feat: add SLSA 3 provenance, OpenSSF Scorecard, and security hardening#96
Open
stephrobert wants to merge 1 commit into getplumber:main from
Conversation
- Add SLSA Level 3 provenance generation in release workflow (hash + provenance jobs)
- Add OpenSSF Scorecard workflow (weekly + on push to main)
- Add SECURITY.md with vulnerability reporting policy
- Add fuzz tests for expression parser and git remote URL parser
- Remove compiled binary from source tree, add to .gitignore
- Pin all GitHub Actions by SHA commit hash
- Add persist-credentials: false to all checkout steps
- Move permissions to job-level (least privilege) in release workflow
- Add OpenSSF Scorecard and SLSA Level 3 badges to README

Scorecard improvements:
- Security-Policy: 0 → 10 (SECURITY.md)
- Binary-Artifacts: 9 → 10 (remove main binary)
- Signed-Releases: 0 → 10 (SLSA provenance, after first release)
- Token-Permissions: 0 → 10 (job-level permissions)
- Fuzzing: 0 → 10 (native Go fuzz tests)
- Dangerous-Workflow: 10 (maintained)
- Pinned-Dependencies: 8 → 10 (all actions pinned by SHA)

Validated with zizmor v1.22.0: 0 findings (1 ignored: SLSA unpinned-uses).
Summary
Add SLSA Level 3 provenance, OpenSSF Scorecard, and comprehensive security hardening to maximize the project's OpenSSF Scorecard score.
Context
Following the hackerbot-claw supply chain attack that compromised aquasecurity/trivy and 6 other major repositories, this PR hardens Plumber's CI/CD supply chain against the anti-patterns exploited in that campaign.
Changes
SLSA Level 3 Provenance (`release.yml`)
- `hash` job: computes SHA256 hashes of all release binaries
- `provenance` job: generates SLSA Level 3 provenance attestations using `slsa-framework/slsa-github-generator@v2.1.0`

OpenSSF Scorecard (`scorecard.yml`)
- `ossf/scorecard-action@v2.4.3`, weekly + on push to main

Security Policy (`SECURITY.md`)
- Add SECURITY.md with vulnerability reporting policy

Fuzz Testing
- `configuration/expression_fuzz_test.go`: fuzzes the boolean expression parser (`ParseRequiredExpression`)
- `utils/gitremote_fuzz_test.go`: fuzzes the git remote URL parser (`ParseGitRemoteURL`)

Workflow Hardening (all 4 workflows)
- Pin all GitHub Actions by SHA commit hash
- Add `persist-credentials: false` to all checkout steps
- Move `permissions` to job-level with least privilege in `release.yml`
- `permissions: {}` (deny-all) on `release.yml`

Cleanup
- Remove `main` binary from source tree (was committed accidentally)
- Add `main` to `.gitignore`
- Add OpenSSF Scorecard and SLSA Level 3 badges to README
Expected Scorecard Impact

| Check | Before → After | Reason |
|---|---|---|
| Security-Policy | 0 → 10 | `SECURITY.md` |
| Binary-Artifacts | 9 → 10 | `main` binary removed |
| Signed-Releases | 0 → 10 | SLSA provenance (after first release) |
| Token-Permissions | 0 → 10 | job-level permissions |
| Fuzzing | 0 → 10 | native Go fuzz tests |
| Dangerous-Workflow | 10 (maintained) | no `pull_request_target` |
| Pinned-Dependencies | 8 → 10 | all actions pinned by SHA |

Checks requiring manual action (not in this PR)
- `main` branch protection (needs admin)

Validation
- zizmor v1.22.0: 0 findings (1 ignored: SLSA `unpinned-uses`; by design, the SLSA generator requires a tag reference)
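For readers who want to see how the hash job, the provenance job, job-level permissions, SHA pinning and `persist-credentials: false` fit together, here is an added illustrative `release.yml` excerpt. It is not the project's file: the binary name, build step and `<sha-...>` placeholders are assumptions, and the real commit SHAs must be looked up on each action's release page.

```yaml
# Hypothetical release.yml excerpt (not Plumber's actual workflow).
name: release
on:
  push:
    tags: ["v*"]

permissions: {}   # deny-all at workflow level; each job requests only what it needs

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@<sha-of-actions-checkout>   # pinned by full commit SHA, not a tag
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config for later steps
      - uses: actions/setup-go@<sha-of-actions-setup-go>   # pinned by full commit SHA
        with:
          go-version-file: go.mod
      - run: go build -trimpath -o plumber-linux-amd64 .   # assumed binary name
      - name: Hash release artifacts
        id: hash
        # The SLSA generic generator takes the base64-encoded output of sha256sum
        # over the subjects it should attest to.
        run: echo "hashes=$(sha256sum plumber-* | base64 -w0)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@<sha-of-actions-upload-artifact>   # pinned by full commit SHA
        with:
          name: binaries
          path: plumber-*

  provenance:
    needs: [build]
    permissions:
      actions: read     # read the workflow run that produced the artifacts
      id-token: write   # OIDC token for keyless Sigstore signing of the provenance
      contents: write   # attach the provenance file to the GitHub release
    # The SLSA generator verifies its own ref and documents the tag form, so this
    # is the single deliberately unpinned use that zizmor is told to ignore.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # zizmor: ignore[unpinned-uses]
    with:
      base64-subjects: ${{ needs.build.outputs.hashes }}
      upload-assets: true
```

Consumers can later verify a downloaded binary against the uploaded provenance with `slsa-verifier`, which is what turns the Signed-Releases score into an actual end-user check.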