Hi,

I am Francisco Perez, a member of the Eclipse Foundation security team.


I am writing to you because we have analyzed all the repositories in the
GitHub organization eclipse-platform using Scorecard
<https://github.com/ossf/scorecard> and we have found out some improvements
could be made.


We will create an issue where we will summarize all the Security Best
Practices identified and create PRs to help you with applying those
Security Best Practices. You may see some of those PRs coming from
StepSecurity <https://www.stepsecurity.io/> as this is a tool we use to
help us implement those fixes at scale.


The PR above will cover some or all of the following best practices:

   - Apply least privilege principle to GITHUB_TOKEN
     <https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/>

   - Add or fine tune the use of Dependabot
     <https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates>

   - Pin GitHub actions to a full length commit SHA
     <https://michaelheap.com/ensure-github-actions-pinned-sha/>

Please don't hesitate to reach out if there is something unclear above.



Kind Regards,



*Francisco Perez*
*Open Source Software Engineer | Eclipse Foundation*
Eclipse Foundation <http://www.eclipse.org/>: The Platform for Open
Innovation and Collaboration
_______________________________________________
platform-dev mailing list
platform-dev@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/platform-dev
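The three items in the list above (a least-privilege `permissions` block for GITHUB_TOKEN, Dependabot coverage for GitHub Actions, and actions pinned to a full-length commit SHA) can be checked mechanically before a Scorecard run. The script below is an added example written for this message; it is not part of the email, of Scorecard, or of StepSecurity's tooling. It embeds two constructed workflow files (one with the weak settings, one hardened) and a constructed `dependabot.yml`; the 40-character SHAs in the hardened workflow are placeholders, not real commits of those actions.

```python
import re

# A full-length commit SHA is exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref" step lines, ignoring any trailing "# comment".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def audit_workflow(text):
    """Return a list of findings for a GitHub Actions workflow file.

    Checks two of the practices from the email:
      1. a top-level `permissions:` block (least-privilege GITHUB_TOKEN);
      2. every `uses:` reference pinned to a full commit SHA, not a tag/branch.
    """
    findings = []
    lines = text.splitlines()

    # Without a top-level block, GITHUB_TOKEN falls back to the repository's
    # default permissions, which historically are read/write on all scopes.
    if not any(re.match(r"^permissions:", line) for line in lines):
        findings.append("no top-level 'permissions:' block; GITHUB_TOKEN "
                        "inherits the repository default permissions")

    for number, line in enumerate(lines, 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        # Local actions and docker images are not pinned by SHA.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(f"line {number}: '{ref}' has no version reference")
            continue
        action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(f"line {number}: '{action}' is pinned to mutable "
                            f"ref '{version}', not a full-length commit SHA")
    return findings


def dependabot_covers_actions(text):
    """True if a dependabot.yml declares the github-actions ecosystem,
    so Dependabot will bump the pinned SHAs when actions release updates."""
    return re.search(r'package-ecosystem:\s*"?github-actions"?', text) is not None


# Constructed sample: the "before" state Scorecard would flag.
WEAK_WORKFLOW = """\
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          java-version: '17'
      - run: ./mvnw -B verify
"""

# Constructed sample: the hardened form. The SHAs are PLACEHOLDERS only.
HARDENED_WORKFLOW = """\
name: build
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: actions/setup-java@fedcba9876543210fedcba9876543210fedcba98 # v4 (placeholder SHA)
        with:
          java-version: '17'
      - run: ./mvnw -B verify
"""

# Constructed sample dependabot.yml keeping the pinned actions up to date.
DEPENDABOT_CONFIG = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {audit_workflow(text) or ['no findings']}")
    print("dependabot covers github-actions:", dependabot_covers_actions(DEPENDABOT_CONFIG))
```

Run it as-is to see the weak workflow produce three findings (missing `permissions` plus two tag-pinned actions) and the hardened one produce none. The regex approach deliberately avoids a YAML dependency; for real repositories the same checks are what Scorecard's Token-Permissions, Pinned-Dependencies and Dependency-Update-Tool probes report.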