Security Best Practices

Hi,

As a member of the Security Team from the Eclipse Foundation, we used a tools [Scorecard](https://github.com/ossf/scorecard) and [StepSecurity](https://www.stepsecurity.io/) to analyze this repo  in order to push a pull request that cover some or all the following best practices below:
* Apply least privilege principle to [GITHUB_TOKEN](https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/)
* Add or fine tune the use of [Dependabot](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates)
* Pin actions to a [full length commit SHA](https://michaelheap.com/ensure-github-actions-pinned-sha/)

As a result, You will see a PR coming from [StepSecurity](https://www.stepsecurity.io/) to help to implement those fixes above which will cover a list of points below identified detected:
* Add or fine tune the use of [Dependabot](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates)
* Pin Actions to a full length commit SHA for files [.github/workflows/cpp.yml](https://github.com/eclipse-openj9/openj9-utils/blob/master/.github/workflows/cpp.yml)


Please don’t hesitate and reach out if there is something unclear above.




Kind Regards,
Francisco Perez

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security Best Practices #92

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security Best Practices #92

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions