As was announced in August, LGTM.com was shut down, and as per the recommendation in the announcement we could try to set it up again with GitHub Actions... https://github.blog/2022-08-15-the-next ... -scanning/
Actions for running CodeQL analysis
https://github.com/github/codeql-action
https://github.blog/2023-01-09-default- ... -scanning/
https://github.blog/2023-04-17-multi-re ... ositories/
Shut down of LGTM.com
Forum rules
Be nice to others! Respect the FreeCAD code of conduct!
Last edited by saso on Wed Apr 17, 2024 11:30 am, edited 5 times in total.
Re: Shut down of LGTM.com
A few other security-related GitHub Actions that could possibly be interesting to check and maybe add to the FC GitHub Actions...
OpenSSF Scorecard - Security health metrics for Open Source
https://securityscorecards.dev/
https://github.com/ossf/scorecard
https://opensource.googleblog.com/2023/ ... later.html
https://openssf.org/blog/2024/04/17/bey ... forcement/
OSV-Scanner (Already integrated in OpenSSF Scorecard)
https://github.com/google/osv-scanner
https://google.github.io/osv-scanner/
https://security.googleblog.com/2022/12 ... ility.html
https://security.googleblog.com/2023/03 ... cycle.html
https://opensource.googleblog.com/2024/ ... ities.html
https://osv.dev/
https://github.com/google/osv.dev
https://github.com/ossf/osv-schema
Supply-chain Levels for Software Artifacts, or SLSA ("salsa")
https://slsa.dev/
https://slsa.dev/blog/2022/08/slsa-gith ... generic-ga
https://openssf.org/press-release/2023/ ... 0-release/
https://security.googleblog.com/2023/04 ... tware.html
https://github.com/slsa-framework/slsa
https://github.com/slsa-framework/slsa-verifier
https://github.com/slsa-framework/slsa-github-generator
Protobom is a protocol buffers representation of SBOM data
https://openssf.org/press-release/2024/ ... e-project/
https://github.com/bom-squad/protobom
https://openssf.org/projects/protobom/
Socket proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection
https://socket.dev/
ClusterFuzzLite
https://google.github.io/clusterfuzzlite/
https://google.github.io/clusterfuzzlit ... b-actions/
https://github.com/google/clusterfuzzlite
Also the use of https://app.stepsecurity.io, as often recommended by the above OpenSSF Scorecard for the various "Token-Permissions" and "Pinned-Dependencies" issues...
And the Google Engineering Practices Documentation https://google.github.io/eng-practices/ and OpenSSF Guides https://openssf.org/resources/guides/
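As an added illustration of the two Scorecard findings mentioned above (this is example configuration, not FreeCAD's own workflow and not code from the post): a CodeQL workflow in the shape that passes the Token-Permissions and Pinned-Dependencies checks, with the weak form shown in comments next to the hardened one. The commit SHAs are placeholders, and the language list and the autobuild step are assumptions that a real FreeCAD workflow would replace with its own build steps.

```yaml
# Added example (not FreeCAD's workflow): CodeQL run shaped to satisfy the
# OpenSSF Scorecard checks Token-Permissions and Pinned-Dependencies.
# Every <...> SHA is a placeholder; pin to the real commit SHA of the tag you use.
name: codeql

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Weak (flagged under Token-Permissions): omitting the top-level
# `permissions:` block, so GITHUB_TOKEN gets the repository default,
# which is often write access to everything.
#
# Hardened: default the token to read-only for the whole workflow ...
permissions: read-all

jobs:
  analyze:
    runs-on: ubuntu-latest
    # ... and grant write only to the job that needs it (uploading SARIF
    # results to code scanning requires security-events: write).
    permissions:
      contents: read
      security-events: write
    steps:
      # Weak (flagged under Pinned-Dependencies):
      #   - uses: actions/checkout@v4
      # A tag can be moved to point at different code later; a full commit
      # SHA cannot. Keep the tag as a trailing comment so tooling can bump it.
      - uses: actions/checkout@<40-hex-commit-sha-placeholder> # v4
      - uses: github/codeql-action/init@<40-hex-commit-sha-placeholder> # v3
        with:
          # Assumed language set for a C++/Python code base.
          languages: cpp, python
      # Assumed build step; a complex project usually replaces autobuild
      # with its own explicit build commands here.
      - uses: github/codeql-action/autobuild@<40-hex-commit-sha-placeholder> # v3
      - uses: github/codeql-action/analyze@<40-hex-commit-sha-placeholder> # v3
```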