Skip to content

[Proposal] Resolve False Positives in Security & Best Practices #1998

Description

@eddie-knight

During a FINOS TOC health check last week, @rocketstack-matt and I noticed that some of the security & best practices checks in LFX have become inaccurate due to a shift in permissions on certain GitHub API values. The first one we noticed was branch protection which now requires admin perms, and there are a few others that I suspect are also impacted.

Could we set up an option for projects to post their own results when they scan from their own CI? I don't remember getting that across the finish line. If Insights adds that logic, we could update the baseline scanner to use needs review when we suspect an authentication error (this was tough to determine previously, but we can at least approximate it).

The new feature would involve using the GitHub Actions default OIDC logic to allow exclusive input from the source repository to send results from an introspective scan. I anticipate the logic would be straightforward, since it would just be like... if (OIDC source == target) then accept the update.

Happy to help with this if it sounds like a good idea.

cc/ @jmeridth @TheJuanAndOnly99

Metadata

Metadata

Assignees

No one assigned

    Labels

    featureNew feature or requestsecurityRelated to the Security & Best Practices feature.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions