ContextQMD
Back to Fabric Js

OpenSSF Scorecard Remediation Plan

SCORECARD_REMEDIATION_PLAN.md

7313.0 KB
Original Source

OpenSSF Scorecard Remediation Plan

Last updated: 2026-04-18

Current public Scorecard snapshot for github.com/fabricjs/fabric.js:

  • Aggregate score: 6.1 / 10
  • Report date: 2026-04-18T07:39:30Z
  • Reported commit: f80aa89a0614f1936952d53557ed46abd94f8d6f

Checks below 10:

  • Dangerous-Workflow: 0
  • Token-Permissions: 0
  • Fuzzing: 0
  • CII-Best-Practices: 0
  • Code-Review: 5
  • Pinned-Dependencies: 7
  • Binary-Artifacts: 8
  • CI-Tests: 8
  • SAST: 9
  • Packaging: -1
  • Signed-Releases: -1
  • Branch-Protection: -1

Priority Order

  1. Harden GitHub Actions workflows.
  2. Remove or replace checked-in binaries.
  3. Make release and packaging workflows easier for Scorecard to detect.
  4. Tighten GitHub branch protection and required-check settings.
  5. Add fuzzing and signed release provenance.
  6. Complete OpenSSF Best Practices badge requirements.

Action Plan

1. CI hardening

  • Replace the Sonar workflow's explicit head_sha / head_branch checkouts.
  • Keep fork PR support by using an untrusted test workflow followed by a privileged analysis workflow that does not build or install from the fork in the privileged context.
  • Avoid explicit head_sha / head_branch checkouts in privileged follow-up workflows when a safer ref or merge ref is available.
  • Reduce workflow token permissions to read-only by default and grant writes only where they are required.
  • Add missing top-level permissions declarations so Scorecard can see least-privilege defaults.
  • Pin any remaining third-party actions by full commit SHA.

2. Binary artifacts

  • Remove lib/google_closure_compiler.jar if it is no longer used.
  • Remove lib/yuicompressor-2.4.6.jar if it is no longer used.
  • If either file is still needed, fetch it during CI or replace it with maintained npm tooling.

3. Packaging and release signals

  • Simplify the npm release workflow so Scorecard can detect an official packaging path.
  • Prefer npm ci over npm install in publish workflows.
  • Move opaque publish logic out of publish.js where possible and keep the publish command explicit in workflow YAML.
  • Evaluate npm publish --provenance for stronger release provenance.

4. Repository settings

  • Enable or verify branch protection rules for master, 5.x, and 6.x.
  • Require pull requests, approvals, stale-review dismissal, and up-to-date checks before merge.
  • Make CI and CodeQL required checks for protected branches.
  • Configure a fine-grained SCORECARD_TOKEN so the Scorecard action can read branch protection state.

5. Longer-horizon security work

  • Add focused fuzz targets for SVG parsing, path parsing, JSON deserialization, and text/layout edge cases.
  • Publish signed release artifacts or attestations alongside GitHub Releases.
  • Apply for the OpenSSF Best Practices badge after workflow and policy gaps are closed.

First implementation pass

This branch starts with the CI hardening items:

  • Sonar workflow redesign
  • obvious permission tightening in CI workflows
  • documentation of the remaining Scorecard work