Adopting the OpenSSF best practices for security - Midpoint log
I am currently trying to get InvenTree compliant with the OpenSSF best practices. This is a log of my progress and thoughts.
Docs and UX
The docs are great, the website looks nice. I wished for some more technical details in the docs, but I guess that would be a double-edged sword.
Something I need a bunch of time to get right is pinned dependencies. For Python packages it is not enough to pin them to a version, you seem to be required to use a requirements file.
Pinning multistage docker builds is still a mystery to me.
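As an added illustration of what a fully pinned multistage build looks like for that check (example code, not from the original post or the InvenTree project): every FROM references its base image by digest, stages are named so COPY --from points at a stage rather than an external image, and pip is told to verify package hashes from the requirements file. The digest values and app.py are placeholders.

```dockerfile
# syntax=docker/dockerfile:1
# Added example. Digests are placeholders; the real ones come from e.g.
# `docker buildx imagetools inspect python:3.11-slim`.

# Stage 1: build. The tag stays for readability, the digest is what actually pins.
FROM python:3.11-slim@sha256:PLACEHOLDER_BUILDER_DIGEST AS builder
WORKDIR /build
# requirements.txt is generated with `pip-compile --generate-hashes`, so every
# pinned version carries sha256 hashes and pip refuses anything that does not match.
COPY requirements.txt .
RUN pip install --no-cache-dir --require-hashes --prefix=/install -r requirements.txt

# Stage 2: runtime image, pinned by digest as well (a second FROM is a second
# dependency and is checked separately).
FROM python:3.11-slim@sha256:PLACEHOLDER_RUNTIME_DIGEST AS runtime
# Copying from a named stage keeps this inside the build; a COPY --from that
# names an external image would itself need a digest.
COPY --from=builder /install /usr/local
WORKDIR /app
COPY . /app
USER 1000:1000
# app.py is a placeholder entry point
CMD ["python", "app.py"]
```

A plain `pip install <package>` or an unpinned `FROM python:3.11-slim` in any stage is enough to lose the point, so the whole Dockerfile has to be pinned, not just the final stage.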
Scope
I think the scope of the rating is good. A lot of things can be fulfilled with a few clicks (dependabot, workflow permissions), a few things are more involved and need some time (pinned dependencies, security policies, reviewer policies, SAST).
Dependabot
I had a not-so-good experience with the recommended dependabot setup. It created a lot of PRs, but the PRs were not very helpful as they often required a manual fix. After we introduced grouping, the noise got significantly reduced. It still seems to ignore my specific requests to ignore certain packages.
Conclusion
I am happy with the progress we made so far. I think the OpenSSF best practices are a good guideline to improve the security of a project. A simple number is always a good motivator for me to get things done and easier to understand for businesses evaluating the project. I am looking forward to the next steps and hope to get a good rating (8.5 ish) soon.
Note
This content was originally posted on my polar.sh site when they had a focus on helping OSS devs with features like newsletters, issue funding and donations.