Assessment against best practices (OpenSSF Scorecards ...)

[fraxken]

As discussed in the last meeting #857. I'm creating this issue to, discuss and follow the evolution of this new Security-WG initiative for 2023.

The main idea is to assess how the Node.js project is positioned in regards to some security best practices. The final goal would be to collect metrics, allowing us to eventually improve security.

As a first actionable step we discussed exploring the OpenSSF Scorecards initiative. For context an issue about Scorecard has been opened here: #851 (There is some nice information on it). A presentation will be held in the next meeting (January 19th).

[RafaelGSS]

Next steps:

OSSF Scorecards

• Enable scorecard.yml
  • undici workflow: add scorecard.yml undici#1942
  • and nodejs tools: add scorecard ci node#47254
• Filter non-relevant repositories in the scorecard_report
• Improve the score of all reports monitored

CII Best Practices

• Node.js Basic Level: CII-Best-Practices for Nodejs: Entry level #954
• Node.js Silver Level: CII-Best-Practices for Nodejs: Silver level #955
• Node.js Gold Level: CII-Best-Practices for Nodejs: Gold level #956
• Agree to implement in other projects (Undici, Ada..) and provide support.

Other

• Requirement: It MUST be possible to configure the software so that smaller keylengths are completely disabled #988
• Requirement: Secure development knowledge #987
• Requirement: Publicly known medium-high vulnerabilities unpatched for +60 days #986
• Requirement: Static source code analysis daily or per commit #985