feat(security): OpenSSF Best Practices + Scorecard scaffolding (RAN-53)#34
Merged
Mirrors the codeiq RAN-46 OSS-CLI security stack, language-adapted to Go 1.25
+ React 19. Hard gate is the bestpractices.dev passing badge (project 12646);
Scorecard is observational with a stretch target of >= 8.0/10.
- .github/workflows/scorecard.yml — ossf/scorecard-action SHA-pinned, push +
weekly Mon 06:00 UTC + manual; harden-runner egress audit; SARIF to Security
tab + 5d artifact.
- .github/workflows/security.yml — six-job OSS-CLI stack (osv-scanner on
go.mod + ui/package-lock.json, trivy fs HIGH/CRITICAL, semgrep
security-audit + owasp-top-ten + golang, gitleaks full history, jscpd
threshold 3% scoped to internal/ + ui/src/, anchore SBOM SPDX + CycloneDX
90d). All actions SHA-pinned; top-level permissions: read-all.
- .github/dependabot.yml — gomod (root) + npm (ui/) + github-actions, weekly
grouped, security updates always-on.
- SECURITY.md — vulnerability reporting policy (GitHub Advisories preferred,
email fallback, supported versions, scope, hardening references).
- .bestpractices.json — project_id 12646, level passing, accurate evidence
map across the six categories.
- scripts/setup-git-signed.sh — repo-local config helper for signed commits
(ssh / openpgp / x509); honours contributor's existing global git identity.
- README.md — replace placeholder OpenSSF Scan badge with real Security
(OSS-CLI) + Best Practices (12646) badges; fix LICENSE.md link; add
Security section.
- CLAUDE.md — new "Security & Supply Chain" section: tool table, Scorecard
baseline + stretch target, branch protection note, evidence pointers.
Verified: go vet ./... PASS, go build ./... PASS (config-only diff).
Out of scope (board-admin auth required, escalated in PR description):
- bestpractices.dev passing badge promotion (manual OAuth at
bestpractices.dev with OSS-Random identity)
- Branch protection on main requiring signed commits
- Repo-level Dependabot security updates + secret-scanning push-protection
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Workflow fragments visible in the diff view:

```yaml
# Restrict the default GITHUB_TOKEN to read-only; the steps below request the
# narrow scopes they actually need.
permissions: read-all
schedule:
  - cron: '21 4 * * 1' # Mondays 04:21 UTC — catch newly-disclosed CVEs
```

```yaml
permissions: read-all
```
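Review bot: the comment above `permissions: read-all` says "the steps below request the narrow scopes they actually need", but GitHub Actions only accepts a `permissions` block at workflow or job level, never per step; reword to "the jobs below request" so the comment matches what the workflow can express. Separately, the `cron: '21 4 * * 1'` comment gives Mondays 04:21 UTC, while the commit message and PR description list the Scorecard schedule as Mondays 06:00 UTC and Dependabot as Mon 08:00 UTC; confirm which workflow this schedule belongs to and keep the documented times in sync.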
… (RAN-56) Three required gates were red on PR #34, blocking RAN-53:

OSV-Scanner — 28 known vulns across 8 packages (3 High, 5 Med, 1 Low, 19 Unknown), all fixable. Patched in this commit:
- github.com/jackc/pgx/v5 5.7.2 → 5.9.2 (GHSA-j88v-2chj-qfwx, CVE-2026-33816 Critical per Trivy: memory-safety)
- go.opentelemetry.io/otel/sdk 1.42.0 → 1.43.0 (GHSA-hfvc-g4fc-pqhx, CVE-2026-39883 High: BSD kenv PATH hijack)
- go directive 1.25.0 → 1.25.9 (covers all 19 stdlib GO-2025-* / GO-2026-* advisories; CI's setup-go reads go-version-file: go.mod)
- otel cohort (otel, otel/metric, otel/sdk/metric, otel/trace) bumped to 1.43.0 alongside otel/sdk to keep the cohort version-aligned.

Trivy filesystem (HIGH,CRITICAL, ignore-unfixed: true) — 2 findings, both subsumed by the OSV fixes above.

ui/package-lock.json — npm update on the four flagged dev-only transitives (within existing caret ranges in package.json):
- vite 6.4.1 → 6.4.2 (GHSA-p9ff-h696-f583 8.2 High, GHSA-4w7w-66w2-5vf9 6.3 Med)
- picomatch 4.0.3 → 4.0.4 (GHSA-c2c7-rcm5-vvqj 7.5, GHSA-3v7f-55p6-f55p 5.3)
- brace-expansion 1.1.12 → 1.1.14, 5.0.4 → 5.0.5 (GHSA-f886-m6hf-6m8v 6.5)
- postcss 8.5.8 → 8.5.10 (GHSA-qx2v-qp2m-jg93 6.1)

Verification (local, with the same osv-scanner v2.3.5 + trivy that CI runs):
- osv-scanner --lockfile=go.mod --lockfile=ui/package-lock.json: "No issues found"
- trivy fs . --severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed: go.mod 0, ui/package-lock.json 0; exit 0
- go test -race -timeout 180s ./... and loadsim build: green
- go vet ./...: clean

Out of scope for this commit: the failing SonarCloud check on PR #34 is an external GitHub App that CLAUDE.md explicitly excludes from the security stack. Removal of the SonarCloud app at the repo level requires board-admin action and is being handed off to CEO in the RAN-56 comment thread.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Paperclip <noreply@paperclip.ing>
## Summary

Lands the OpenSSF Best Practices + Scorecard hardening for otelcontext, mirroring the codeiq RAN-46 recipe (PRs #74/#91/#92), language-adapted to Go 1.25 + React 19. Hard gate is the bestpractices.dev `passing` badge (project 12646); Scorecard is observational with a stretch target of ≥ 8.0/10. Closes RAN-53.

## What lands in this PR

- `.github/workflows/scorecard.yml` — `ossf/scorecard-action` SHA-pinned, push to `main` + Mondays 06:00 UTC + manual; `step-security/harden-runner` egress audit; SARIF → Security tab + 5d artifact.
- `.github/workflows/security.yml` — six-job OSS-CLI stack, all actions SHA-pinned, top-level `permissions: read-all`:
  - `osv-scanner` — `go.mod` + `ui/package-lock.json` (OSV.dev / GHSA, not NVD)
  - `trivy` — filesystem scan, `severity: HIGH,CRITICAL`, `exit-code: 1`, `ignore-unfixed: true`
  - `semgrep` — `p/security-audit` + `p/owasp-top-ten` + `p/golang`
  - `gitleaks` — full git history (CLI binary, not the paid action)
  - `jscpd` — threshold 3%, `--min-tokens 100`, scoped to `internal/` + `ui/src/`, excludes tests/vendor/build/legacy `internal/graph/`
  - `sbom` — `anchore/sbom-action` SPDX + CycloneDX, 90-day artifact
- `.github/dependabot.yml` — gomod (root) + npm (ui/) + github-actions, weekly Mon 08:00 UTC, grouped by ecosystem.
- `SECURITY.md` — vulnerability reporting policy (GitHub Security Advisories preferred, email fallback `ak.nitrr13@gmail.com` with `[otelcontext security]` subject tag, supported versions, in/out scope, hardening references).
- `.bestpractices.json` — `project_id: 12646`, `level: passing`, accurate evidence map across all six categories. No stale Sonar/Dep-Check entries (codeiq's first cut had those — fixed here).
- `scripts/setup-git-signed.sh` — repo-local config helper for signed commits; supports ssh / openpgp / x509; honours the contributor's existing global git identity.
- `README.md` — replace placeholder "OpenSSF Scan" badge (was pointing at `ci.yml`) with real `Security (OSS-CLI)` + `OpenSSF Best Practices` (project 12646) badges; fix `LICENSE` → `LICENSE.md` link; add Security section.
- `CLAUDE.md` — new `## Security & Supply Chain` section: tool table with merge-gate semantics, Scorecard baseline + stretch target, branch-protection note, evidence pointers.

## Verification

- `go vet ./...` — PASS
- `go build .` — PASS (binary 45 MB, unchanged)
- `.bestpractices.json` parses; `bash -n scripts/setup-git-signed.sh` clean.

## Out of scope — board-admin auth required

These acceptance items need GitHub repo admin OAuth or bestpractices.dev OAuth and cannot be done from a PR. They are flagged here for board action; this PR satisfies AC items 3–9 by-file:

- `passing` badge promotion — registration is `in_progress` for project 12646. The self-assessment in `.bestpractices.json` is `passing` across all six categories; the badge level transition requires a board admin to log into bestpractices.dev with the OSS-Random identity and answer the questionnaire confirming evidence pointers.
- `main` requiring signed commits — needs `gh api -X PUT repos/RandomCodeSpace/otelcontext/branches/main/protection ...` from a repo admin.

## Notes

- `LICENSE.md` copyright is `2026 OSS Random` (not `Amit Kumar` as the issue pre-amble references). I deliberately did not rewrite it under this PR — flagging for confirmation. If the maintainer prefers `Amit Kumar (RandomCodeSpace)`, that is a one-line follow-up, not a security gate.
- `ci.yml` is left untouched; new workflows complement, do not replace, it.
- `origin/main` (4e0a4a2). Plan document captured at RAN-53 plan.

## Test plan

- `Scorecard supply-chain security` and `Security (OSS-CLI)` on `main` — expect Scorecard to publish a baseline score (target ≥ 8.0/10).
- `scripts/setup-git-signed.sh` locally — verifies signing chain end-to-end (non-destructive, no refs touched).
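The description repeatedly relies on two properties of the new workflows: every third-party action is SHA-pinned and `permissions: read-all` sits at the top level. The following check, written here as an added example and not code from this PR or the otelcontext repo, audits workflow YAML text for both properties; the two sample workflows and the 40-hex SHAs inside them are constructed placeholders.

```python
import re

# Constructed sample workflow fragments; the action SHAs below are
# placeholders, not commits actually referenced by this PR.
PINNED_WORKFLOW = """\
name: scorecard
permissions: read-all
jobs:
  analysis:
    steps:
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567 # v2
        with:
          egress-policy: audit
      - uses: ossf/scorecard-action@89abcdef0123456789abcdef0123456789abcdef # v2
"""
UNPINNED_WORKFLOW = """\
name: security
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-step
      - uses: docker://ghcr.io/example/scanner:latest
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
GIT_SHA_RE = re.compile(r"@[0-9a-f]{40}$")          # full commit SHA
IMAGE_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")  # OCI image digest

def unpinned_uses(workflow_text):
    """Return every `uses:` reference that is not pinned to an immutable id.
    Repo actions need a 40-hex commit SHA, docker:// images a sha256 digest;
    local ./ actions ship with the repo, so no ref applies to them."""
    findings = []
    for ref in USES_RE.findall(workflow_text):
        if ref.startswith("./"):
            continue
        pinned = (IMAGE_DIGEST_RE.search(ref) if ref.startswith("docker://")
                  else GIT_SHA_RE.search(ref))
        if not pinned:
            findings.append(ref)
    return findings

def has_top_level_read_all(workflow_text):
    """True only when `permissions: read-all` is at column 0 (workflow-wide);
    an indented, job-level permissions block does not satisfy the check."""
    pattern = r"^permissions:\s*read-all\s*$"
    return re.search(pattern, workflow_text, re.MULTILINE) is not None
```

Scorecard's Pinned-Dependencies and Token-Permissions checks cover the same ground repository-wide once the workflow runs; this is a quick local pre-check before pushing.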