useful to highlight these problems.

I'm slightly worried about running these tools continuously to get a report and certify our adherence to guidelines though, because that will provide misleading results for users who don't have context on our infrastructure. We're a large, old project, with custom ad-hoc procedures the tool doesn't know about (like the organization split between rust-lang and rust-lang-ci, and using a custom review bot rather than GitHub Reviews). Some of the problems it identifies are not in fact problems for us, but that can't be represented in a score.


  1. It's needed by the cancel-outdated-builds GitHub Action we created, but we can remove that action: it was created at a time when GitHub Actions did not support cancelling old builds when a new build in the same branch started, but it's now possible to do that with the concurrency workflow key. So, we could remove the action and the permission, it's just low-priority cleanup that got pushed down by other work. ↩︎

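As an added illustration (this is not part of the thread and not the Rust repository's actual workflow), here is how the two points above look in a workflow file: the token is limited to `contents: read` instead of carrying `actions: write`, and the built-in `concurrency` key does the job the custom cancel-outdated-builds action used to need write access for. The workflow name, job and `cargo test` step are placeholders.

```yaml
# Added example, not the rust-lang/rust CI configuration. Minimal GitHub Actions
# workflow showing (a) least-privilege token permissions and (b) the built-in
# `concurrency` key replacing a custom "cancel outdated builds" action.
name: ci

on:
  push:
    branches: [master]
  pull_request:

# Workflow-level default for GITHUB_TOKEN. Once a `permissions` block is set,
# every scope not listed is `none`, so no job gets `actions: write` implicitly.
# `contents: read` is the minimum actions/checkout needs on a public repo.
# A job that really needs more (e.g. to publish artifacts) should request it
# on that job alone, not here.
permissions:
  contents: read

# One concurrency group per workflow + git ref (branch or PR). A new run in the
# same group cancels the one still in progress, with no extra token scope.
# `cancel-in-progress` accepts an expression, so cancellation can be restricted
# to pull requests: a merge queue usually wants every master build to finish.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Scorecard's Pinned-Dependencies check flags mutable tags like `@v4`;
      # it wants the action pinned to a full commit SHA (with the tag as a
      # comment so Dependabot/Renovate can still bump it).
      - uses: actions/checkout@v4
      # Placeholder build step for the example.
      - run: cargo test --workspace
```

The `cancel-in-progress` expression is the caveat a practitioner wants here: on the default branch, cancelling a still-running build of the previous commit means that commit never gets a complete CI result, which is rarely what you want when a bot is landing a queue of merges.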

Hi @pietroalbini, thank you very much for the thoughtful reply =)

I completely understand your point. Scorecard works well with general or default procedures, but it would indeed lead to misleading results on infrastructure like Rust's. I'll make sure to raise this as feedback to the Scorecard team!

Also, I'm glad that some of the highlights could be useful for Rust; I'd be happy to help fix the issues that you think should be addressed. Let me know the best way I can help =)
