Reboot Security 🔒

[UlisesGascon]

Overview

Related to yeoman/yeoman#1779

The goal of this security plan is to ensure that Yeoman remains a secure, reliable tool for the community. By defining clear policies, roles, and responsibilities—and by proactively monitoring and mitigating vulnerabilities—we can help protect Yeoman users from potential threats.

General Approach

1. Establish a clear reporting process
   • Provide a transparent path for security researchers and community members to report vulnerabilities.
2. Maintain secure development practices
   • Regularly review code, update dependencies, and follow security best practices.
3. Audit and monitor
   • Continuously track known vulnerabilities, apply patches, and communicate risks to stakeholders.

Backlog

• Define a comprehensive SECURITY.md at the organization level
  • Document a responsible disclosure policy (including how to report security issues and expected response times).
  • Include guidance on how vulnerabilities are triaged and fixed.
  • See: docs: add a security policy #2
• Create a .github repository or folder for organization-wide resources
• Implement OSSF Scorecard recommendations
  • Monitor the current score and track improvements over time: (OpenSSF Scorecard Report Updated #3 and reports)
  • Address suggested remediation steps (e.g., signing releases, enabling branch protection rules, automating dependency checks, SAST, CI/CD Pipeline Hardening, etc.).
  • Final report: Reboot Security 🔒 #1 (comment)
• Review CVEs for known vulnerabilities
  • Evaluate Yeoman’s repos and dependencies against reported CVEs.
  • Patch or mitigate as necessary.
  • Analysis: 📌 Project Status: Maintenance Reboot yeoman#1779 (comment)
• Create a threat model
  • Use examples from Express and Node.js as references.
  • Outline potential attack vectors, likely threat agents, and mitigation strategies.
  • See: docs: add a threat model for the project #21
• Review and update GitHub teams/permissions
  • Ensure the principle of least privilege is followed.
  • Restrict sensitive actions (e.g., publishing, merging to main) to trusted maintainers/contributors.
• Review and update teams/permissions on npm
  • Verify correct ownership and publishing rights.
  • Rotate access tokens or credentials (if needed).
• Update vulnerable dependencies
  • Identify and upgrade libraries with known vulnerabilities.
• Plan releases to improve project security posture
  • Create a new release for each library if more than a year has passed since the previous release.

Notes

This is an open discussion, and this backlog may evolve over time as we implement these actions. Feel free to participate and suggest additional improvements. 👍

[UlisesGascon]

With this great improvements, I consider the Scorecard implementation phase completed 🥳

Repository	Commit	Score	Score Delta	Report	StepSecurity
yeoman/generator	aa4661e	6.8	1 / Details	View	Fix it
yeoman/yeoman.io	92f38d7	7	4.3 / Details	View	Fix it
yeoman/yo	c66f7a7	6.6	2.8 / Details	View	Fix it
yeoman/generator-generator	e39e025	5.2	2.3 / Details	View	Fix it
yeoman/generator-dummy	22caabc	5.1	2.4 / Details	View	Fix it
yeoman/generator-node	06b66b1	4.9	2.9 / Details	View	Fix it
yeoman/yosay	f781247	5.9	1.7 / Details	View	Fix it
yeoman/yeoman-test	c3b6899	5.5	2.3 / Details	View	Fix it
yeoman/environment	92fa818	5.6	2.2 / Details	View	Fix it
yeoman/doctor	c576ffa	6.1	2.5 / Details	View	Fix it
yeoman/yeoman-character	c20fb53	5.9	2 / Details	View	Fix it
yeoman/yeoman-welcome	ad4896e	5.9	4 / Details	View	Fix it

[UlisesGascon]

As discussed, I made all the changes in the GH org to mimic the current organization status 👍