Implement OSSF Scorecard

[bernacodesido]

Implements scorecard and other required tools such as dependency-review, dependabot and codeQL. And fixes findings from scorecard as well as:

• https://github.com/rsksmart/RSKIPs/security/code-scanning/1
• https://github.com/rsksmart/RSKIPs/security/code-scanning/2
• https://github.com/rsksmart/RSKIPs/security/code-scanning/3

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
actions/actions/checkout	11bd71901bbe5b1630ceea73d27597364c9af683	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 4 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 9 security policy file detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Packaging 🟢 10 packaging workflow detected SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 8 2 existing vulnerabilities detected
actions/github/codeql-action/analyze	662472033e021d55d94146f66f6058822b0b39fd	Unknown	Unknown
actions/github/codeql-action/autobuild	662472033e021d55d94146f66f6058822b0b39fd	Unknown	Unknown
actions/github/codeql-action/init	662472033e021d55d94146f66f6058822b0b39fd	Unknown	Unknown
actions/actions/checkout	eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 4 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 9 security policy file detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Packaging 🟢 10 packaging workflow detected SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 8 2 existing vulnerabilities detected
actions/actions/dependency-review-action	5a2ce3f5b92ee19cbb1541a4984c76d921601d7c	🟢 7.2	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 25 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 9 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/actions/checkout	11bd71901bbe5b1630ceea73d27597364c9af683	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 4 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 9 security policy file detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Packaging 🟢 10 packaging workflow detected SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 8 2 existing vulnerabilities detected
actions/aws-actions/configure-aws-credentials	e3dd6a429d7300a6a4c196c26e071d42e0343502	🟢 5.6	Details Check Score Reason Code-Review 🟢 3 Found 3/9 approved changesets -- score normalized to 3 Maintained 🟢 10 14 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 8 2 existing vulnerabilities detected
actions/ruby/setup-ruby	28c4deda893d5a96a6b2d958c5b47fc18d65c9d3	🟢 5.4	Details Check Score Reason Code-Review 🟢 6 Found 17/26 approved changesets -- score normalized to 6 Maintained 🟢 10 19 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Security-Policy ⚠️ 0 security policy file not detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/actions/checkout	11bd71901bbe5b1630ceea73d27597364c9af683	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 4 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 9 security policy file detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Packaging 🟢 10 packaging workflow detected SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 8 2 existing vulnerabilities detected
actions/actions/upload-artifact	b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882	🟢 6.6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Security-Policy 🟢 9 security policy file detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 9 1 existing vulnerabilities detected
actions/github/codeql-action/upload-sarif	c36620d31ac7c881962c3d9dd939c40ec9434f2b	Unknown	Unknown
actions/ossf/scorecard-action	62b2cac7ed8198b15735ed49ab1e5cf35480ba46	🟢 8.2	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 10 20 different organizations found -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 27 commit(s) out of 30 and 0 issue activity out of 30 found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 no published package detected Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 SAST 🟢 10 SAST tool is run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Vulnerabilities 🟢 10 no vulnerabilities detected

Scanned Manifest Files

.github/workflows/codeql.yml

• actions/checkout@11bd719
• github/codeql-action@6624720
• github/codeql-action@6624720
• github/codeql-action@6624720

.github/workflows/dependency-review.yml

• actions/checkout@eef6144
• actions/dependency-review-action@5a2ce3f

.github/workflows/deploy.yml

• actions/checkout@11bd719
• aws-actions/configure-aws-credentials@e3dd6a4
• ruby/setup-ruby@28c4ded
• actions/checkout@2.*.*
• aws-actions/configure-aws-credentials@1.*.*
• ruby/setup-ruby@1.*.*

.github/workflows/scorecard.yml

• actions/checkout@11bd719
• actions/upload-artifact@b4b15b8
• github/codeql-action@c36620d
• ossf/scorecard-action@62b2cac

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.