You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Our team wants to use tonic for an ongoing project, however, we are concerned about the risk of bad changes making into the repository, introducing vulnerabilities into our project given how prevalent software supply chain attacks have become.
Those seem to be concerns that can be addressed fairly quickly, and can help increase the trust of the package so much. Really appreciate it if the settings can be strengthened soon.
Run security scan against the tonic repo:
scorecard --repo=https://github.com/hyperium/tonic --checks=Dangerous-Workflow,Maintained,Vulnerabilities,Binary-Artifacts,Branch-Protection,Code-Review,Token-Permissions,Signed-Releases,Dependency-Update-Tool --show-details
The text was updated successfully, but these errors were encountered:
Bug Report
Repository security settings can be strengthened.
Version
tonic "^0.12.3"
Platform
linux
Description
Our team wants to use tonic for an ongoing project, however, we are concerned about the risk of bad changes making into the repository, introducing vulnerabilities into our project given how prevalent software supply chain attacks have become.
We used the tool https://github.com/ossf/scorecard?tab=readme-ov-file#using-scorecard to help us assess the risk of using tonic. It suggested that some areas seem to be weak against bad behaviors:
branch protection - Warn: branch 'master' does not require approvers Warn: codeowners review is not required on branch 'master'. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection for more details.
token permission - Warn: no topLevel permission defined: .github/workflows/CI.yml:1. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions for more details.
binary artifacts checked-in - Warn: binary detected: interop/bin/client_darwin_amd64:1 Warn: binary detected: interop/bin/client_linux_amd64:1 Warn: binary detected: interop/bin/client_windows_amd64.exe:1 Warn: binary detected: interop/bin/server_darwin_amd64:1 Warn: binary detected: interop/bin/server_linux_amd64:1 Warn: binary detected: interop/bin/server_windows_amd64.exe:1. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts for details.
Those seem to be concerns that can be addressed fairly quickly, and can help increase the trust of the package so much. Really appreciate it if the settings can be strengthened soon.
Steps To Reproduce
See https://github.com/ossf/scorecard/tree/main?tab=readme-ov-file#scorecard-command-line-interface for instruction on running the tool.
Run security scan against the tonic repo:
scorecard --repo=https://github.com/hyperium/tonic --checks=Dangerous-Workflow,Maintained,Vulnerabilities,Binary-Artifacts,Branch-Protection,Code-Review,Token-Permissions,Signed-Releases,Dependency-Update-Tool --show-details
The text was updated successfully, but these errors were encountered: