Enable OpenSSF Scorecard to enhance security practices across the project

[harshitasao]

Hi, I'm Harshita. I’m working with CNCF and the Google Open Source Security Team for the GSoC 2024 term. We are collaborating to enhance security practices across various CNCF projects. The goal is to improve security for all CNCF projects by both using OpenSSF Scorecards and implementing its security improvements.

The Open Source Security Foundation (OpenSSF) Scorecard is a tool designed to evaluate the security posture of open-source projects. This has the Scorecard GitHub Action, which automates the process by running security checks on the GitHub repository. By integrating this Action into the repository's workflow, developers can continuously monitor the project’s security posture. The Scorecard checks cover various security best practices and provide scores for multiple categories. Some checks include Code Reviews, Branch Protection, Signed Releases, etc.

The workflow runs on every change in the main branch. It publishes the Scorecard checks' results to the project's security dashboard and includes suggestions on how to solve any issues. This Action has already been adopted by 1800+ projects, with prominent users like Tensorflow, Angular, sos.dev, deps.dev, and many CNCF projects.

Once the Scorecard GitHub Action is set up and running, the results can be displayed as a badge in the repository's README file. This badge serves as a quick indicator of the project's security posture, helping users and contributors evaluate the project's security practices quickly.

Why is this needed:

The OpenSSF Scorecard improves open-source project's security by providing automated, transparent assessments of their security practices. It will help you identify vulnerabilities, adhere to best practices, and continuously enhance your security posture, increasing user trust and reducing the risk of security exploits.

I'll be the one to create the PR to add the scorecard GitHub action, and I will also work with you to remediate the identified vulnerabilities. I'll go through each scorecard check to see where the score has dropped and how it can be improved.

Would you be interested in a PR which adds this Action?

/cc @joycebrum @diogoteles08 @pnacht @nate-double-u

[juliusvonkohout]

We have CVE scanning with Trivy on the MASTER branch in kubeflow/manifests. But this might be still interesting, especially for other repositories.

[harshitasao]

Hey @juliusvonkohout. Could you please name the repositories where adding this scorecard action will be most beneficial. Thank you.

[juliusvonkohout]

Cc @kubeflow/kubeflow-steering-committee

[juliusvonkohout]

CC @rimolive @kimwnasptd @thesuperzapper @andreyvelich @johnugeorge

[rimolive]

This is important as part of the CNCF Graduation process, to show the community this is a healthy project in terms of governance, security and Open-Source best practices. I just noticed a CNCF CLO Monitor badge in kubeflow/kubeflow project and there's this topic about OpenSSF scorecards.

I totally support this, but need some more clarification here. @harshitasao Can you help me address these questions?

• Is the OpenSSF scorecard badge required in every kubeflow GitHub repository?
• Does OpenSSF works on the data collected since it is enabled in the repositories?
• What is the integration with the current security scanning tool Julius mentioned?

[agilgur5]

Hey @juliusvonkohout. Could you please name the repositories where adding this scorecard action will be most beneficial. Thank you.

@harshitasao IMO, all of the repos listed in the main Kubeflow README (including KServe). Can also see all non-archived repos sorted by stars (as a very rough correlation to usage) and focus on source code ones (vs docs and examples)

[agilgur5]

I don't work with Harshita -- I just found this issue from the Slack thread -- but I can answer some questions as a CNCF maintainer of Argo Workflows and Scorecard user (also former Kubeflow user and occasional contributor).

• Is the OpenSSF scorecard badge required in every kubeflow GitHub repository?

No. Afaik, CNCF does not even require OpenSSF Scorecard for graduation. It's probably encouraged though and IMO very good to have on almost any repo. CLOMonitor also references a few of the checks (but not all). I'm not an expert on graduation requirements though, so I'd recommend double-checking that for due diligence.
Per above, I'd probably focus on repos with the highest supply chain risk for highest impact first.

• Does OpenSSF works on the data collected since it is enabled in the repositories?

I'm not sure if this is a question for OpenSSF itself? I don't work for them so I can't answer that.
The Scorecard Action reports on this and OpenSSF/Google also runs a weekly cron job on a subset of popular GH repos as well. Improving the numbers will help improve security posture.

• What is the integration with the current security scanning tool Julius mentioned?

Scorecard (attempts to) check that you have certain scanners enabled, such as SAST.
SCA specifically is actually not checked for as Scorecard has its own CVE checks based on OSV.

We have CVE scanning with Trivy on the MASTER branch in kubeflow/manifests.

This is an SCA scan. Scorecard itself is a general purpose security posture scan, so largely orthogonal and complementary. You could also say that SCA is a subset.

EDIT: I removed some of the supply chain specifics here as Scorecard is more generic than supply chain security (see also SLSA and other projects that OpenSSF hosts), but those are some of the primary ones you can focus on from a repo and OSS level.