All Day DevOps 2023 - Implementing OSSF Scorecards Across an Organisation.pdf
0 likes67 views
The document outlines the implementation of OpenSSF Scorecards within an organization, highlighting the importance of security and the process of starting with the Allstar tool. It provides guidance on scaling the scorecard application across multiple repositories and emphasizes the 80/20 rule in effort versus results. Additionally, it encourages utilizing the Scorecard CLI and offers resources for further information.
![rollup.sh
#!/bin/bash
if [ $# -ne 2 ] ; then
echo "Usage rollup.sh <BASE_PR> <LAST_PR>"
exit 1
fi
BASE_PR=$1
LAST_PR=$2
git pull
gh pr checkout "$BASE_PR"
for (( i=(($BASE_PR + 1)); i<=$LAST_PR; i++ ))
do
PR_BRANCH=$(gh pr view "$i" --json headRefName -q .headRefName)
git merge origin/"$PR_BRANCH" -m
"build(deps): Rollup merge branch for #${i} ${PR_BRANCH}"
done
git push](https://image.slidesharecdn.com/alldaydevops2023-implementingossfscorecardsacrossanorganisation-231026134944-2cdb7110/85/All-Day-DevOps-2023-Implementing-OSSF-Scorecards-Across-an-Organisation-pdf-29-320.jpg)
All Day DevOps 2023 - Implementing OSSF Scorecards Across an Organisation.pdf
- 1. © 2023 - Atsign | docs.atsign.com Implementing OpenSSF Scorecards Across an Organisation All Day DevOps - Oct 2023
- 2. © 2023 - Atsign | docs.atsign.com
- 3. © 2023 - Atsign | docs.atsign.com
- 4. © 2023 - Atsign | docs.atsign.com Hi, I’m Chris @cpswan https://chris.swanz.net
- 5. © 2023 - Atsign | docs.atsign.com Agenda ➔ Who are OpenSSF, and what is a scorecard? ➔ Start with Allstar ➔ Doing your first repository ➔ Scaling across multiple repositories ➔ 80:20 ➔ The toil of it all
- 6. Who are OpenSSF, and what is a scorecard?
- 7. © 2023 - Atsign | docs.atsign.com https://openssf.org/
- 8. © 2023 - Atsign | docs.atsign.com
- 10. © 2023 - Atsign | docs.atsign.com https://github.com/ossf/allstar
- 11. A whole bunch of config, and a whole bunch of files
- 12. Doing your first repository
- 13. Expect LOTS of issues
- 14. Help is at hand
- 15. Dependency (pinning) hell cont…
- 16. Scaling across multiple repositories
- 17. Rinse and repeat - more of this
- 18. And more of this
- 19. 80:20
- 20. There will be a residue
- 21. This is where it gets really gnarly
- 22. The questionnaire is long and detailed
- 23. And some sections might be hard to accomplish
- 24. The toil of it all
- 25. Make friends with the new boss
- 26. From a docs repo (no actual code to maintain)
- 27. From a code repo
- 29. rollup.sh #!/bin/bash if [ $# -ne 2 ] ; then echo "Usage rollup.sh <BASE_PR> <LAST_PR>" exit 1 fi BASE_PR=$1 LAST_PR=$2 git pull gh pr checkout "$BASE_PR" for (( i=(($BASE_PR + 1)); i<=$LAST_PR; i++ )) do PR_BRANCH=$(gh pr view "$i" --json headRefName -q .headRefName) git merge origin/"$PR_BRANCH" -m "build(deps): Rollup merge branch for #${i} ${PR_BRANCH}" done git push
- 30. Scorecard’s own dependencies can change with annoying regularity (in every repo with a scorecard)
- 31. Base dependencies can be amplified
- 32. © 2023 - Atsign | docs.atsign.com Review ➔ An OpenSSF Scorecard can show you care about security. ➔ Allstar provides a good starting point. ➔ Pick a first repo to get a hang of what’s needed. ➔ Then automate across the rest of the organisation. ➔ 20% of the effort to get 80% of the score. Uphill from there. ➔ Scorecards do create ongoing toil that needs to be minimised.
- 33. © 2023 - Atsign | docs.atsign.com Call to action: Run the scorecard CLI against one of your own repos https://github.com/ossf/scorecard# scorecard-command-line-interface
- 34. Resources Blog posts https://blog.thestateofme.com/2022/12/02/implementing-ossf-scorecard s-across-a-github-organisation/ https://blog.thestateofme.com/2023/03/09/roll-up-rollup-get-your-depe ndabot-prs-together-here/ atGitHub https://github.com/atsign-foundation/.github/blob/trunk/docs/atGitHub.md Varun Sharma’s (Step Security) QCon Demo Org https://github.com/qcon-demo-org
- 35. Thanks for your time chris@atsign.com @cpswan
- 36. Questions?