Newsgroups: php.internals
Date: Thu, 20 Oct 2022 18:25:58 -0300
From: internals@lists.php.net ("Pedro Nacht via internals")
Reply-To: Pedro Nacht
To: internals@lists.php.net
Subject: [PHP-DEV] Adding the OpenSSF Scorecards GitHub Action

I've made this suggestion as issue #9778 (https://github.com/php/php-src/issues/9778) and PR #9789 (https://github.com/php/php-src/pull/9789), but have been invited by @damianwadley to bring it to the mailing list.

The Scorecards GitHub Action basically keeps an eye on a repo's security posture and makes simple, objective suggestions for possible improvements. For PHP's current Scorecard results, see here: https://api.securityscorecards.dev/projects/github.com/php/php-src.
At the moment it's a raw JSON dump, but it contains information on the results of all the individual checks as well as comments on how to improve the scores. When the Action is installed, this is cleanly added to the project's GitHub Security Panel with step-by-step instructions.

@iluuu1994 raised the issue that Scorecards suggests maximal branch protection and code review (prefer all contributions come via PRs with some form of code review prior to being added to the repo), which is quite distinct from the current PHP workflow, which allows core maintainers to simply push directly. The reasons for this are entirely understandable. The Scorecard simply serves to indicate that other, more secure workflows exist. Whether their costs (in terms of agility and especially maintainer time) are worth it is a determination only the core team can make.

I'm happy to answer any questions anyone might have, and am also happy to help PHP in other ways if I can!

Thanks,
Pedro

P.S. First time contribution to the mailing list, apologies for any missteps!
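The API result the post links to is a raw JSON dump. As an added example (not part of the post and not the Scorecard project's own code), the script below reads a result in that layout, keeps checks that could not run (score -1) apart from checks that ran and scored low, and lists each weak check with its reason and remediation link, which is roughly what the Security Panel view does for you once the Action is installed. The embedded document is constructed: its scores are made up and say nothing about php-src. The field names (`score`, `checks[].name`, `score`, `reason`, `details`, `documentation.url`) follow the Scorecard JSON output as I know it and should be checked against the live API response.

```python
"""Summarise an OpenSSF Scorecard JSON result.

Added example for illustration only. The sample below is CONSTRUCTED and
does not describe any real repository; field names are assumed to match
the Scorecard JSON output format.
"""
import json
from typing import Any

# Constructed sample in the Scorecard result layout (all values made up).
# Scorecard scores run 0..10; -1 means the check could not be evaluated.
SAMPLE_RESULT = json.dumps({
    "date": "2022-10-20",
    "repo": {"name": "github.com/example/project", "commit": "0000000"},
    "scorecard": {"version": "vX.Y.Z", "commit": "0000000"},
    "score": 4.7,
    "checks": [
        {"name": "Branch-Protection", "score": 0,
         "reason": "branch protection not enabled on development/release branches",
         "details": ["Warn: branch protection not enabled for branch 'master'"],
         "documentation": {"short": "Checks whether default/release branches are protected.",
                           "url": "https://example.invalid/docs/checks#branch-protection"}},
        {"name": "Code-Review", "score": 3,
         "reason": "found 7 unreviewed changesets out of 10",
         "details": None,
         "documentation": {"short": "Checks whether changes are reviewed before merge.",
                           "url": "https://example.invalid/docs/checks#code-review"}},
        {"name": "Token-Permissions", "score": 10,
         "reason": "tokens are read-only in GitHub workflows",
         "details": None,
         "documentation": {"short": "Checks workflow token permissions.",
                           "url": "https://example.invalid/docs/checks#token-permissions"}},
        {"name": "Fuzzing", "score": -1,
         "reason": "internal error: could not query fuzzing integration",
         "details": None,
         "documentation": {"short": "Checks whether the project uses fuzzing.",
                           "url": "https://example.invalid/docs/checks#fuzzing"}},
    ],
})


def parse_result(raw: str) -> dict[str, Any]:
    """Load a Scorecard document and verify the fields this script relies on."""
    data = json.loads(raw)
    if "score" not in data or not isinstance(data.get("checks"), list):
        raise ValueError("not a Scorecard result: expected 'score' and a 'checks' list")
    for check in data["checks"]:
        if "name" not in check or not isinstance(check.get("score"), (int, float)):
            raise ValueError("check entry missing 'name' or numeric 'score'")
    return data


def inconclusive_checks(result: dict[str, Any]) -> list[str]:
    """Names of checks Scorecard could not evaluate (negative score).

    These are kept separate so an unrun check is never mistaken for a real 0.
    """
    return [c["name"] for c in result["checks"] if c["score"] < 0]


def failing_checks(result: dict[str, Any], threshold: int = 5) -> list[dict[str, Any]]:
    """Checks that ran and scored below `threshold`, worst score first."""
    failing = [c for c in result["checks"] if 0 <= c["score"] < threshold]
    return sorted(failing, key=lambda c: (c["score"], c["name"]))


def summarise(result: dict[str, Any], threshold: int = 5) -> str:
    """Render the weak checks, each with its reason, details and how-to-improve link."""
    lines = [f"overall score: {result['score']}/10"]
    for check in failing_checks(result, threshold):
        lines.append(f"[{check['score']:>2}/10] {check['name']}: {check.get('reason', '')}")
        for detail in check.get("details") or []:  # 'details' may be null
            lines.append(f"          {detail}")
        url = (check.get("documentation") or {}).get("url")
        if url:
            lines.append(f"          how to improve: {url}")
    unrun = inconclusive_checks(result)
    if unrun:
        lines.append("could not evaluate: " + ", ".join(unrun))
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarise(parse_result(SAMPLE_RESULT)))
```

To run it against a real result, replace `SAMPLE_RESULT` with the text fetched from the API URL in the post; the threshold of 5 is an arbitrary cut-off and the list of weak checks is what a maintainer would triage.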