
Collaborating with OpenSSF and CNCF #5

@mlieberman85

@ishaan-berri asked for help in OpenSSF Slack and I wanted to create an issue where we can discuss how we can help. I'm Mike Lieberman, a member of the Governing Board and the Technical Advisory Council, and I contribute to/maintain some projects underneath the OpenSSF.

In the short term, I really recommend looking at OpenSSF Baseline - https://baseline.openssf.org/ (@funnelfiasco). Getting documented processes in place ASAP will definitely help here.

I also think the results from stuff like Scorecard (@justaugustus) - https://scorecard.dev/ would help as well. It can help highlight some missing best practices.

Beyond that, if you have some sort of call to start driving some of these, I'm sure various folks from OpenSSF would be happy to join and help. Similarly, we'd love to see folks from your end join some OpenSSF meetings to collect feedback and collaborate that way as well.

To copy John Kjell's (@jkjell) great ideas from the OpenSSF Slack:

First of all, I hope you and the team are doing ok. I can imagine it’s been a tough few days.

I’m John and I’m a co-chair to the CNCF’s TAG (technical advisory group) Security and Compliance group. We primarily focus on helping out projects in the CNCF but, I’d like to help you all out too.

I’ll share a bunch of information here for everyone. It’s probably going to be too much and overwhelming but, I’ll reach out directly to help work through the details if you’d like.

- Moving to GitHub Actions and using PyPI-publish to adopt trusted publishing is the best place to start!
- I saw your PR to address results from using Zizmor. This is a great way to continue!
- For general best practice around setting up security for your project, we have a set of recommendations available: https://contribute.cncf.io/projects/best-practices/security/
- The Linux Foundation has a terrific and free course on how to perform a security self-assessment for your project: https://training.linuxfoundation.org/express-learning/security-self-assessments-for-open-source-projects-lfel1005/ (a huge thanks to @Justin Cappos for all his work on this)
- There's a list too long to share here of OpenSSF projects that can help: https://openssf.org/projects/. These projects can help document and verify implementing best practices the right way and help with ensuring they're maintained over time.
These are some of the general recommendations I would make to any open source projects. So, hopefully if others are reading this, they’ll have some good references too.

CC: @SecurityCRob
