Improve security measures (with the help of OpenSSF Scorecard)

[gustavkj]

Lately, I've been looking a bit at OpenSSF Scorecard, it is an security assessment for open source projects.

You can see the current score here: https://securityscorecards.dev/viewer/?uri=github.com/gagoar/codeowners-generator

I think there are some fairly easy improvements that can be done, and there are tools to help. Below are the main improvements, that we can split off into separate issues (if this sounds good):

• Adjust Github Workflow token permissions (principle of least privilege)
  • OpenSSF docs
• Add a security policy (SECURITY.md) and turn on private vulnerability reporting
  • Github docs: private vulnerability reporting
  • OpenSSF docs
• Pin Workflow versions and make Renovate update them
  • This helps guard against supply chain attacks
  • OpenSSF docs
  • Renovate docs
• Add tool for static code analysis, CodeQL
  • OpenSSF docs
• Optional: Add OpenSSF Scorecard workflow, so the score is updated more often
• Optional: Add OpenSSF Scorecard badge to the readme

[gustavkj]

Any thoughts, @gagoar ?

[gagoar]

I've done this at work. Most of it is okay. Some notes tho:

• Oss has a limited machine time per PR. CodeQL is a bit heavy. There are no objections here. Keep in mind Renovate craziness might get us some queues going that slow us down.
• Pinning versions is something I usually do. It could be a quick review to see what's not pinned.
• The least Permissions on workflows is a tricky one. The ones we use to publish are the ones I find the most tricky to test. Everything else can scope to read-only, right?

I will be sure to take the workflow versions to be pinned as soon as you are done with the latest updates.

[gustavkj]

Sound good! 👍

I will take the workflows versions to be pinned as soon as you are done with the latest updates.

I think adding this Renovate preset will take care of that, probably in one PR.

You can also use this tool that OpenSSF links to: https://app.stepsecurity.io/securerepo

[gagoar]

Sound good! 👍

I will take the workflows versions to be pinned as soon as you are done with the latest updates.

I think adding this Renovate preset will take care of that, probably in one PR.

You can also use this tool that OpenSSF links to: https://app.stepsecurity.io/securerepo

done ! #385