diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 3a2c9c2f0b8c9..38c67b8ddae6b 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -17,6 +17,7 @@ jobs: with: fail-on-severity: high fail-on-scopes: runtime, unknown, development - comment-summary-in-pr: on-failure + comment-summary-in-pr: always show-openssf-scorecard: true - retry-on-snapshot-warnings: true + warn-on-openssf-scorecard-level: 5 + retry-on-snapshot-warnings: true \ No newline at end of file diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b3712f244a293..502ef5298bca3 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -532,6 +532,9 @@ We use the [Fork and Pull model](https://docs.github.com/en/pull-requests/collab - Implement or modify relevant tests, otherwise provide clear explanation why test updates were not necessary - Tag your PR with affected code areas as best as you can, it’s okay to tag too many, better to cut down irrelevant tags than miss getting input from relevant subject matter experts - All tests shall pass before requesting a code review. If there are test failures, even it's from unrelated problems, try to address them by either sending a PR to fix it or creating a Github issue so it can be triaged and fixed soon. +- If adding new dependencies: + * OpenSSF Scorecard: Ensure they have an [OpenSSF Scorecard](https://securityscorecards.dev/#the-checks) score of 5.0 or higher. Dependencies with scores below 5.0 require explicit approval from the TSC. [The OpenSSF score can be checked here](https://scorecard.dev/viewer/). Automated checks will comment on the PR with scorecard scores for new dependencies. + * Vulnerabilities: Ensure new dependencies do not introduce known high or critical severity vulnerabilities. Automated checks will fail the build if such vulnerabilities are detected. In exceptional cases, this can be overridden by TSC vote, requiring an administrator to merge the PR. ### What not to do for Pull Requests * Submit before getting peer review in your own organization diff --git a/pull_request_template.md b/pull_request_template.md index 3181b374bdeba..e0fc2607a2514 100644 --- a/pull_request_template.md +++ b/pull_request_template.md 
@@ -19,6 +19,7 @@ - [ ] If release notes are required, they follow the [release notes guidelines](https://github.com/prestodb/presto/wiki/Release-Notes-Guidelines). - [ ] Adequate tests were added if applicable. - [ ] CI passed. +- [ ] If adding new dependencies, verified they have an [OpenSSF Scorecard](https://securityscorecards.dev/#the-checks) score of 5.0 or higher (or obtained explicit TSC approval for lower scores). ## Release Notes Please follow [release notes guidelines](https://github.com/prestodb/presto/wiki/Release-Notes-Guidelines) and fill in the release notes below.
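Review bot: in the dependency-review.yml hunk, the re-added `+ retry-on-snapshot-warnings: true` line is followed by `\ No newline at end of file` while the removed `- retry-on-snapshot-warnings: true` line was not, so this change drops the trailing newline the file previously had; restore it so the YAML ends with a newline and later diffs stay clean. A short comment above `+ warn-on-openssf-scorecard-level: 5` would also help: that input only produces a warning (only `fail-on-severity: high` fails the build), so the 5.0 threshold is enforced by the TSC-approval process described in CONTRIBUTING.md, not by the action, and a reviewer reading the workflow alone cannot tell that.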
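Review bot: the CONTRIBUTING.md hunk says who grants an exception ("explicit approval from the TSC", "overridden by TSC vote, requiring an administrator to merge the PR") but not where that approval is recorded; add a sentence asking the author to link the TSC decision in the PR description so the reviewer and the administrator merging over a failed check can verify it. Two smaller points: the new sub-bullets use `*` while the enclosing list uses `-`, and the two scorecard links point at different hosts (`securityscorecards.dev/#the-checks` and `scorecard.dev/viewer/`), so confirm both are intended.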
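Review bot: the new checklist item in pull_request_template.md covers only the OpenSSF Scorecard threshold, while the CONTRIBUTING.md hunk also requires that new dependencies introduce no known high or critical severity vulnerabilities; either extend the item to mention that check or link it to the new "If adding new dependencies" section so the template and the contributing guide stay in sync.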