
Bring CLOMonitor score to 100% #10852

Closed
20 of 21 tasks
eddie-knight opened this issue Oct 7, 2022 · 18 comments
Labels
enhancement New feature or request github_actions Pull requests that update GitHub Actions code security Security related

Comments

@eddie-knight

eddie-knight commented Oct 7, 2022

Per discussion in slack, this issue is to track the efforts necessary to bring argo-cd CLOMonitor score to 100%

Updating to use the new auto-generated CLOMonitor checklist:

CLOMonitor report

Summary

Repository: argo-cd
URL: https://github.com/argoproj/argo-cd
Checks sets: CODE
Score: 88

Checks passed per category

Category Score
Documentation 100%
License 75%
Best Practices 100%
Security 80%
Legal n/a

Checks

Documentation [100%]

License [75%]

  • Apache-2.0 (docs)
  • Approved license (docs)
  • License scanning (docs)

Best Practices [100%]

Security [80%]

For more information about the checks sets available and how each of the checks works, please see the CLOMonitor's documentation.

@eddie-knight eddie-knight added the enhancement New feature or request label Oct 7, 2022
@eddie-knight
Author

Optional: we could add a CLOMonitor badge or report summary to the README

badge:
CLOMonitor

report summary:
CLOMonitor report summary

@crenshaw-dev
Member

I've merged the token permissions PR, so hopefully that'll get marked as done soon.

We do have SBOMs, and the CLOMonitor page reflects that, so I think we can mark that done.

@eddie-knight
Author

Perfect, checked SBOM as done ✅

Regarding the token permissions, I think we're going to have a headache with that... OpenSSF frowns heavily on using github actions that require write permissions. 😓

@crenshaw-dev
Member

I find that really odd. I'm just trying to think of how folks are expected to automate without having GitHub actions with write permissions. Is there some better way of automating that I'm unaware of? 0_o

@eddie-knight
Author

AFAIK the current process is to only approve actions in the github/ library.

Discussion on the linked issue seems to be in the direction of allowing any github actions so long as the permissions are assigned on a granular basis (implying user awareness).

@crenshaw-dev
Member

Gotcha. Maybe there are opportunities to use the github/ library which we are currently missing.

@crenshaw-dev
Member

We push seven binaries and two source code archives. I wonder if all nine of those artifacts need to be signed. 0_o

I also question the utility of signing those, when the most important artifact is the container image.

@eddie-knight
Author

From what I can tell, it's just looking for one signature per release

https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases

@crenshaw-dev
Member

Looks like flux signs a checksum file which contains checksums for all the artifacts. I like that, nice and compact. https://github.com/fluxcd/flux2/releases

@34fathombelow
Member

Looks like flux signs a checksum file which contains checksums for all the artifacts. I like that, nice and compact. https://github.com/fluxcd/flux2/releases

@crenshaw-dev would you also like me to make all the checksums into one file and have that signed as well? Not sure if folks have built any automation around the way we currently release the checksums. Personally I do like the more compact format.
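The "one signed checksums file" layout discussed in the two comments above, as an added example that is not Argo CD's release tooling: all artifact names are constructed stand-ins, and a throwaway openssl RSA key is used only so the script runs offline; a real release would sign with the project's release key (GPG, cosign or whatever the pipeline already uses). The point it shows is that the signature on the checksums file covers every artifact transitively, and that a consumer has to check the signature before trusting the checksums, since an attacker who can replace an artifact can just as easily regenerate an unsigned checksums file.

```shell
#!/bin/sh
# Added example: one checksums file for every release artifact, signed once,
# then verified (signature first, checksums second). Artifacts and keys are
# constructed for the demo; the throwaway RSA key stands in for the real
# release signing key.
set -eu

REL=$(mktemp -d)

# Constructed stand-ins for release artifacts (binaries and a source archive).
make_artifacts() {
  for name in argocd-linux-amd64 argocd-darwin-arm64 argocd-src.tar.gz; do
    printf 'constructed contents of %s\n' "$name" > "$REL/$name"
  done
}

# One file listing the SHA-256 of every artifact, in sha256sum's own format.
write_checksums() {
  ( cd "$REL" && sha256sum argocd-* > checksums.txt )
}

# Sign only the checksums file; that one signature covers all artifacts.
sign_checksums() {
  openssl genrsa -out "$REL/release-key.pem" 2048 2>/dev/null
  openssl rsa -in "$REL/release-key.pem" -pubout -out "$REL/release-pub.pem" 2>/dev/null
  openssl dgst -sha256 -sign "$REL/release-key.pem" \
    -out "$REL/checksums.txt.sig" "$REL/checksums.txt"
}

# Consumer-side verification. Returns 0 only if the signature over
# checksums.txt is valid AND every listed artifact matches its checksum.
verify_release() {
  openssl dgst -sha256 -verify "$REL/release-pub.pem" \
    -signature "$REL/checksums.txt.sig" "$REL/checksums.txt" >/dev/null 2>&1 || return 1
  ( cd "$REL" && sha256sum -c --quiet checksums.txt >/dev/null 2>&1 ) || return 1
  return 0
}

# Simulates an artifact being swapped after the release was signed.
tamper_artifact() {
  printf 'modified after release\n' >> "$REL/argocd-linux-amd64"
}

make_artifacts
write_checksums
sign_checksums
if verify_release; then echo "release verified"; fi
```

Re-running `write_checksums` after `tamper_artifact` makes the checksums match again, but `verify_release` still fails because the regenerated `checksums.txt` no longer matches the signature; that is the property a signed checksums file buys over bare checksums.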

@crenshaw-dev
Member

@34fathombelow I think that would be great!

@34fathombelow
Member

Perfect, checked SBOM as done ✅

Regarding the token permissions, I think we're going to have a headache with that... OpenSSF frowns heavily on using github actions that require write permissions. 😓

@eddie-knight According to the OpenSSF documentation on token permissions for contents:write it states "However, points are not reduced if the job utilizes a recognized packaging action or command." Can you clarify what a recognized package action or command is?

We also have all top level permissions set to read-only. I feel that we have met all the required criteria for token permissions.

@eddie-knight
Author

eddie-knight commented Oct 13, 2022

Can you clarify what a recognized package action or command is?

We also have all top level permissions set to read-only. I feel that we have met all the required criteria for token

There is an issue open to improve the check, but the expected behavior currently is to just use permissions:write on a job if it uses an action published by github.

The release workflow in this repo has permissions:write on a job that uses a third party action, causing the check to fail 😓
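The rule as the comments above describe it (top-level token read-only, a job may escalate to write only if the action it runs is published by GitHub) can be checked mechanically. The script below is an added example, not Scorecard's implementation and not Argo CD's workflow: it embeds two constructed workflows, one whose publish job combines `contents: write` with a placeholder third-party action (`example-org/third-party-release@v1`, a made-up name) and one where the same job uses only `actions/`-namespace actions plus a `run:` step, and flags only the former. The awk heuristic treats any action outside the `actions/` and `github/` owners as third party, which approximates the thread's description rather than the check's exact list of recognized packaging actions.

```shell
#!/bin/sh
# Added example: flag jobs that request any write permission while using an
# action from outside the actions/ or github/ namespaces. Heuristic only; it
# approximates the rule discussed in the thread, not Scorecard's own code.
set -eu

# Constructed workflow that the heuristic flags: read-only at the top, but the
# publish job escalates to contents:write and uses a made-up third-party action.
FLAGGED=$(mktemp)
cat > "$FLAGGED" <<'EOF'
name: release
on:
  push:
    tags: ['v*']
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make build
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/third-party-release@v1
EOF

# Same workflow with the publish job limited to GitHub-owned actions and a
# run step (gh release upload is one real option; the upload tool is the
# project's choice).
FIXED=$(mktemp)
cat > "$FIXED" <<'EOF'
name: release
on:
  push:
    tags: ['v*']
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make build
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: gh release upload "$GITHUB_REF_NAME" dist/*
EOF

# Prints one line per job that both has a write permission and uses an action
# whose owner is not actions/ or github/. Prints nothing for a clean workflow.
audit_workflow() {
  awk '
    function flush() {
      if (job != "" && haswrite && third != "")
        printf "%s: write permission with third-party action(s):%s\n", job, third
    }
    /^jobs:/ { injobs = 1; next }
    injobs && /^  [A-Za-z0-9_-]+:[ \t]*$/ {          # start of a job
      flush(); job = $1; sub(/:$/, "", job)
      haswrite = 0; third = ""; inperm = 0; next
    }
    injobs && /^    permissions:/ {                  # job-level permissions
      inperm = 1; if ($0 ~ /write/) haswrite = 1; next
    }
    inperm && /^      [A-Za-z-]+:[ \t]*write/ { haswrite = 1; next }
    inperm && !/^      / { inperm = 0 }
    injobs && /uses:[ \t]*[^ \t]/ {                  # every action reference
      u = $0; sub(/.*uses:[ \t]*/, "", u); sub(/[ \t]+$/, "", u)
      split(u, p, "/")
      if (p[1] != "actions" && p[1] != "github") third = third " " u
    }
    END { flush() }
  ' "$1"
}

audit_workflow "$FLAGGED"
audit_workflow "$FIXED"   # prints nothing: no job pairs write with a third-party action
```

Run against a real `.github/workflows/*.yml` the script only reads the file; it is a review aid for spotting which job triggers the check, and the remediation is the one the thread already names: keep the write grant on the job that needs it and make that job run only GitHub-published actions or plain commands.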

@eddie-knight
Author

Mentioned this on slack, but dropping it here also for reference. The OpenSSF Scorecard issue is being actioned to resolve the Token-Permissions issue with limited disruption to existing workflows.

@eddie-knight
Author

The only thing pending on this checklist is the License Scanner. Not a security issue, but it'll be good to have regardless. FOSSA will likely be the best tool to implement for this.

@crenshaw-dev
Member

@eddie-knight I just requested Argoproj access from FOSSA.

@agilgur5 agilgur5 added security Security related type:docs github_actions Pull requests that update GitHub Actions code labels Oct 20, 2023
@agilgur5

  • License scanning (docs)

The only thing pending on this checklist is the License Scanner. Not a security issue, but it'll be good to have regardless. FOSSA will likely be the best tool to implement for this.

For posterity, a FOSSA badge was added in #11956

@agilgur5

agilgur5 commented Oct 20, 2023

Gonna close out this issue as all the checks from last year were completed.

All non-security checks are still 100%.
But there are some new CLOMonitor checks from last month for security (re: SECURITY-INSIGHTS.yml). EDIT: SECURITY-INSIGHTS.yml was added in #16135! 🎉 🚀
There's also some work for some OpenSSF checks (new dep vulns, some dep pinning remaining, and fuzzing) that are not currently part of CLOMonitor.

I would propose improvements to those be opened in new issues for better history etc (e.g. totally new thread)
