During a FINOS TOC health check last week, @rocketstack-matt and I noticed that some of the security & best practices checks in LFX have become inaccurate due to a shift in permissions on certain GitHub API values. The first one we noticed was branch protection which now requires admin perms, and there are a few others that I suspect are also impacted.
Could we set up an option for projects to post their own results when they scan from their own CI? I don't remember getting that across the finish line. If Insights adds that logic, we could update the baseline scanner to use needs review when we suspect an authentication error (this was tough to determine previously, but we can at least approximate it).
The new feature would involve using the GitHub Actions default OIDC logic to allow exclusive input from the source repository to send results from an introspective scan. I anticipate the logic would be straightforward, since it would just be like... if (OIDC source == target) then accept the update.
Happy to help with this if it sounds like a good idea.
cc/ @jmeridth @TheJuanAndOnly99
During a FINOS TOC health check last week, @rocketstack-matt and I noticed that some of the security & best practices checks in LFX have become inaccurate due to a shift in permissions on certain GitHub API values. The first one we noticed was branch protection which now requires admin perms, and there are a few others that I suspect are also impacted.
Could we set up an option for projects to post their own results when they scan from their own CI? I don't remember getting that across the finish line. If Insights adds that logic, we could update the baseline scanner to use
needs reviewwhen we suspect an authentication error (this was tough to determine previously, but we can at least approximate it).The new feature would involve using the GitHub Actions default OIDC logic to allow exclusive input from the source repository to send results from an introspective scan. I anticipate the logic would be straightforward, since it would just be like... if (OIDC source == target) then accept the update.
Happy to help with this if it sounds like a good idea.
cc/ @jmeridth @TheJuanAndOnly99