Skip to content

Security: Integrate Static Code Analysis (SAST) and Pin Dependencies to Improve OpenSSF Scorecard Rating #35339

Description

@musharafali-dev

The project's OpenSSF Scorecard identifies areas for security enhancement, notably a 0/10 score for both the Static Code Analysis (SAST) and Pinned-Dependencies checks . Integrating automated security scanning and hardening build dependencies will significantly improve the project's security posture and align with best practices for critical infrastructure.

Proposed Solution

Integrate a SAST Tool: Add a workflow to run a Static Application Security Testing (SAST) tool (e.g., CodeQL, Semgrep, or gosec) on every pull request and push to the master branch. This provides continuous, automated vulnerability scanning of the Go codebase, helping to catch potential security issues early in the development lifecycle .

Pin GitHub Actions Dependencies: Update all GitHub Actions workflows to use specific commit hashes (or major version tags where pinning is verified) instead of floating versions. This prevents supply chain attacks by ensuring builds use a known, immutable version of third-party actions .

Address Findings: Create a process to review and remediate or document findings from the SAST tool.

Impact

High: Actively improves security by identifying and mitigating potential vulnerabilities.

Medium: Meets security best practices for dependency management and CI/CD pipelines.

Labels
security, enhancement, CI/CD, dependencies

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions