Shutdown of LGTM.com

As announced in August, LGTM.com was shut down, and as per the recommendation in the announcement we could try to set it up again with GitHub Actions… https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/

Actions for running CodeQL analysis
https://github.com/github/codeql-action
https://github.blog/2023-01-09-default-setup-a-new-way-to-enable-github-code-scanning/
https://github.blog/2023-04-17-multi-repository-enablement-effortlessly-scale-code-scanning-across-your-repositories/

_PS: I have noticed j8sr0230 is using it for his Nodes WB https://github.com/j8sr0230/Nodes/actions/workflows/codeql.yml_

:question:

A few other security-related GitHub Actions that could possibly be interesting to check and maybe add to the FC GitHub Actions…

OpenSSF Scorecard - Security health metrics for Open Source
https://securityscorecards.dev/
https://github.com/ossf/scorecard
https://opensource.googleblog.com/2023/04/googles-open-source-security-upstream-team-one-year-later.html
OpenSSF Scorecard should be possible to add quite easily and quickly, since it only makes some general checks on how the repository is set up; all the other tools listed here are actually things that are checked and recommended by OpenSSF Scorecard…

OSV-Scanner
https://github.com/google/osv-scanner
https://google.github.io/osv-scanner/
https://security.googleblog.com/2022/12/announcing-osv-scanner-vulnerability.html
https://security.googleblog.com/2023/03/osv-and-vulnerability-life-cycle.html
https://osv.dev/
https://github.com/google/osv.dev
https://github.com/ossf/osv-schema
Already integrated into OpenSSF Scorecard

Supply-chain Levels for Software Artifacts, or SLSA (“salsa”)
https://slsa.dev/
https://slsa.dev/blog/2022/08/slsa-github-workflows-generic-ga
https://openssf.org/press-release/2023/04/19/openssf-announces-slsa-version-1-0-release/
https://security.googleblog.com/2023/04/celebrating-slsa-v10-securing-software.html
https://github.com/slsa-framework/slsa
https://github.com/slsa-framework/slsa-verifier
https://github.com/slsa-framework/slsa-github-generator

ClusterFuzzLite
https://google.github.io/clusterfuzzlite/
https://google.github.io/clusterfuzzlite/running-clusterfuzzlite/github-actions/
https://github.com/google/clusterfuzzlite

Also the use of https://app.stepsecurity.io, as often recommended by the above-mentioned OpenSSF Scorecard for the different “Token-Permissions” and “Pinned-Dependencies” issues…

And the Google Engineering Practices Documentation https://google.github.io/eng-practices/