Skip to content

fix: address OpenSSF Scorecard findings#91

Merged
don-petry merged 6 commits into
mainfrom
scorecard-fixes
Mar 28, 2026
Merged

fix: address OpenSSF Scorecard findings#91
don-petry merged 6 commits into
mainfrom
scorecard-fixes

Conversation

@don-petry

@don-petry don-petry commented Mar 27, 2026

Copy link
Copy Markdown
Collaborator

Summary

Closes #85, #86, #87, #88, #89, #90

Test plan

  • Verify CI passes on this PR
  • Verify CodeQL analysis runs successfully
  • Verify no workflow permission errors
  • Verify npm audit reports 0 vulnerabilities

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores

    • Standardized workflow permissions to explicit, least-privilege defaults and moved specific grants to job level.
    • Pinned CI action references to fixed commits for reproducible runs.
    • Added a scheduled security scan trigger and minor workflow input naming update for an external integration.
  • Security

    • Added SECURITY.md with vulnerability reporting channels, required report details, and target response timelines.

- Add SECURITY.md (#85)
- Scope workflow token permissions to least privilege (#86)
- Pin all GitHub Action dependencies to commit SHAs (#87)
- Update vulnerable dependencies via npm audit fix (#88)
- Add schedule trigger to CodeQL for full SAST coverage (#89)
- Ensure CI and SAST run on all pushes and PRs (#90)

Closes #85, #86, #87, #88, #89, #90

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 27, 2026 20:45
@coderabbitai

coderabbitai Bot commented Mar 27, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ab7a972c-35b6-4d91-bb13-ba50f146fbed

📥 Commits

Reviewing files that changed from the base of the PR and between 86817ca and 586bcbd.

📒 Files selected for processing (1)
  • .github/workflows/claude.yml

📝 Walkthrough

Walkthrough

Top-level GitHub Actions workflows now declare empty workflow-level permissions (permissions: {}) with job-level permission blocks added/adjusted as needed. Multiple action usages were pinned from floating tags to specific commit SHAs. A new SECURITY.md was added describing vulnerability reporting channels and response timelines.

Changes

Cohort / File(s) Summary
Workflows — CI & Tests
/.github/workflows/ci.yml, /.github/workflows/nodejs-tests.yml, /.github/workflows/playwright-tests.yml, /.github/workflows/coverage.yml
Added top-level permissions: {} and added/adjusted job-level permissions (e.g., contents: read, actions: write). Pinned actions/checkout, actions/setup-node, and actions/cache from major tags to commit SHAs; preserved job steps and commands.
Workflows — Analysis & Scanning
/.github/workflows/codeql-analysis.yml, /.github/workflows/sonarcloud.yml
Added top-level permissions: {} and explicit job-level permission blocks. Pinned actions/checkout and CodeQL-related action refs to commit SHAs. codeql-analysis also gained a schedule trigger (cron: '25 14 * * 1').
Workflows — Dependabot & CLA / Claude
/.github/workflows/dependabot-automerge.yml, /.github/workflows/claude.yml
Converted global workflow permissions to empty and moved/granted granular permissions at job level. Pinned third‑party actions to commit SHAs. In claude.yml, renamed action input anthropic_api_keyclaude_code_oauth_token (same secret).
Security Policy
SECURITY.md
Added a new security policy detailing supported versions, private vulnerability reporting channels (Security tab and email), required report contents, and response timelines (48h ack, 5 business-day assessment, ~30-day resolution target).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 inconclusive)

Check name Status Explanation Resolution
Linked Issues check ❓ Inconclusive The PR addresses the primary requirement from issue #85 (add SECURITY.md for security policy), but the linked_issues section only shows #85, while the PR objectives reference #85-#90 and test plan items not explicitly linked. Verify that all referenced issues (#85-#90) are properly linked in the PR. The raw_summary shows changes addressing security policy, permissions, action pinning, and npm vulnerabilities, but only #85 appears in linked_issues.
Out of Scope Changes check ❓ Inconclusive Changes appear partially out of scope: the PR title and objectives reference npm dependency updates (brace-expansion, yaml via npm audit fix), but the raw_summary shows no changes to package.json or package-lock.json files. Clarify whether npm dependency updates were completed. The PR objectives list 'Update vulnerable transitive npm dependencies' but the file summaries show no package file changes.
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'fix: address OpenSSF Scorecard findings' directly relates to the main objective of the PR, which addresses multiple OpenSSF Scorecard findings (#85-#90) including security policy, permissions, action pinning, and npm dependencies.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch scorecard-fixes

Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the repository to address OpenSSF Scorecard findings by adding a security policy, tightening GitHub Actions token permissions, pinning GitHub Actions to commit SHAs, updating vulnerable transitive npm deps, and expanding CodeQL coverage.

Changes:

  • Add SECURITY.md security policy and reporting process.
  • Update GitHub Actions workflows to use top-level permissions: read-all, scope job permissions, and pin uses: actions to commit SHAs.
  • Run npm audit fix to update vulnerable transitive dependencies (brace-expansion, yaml) in package-lock.json, and add a scheduled CodeQL run.

Reviewed changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
package-lock.json Updates transitive dependencies to remediate reported vulnerabilities.
SECURITY.md Adds a security policy and private vulnerability reporting instructions.
.github/workflows/sonarcloud.yml Adds top-level read-only permissions and pins actions to SHAs.
.github/workflows/playwright-tests.yml Adds top-level read-only permissions and pins actions to SHAs (but job permissions are too restrictive for cache/artifacts).
.github/workflows/nodejs-tests.yml Adds top-level read-only permissions and pins actions to SHAs (but job permissions are too restrictive for cache).
.github/workflows/dependabot-automerge.yml Moves to top-level read-only permissions and scopes write permissions to the dependabot job; pins actions.
.github/workflows/coverage.yml Adds top-level read-only permissions and pins actions to SHAs.
.github/workflows/codeql-analysis.yml Adds schedule trigger, top-level permissions, job-scoped write for security-events, and pins CodeQL actions.
.github/workflows/claude.yml Adds top-level permissions and retains job-scoped permissions needed for PR/issue interactions; pins action.
.github/workflows/ci.yml Adds top-level read-only permissions, scopes write to the autofix job, and pins actions to SHAs.

Comment thread .github/workflows/nodejs-tests.yml
Comment thread .github/workflows/playwright-tests.yml

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
SECURITY.md (1)

5-8: Consider replacing latest with concrete support targets.

Using explicit branches/semver ranges (for example, main or >=x.y.z) makes the policy easier for reporters to interpret.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@SECURITY.md` around lines 5 - 8, The policy table currently lists "latest" as
the supported Version; replace that ambiguous token with explicit support
targets (e.g., a branch name like "main" or a semver range such as ">=1.2.0") so
reporters know exactly what is supported; update the table row that contains
"latest" under the Version column to a concrete branch or semver expression and
adjust the Supported column if needed to reflect the exact coverage.
.github/workflows/coverage.yml (1)

3-3: Use permissions: {} for deny-by-default workflow token baseline.

permissions: read-all at workflow scope is redundant—every job already defines explicit job-level permissions that override it. Tightening the default to permissions: {} is safer for future jobs and prevents accidental permission leakage if a new job without explicit permissions is added.

Suggested change
-permissions: read-all
+permissions: {}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/coverage.yml at line 3, The workflow-level permission
setting "permissions: read-all" is too permissive; change the workflow's
top-level permissions to an explicit deny-by-default by replacing "permissions:
read-all" with "permissions: {}" so job-level permissions remain authoritative
and prevent accidental token privilege leakage.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/coverage.yml:
- Line 3: The workflow-level permission setting "permissions: read-all" is too
permissive; change the workflow's top-level permissions to an explicit
deny-by-default by replacing "permissions: read-all" with "permissions: {}" so
job-level permissions remain authoritative and prevent accidental token
privilege leakage.

In `@SECURITY.md`:
- Around line 5-8: The policy table currently lists "latest" as the supported
Version; replace that ambiguous token with explicit support targets (e.g., a
branch name like "main" or a semver range such as ">=1.2.0") so reporters know
exactly what is supported; update the table row that contains "latest" under the
Version column to a concrete branch or semver expression and adjust the
Supported column if needed to reflect the exact coverage.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 42c031e1-cefe-4ee5-806c-3dd5a982a534

📥 Commits

Reviewing files that changed from the base of the PR and between 0fc3e49 and 2e11ea8.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (9)
  • .github/workflows/ci.yml
  • .github/workflows/claude.yml
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/coverage.yml
  • .github/workflows/dependabot-automerge.yml
  • .github/workflows/nodejs-tests.yml
  • .github/workflows/playwright-tests.yml
  • .github/workflows/sonarcloud.yml
  • SECURITY.md

DJ and others added 4 commits March 27, 2026 19:27
- Replace permissions: read-all with permissions: {} (deny-by-default)
- Use concrete version target (main branch) in SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Jobs using actions/cache and actions/upload-artifact need actions: write
permission at the job level to function correctly with deny-by-default
workflow permissions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@don-petry don-petry enabled auto-merge (squash) March 28, 2026 03:25
The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.
@sonarqubecloud

Copy link
Copy Markdown

@don-petry don-petry disabled auto-merge March 28, 2026 13:32
@don-petry don-petry merged commit 5386727 into main Mar 28, 2026
12 of 13 checks passed
@don-petry don-petry deleted the scorecard-fixes branch March 28, 2026 13:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Scorecard: Security-Policy (0/10)

2 participants