Implement OpenSSF Scorecard for Continuous Security Monitoring #5498
Description
Labels
enhancement security infrastructure good first issue
Description
Background
The OpenSSF Scorecard is an automated tool that assesses open source projects for security risks through a series of automated checks. It provides actionable recommendations to improve security posture and demonstrates our commitment to security best practices.
Problem Statement
Currently, we lack automated, continuous monitoring of our security practices across the AirQo-api repository. This makes it difficult to:
- Proactively identify security gaps before they become vulnerabilities
- Demonstrate our security commitment to users and potential contributors
- Track security improvements over time
- Align with industry best practices and standards
Proposed Solution
Implement the OpenSSF Scorecard GitHub Action to automatically assess our repository's security posture and provide continuous monitoring.
Goals & Success Metrics
- ✅ Achieve initial OpenSSF Scorecard score of 5.0+
- ✅ Reach target score of 7.0+ within 3 months
- ✅ Display public Scorecard badge on README
- ✅ Automate security checks on every PR and commit
- ✅ Zero high-severity findings from Scorecard checks
Implementation Tasks
Phase 1: Setup & Configuration (Week 1-2)
- Create
.github/workflows/scorecard.ymlworkflow file - Configure Scorecard Action with appropriate permissions
- Enable
publish_results: trueto contribute to OpenSSF public dataset - Set up SARIF upload to GitHub Code Scanning
- Configure weekly automated scans
- Add OpenSSF Scorecard badge to README.md
Phase 2: Baseline Assessment & Quick Wins (Week 2-3)
- Run initial Scorecard assessment
- Document baseline score and findings
- Address "easy fix" items:
- Enable branch protection on
mainandstagingbranches - Require code reviews for all PRs
- Enable Dependabot security updates
- Configure automatic dependency updates
- Set up signed commits (if not already enabled)
- Enable branch protection on
Phase 3: Advanced Security Controls (Week 3-6)
- Implement findings from Scorecard checks:
- Binary Artifacts: Remove or document any binary files
- CI-Tests: Ensure tests run on all PRs
- Code-Review: Enforce 2+ reviewer requirement for critical paths
- Dangerous-Workflow: Audit GitHub Actions for security issues
- Dependency-Update-Tool: Configure Dependabot/Renovate
- Fuzzing: Explore integration with OSS-Fuzz (if applicable)
- Maintained: Ensure regular commit activity
- Pinned-Dependencies: Pin all action versions
- SAST: Ensure CodeQL runs comprehensively
- Security-Policy: Keep SECURITY.md up to date
- Signed-Releases: Implement signed release artifacts
- Token-Permissions: Set minimal GitHub token permissions
- Vulnerabilities: Address any known CVEs
Phase 4: Monitoring & Continuous Improvement (Ongoing)
- Set up Slack/email notifications for Scorecard failures
- Create quarterly review process for security metrics
- Document security improvement process in CONTRIBUTING.md
- Share Scorecard results in team meetings
Acceptance Criteria
Must Have
- ✅ OpenSSF Scorecard GitHub Action successfully running weekly
- ✅ Scorecard results published to OpenSSF public API
- ✅ Scorecard badge visible on repository README
- ✅ Minimum score of 5.0 achieved
- ✅ All HIGH severity findings addressed
- ✅ SARIF results uploaded to GitHub Security tab
Should Have
- ✅ Scorecard score of 7.0+ within 3 months
- ✅ Automated notifications for score regressions
- ✅ Documentation of all Scorecard checks and our status
- ✅ Integration with PR checks (block merge on security regressions)
Nice to Have
- ✅ Custom Scorecard configuration for our specific needs
- ✅ Dashboard showing score trends over time
- ✅ Security metrics included in sprint retrospectives
Resources & References
- OpenSSF Scorecard Homepage
- Scorecard GitHub Action
- Scorecard Checks Documentation
- OpenSSF Best Practices
- Scorecard API Viewer
Timeline & Priority
Priority: High
Target Completion: End of Q1 2025
Estimated Effort: 2-3 weeks of focused work + ongoing maintenance
Related Issues/PRs
- Related to our recent authentication security improvements (Feat: token expiration and sliding sessions for enhanced security #5240, Fix: Prevent frequent logouts with sliding window and grace period for JWTs #5341, addressing a few rbac middleware check issues #5402)
- Supports our security policy: https://github.com/airqo-platform/AirQo-api/security/policy
Questions or Concerns?
Comment below or reach out to @[tech-lead-username] or [email protected]