epic: OpenSSF Scorecard remediation across platform-mesh repos

[mirzakopic]

Description

This epic groups remediation work for findings from the OpenSSF Scorecard runs across the public platform-mesh repos.

A scan on 2026-04-28 covered 23 of the org's public repos (the rest don't have a scorecard workflow yet — see #276). Scores ranged from 6.2 to 8.6. The same systemic findings repeat across most repos, so the work is grouped into one tracker per Scorecard check (with per-repo checkboxes inside) plus a few standalone issues for repo-specific problems.

Per-repo Scorecard URLs follow the pattern:
https://api.securityscorecards.dev/projects/github.com/platform-mesh/<repo>

Org-wide finding summary

Scorecard check	Affected repos	Severity	Tracker
Token-Permissions	~21/23	High	#269
Pinned-Dependencies	~17/23	High	#270
CII-Best-Practices	23/23	Medium	#271
Branch-Protection	6	High	#272
Fuzzing	~14/23	Low–Medium	#273

Repo-specific issues

• Code-Review failing on helm-charts, portal-server-lib, portal-ui-lib, upstream-images — most commits land without an approved PR. Most security-relevant single finding currently open.
• No Dependabot/Renovate on upstream-images.
• Five repos have no Scorecard at all — flying blind.
• virtual-workspaces has Pinned-Dependencies 0/10 (outlier vs peers).

Sub-tasks

• task: Scorecard — harden GitHub Actions token permissions (Token-Permissions) #269 — Harden GitHub Actions token permissions (Token-Permissions)
• task: Scorecard — pin third-party Actions and base images by SHA (Pinned-Dependencies) #270 — Pin third-party Actions and base images by SHA (Pinned-Dependencies)
• task: Scorecard — apply for OpenSSF Best Practices badge (CII-Best-Practices) #271 — Apply for OpenSSF Best Practices badge (CII-Best-Practices)
• task: Scorecard — strengthen branch protection on default + release branches (Branch-Protection) #272 — Strengthen branch protection on default + release branches (Branch-Protection)
• task: Scorecard — evaluate fuzz testing for Go services (Fuzzing) #273 — Evaluate fuzz testing for Go services (Fuzzing)
• task: Scorecard — enforce PR review on default branches (Code-Review failing) #274 — Enforce PR review on default branches (Code-Review failing)
• task: Scorecard — enable Dependabot/Renovate on upstream-images (Dependency-Update-Tool) #275 — Enable Dependabot/Renovate on upstream-images (Dependency-Update-Tool)
• task: Scorecard — add ossf-scorecard.yml workflow to remaining public repos #276 — Add ossf-scorecard.yml workflow to remaining public repos
• task: Scorecard — fix Pinned-Dependencies on virtual-workspaces (0/10 outlier) #277 — Fix Pinned-Dependencies on virtual-workspaces (0/10 outlier)

Suggested order of execution

1. First (high-impact, low-effort, mechanical):
   • task: Scorecard — harden GitHub Actions token permissions (Token-Permissions) #269 Token-Permissions — same fix pattern across ~21 repos
   • task: Scorecard — pin third-party Actions and base images by SHA (Pinned-Dependencies) #270 Pinned-Dependencies — StepSecurity provides per-workflow auto-fix URLs
   • task: Scorecard — enable Dependabot/Renovate on upstream-images (Dependency-Update-Tool) #275 Dependabot on upstream-images — single repo, single config file
2. Next (high-impact, requires settings access):
   • task: Scorecard — enforce PR review on default branches (Code-Review failing) #274 Code-Review enforcement — most security-relevant finding
   • task: Scorecard — strengthen branch protection on default + release branches (Branch-Protection) #272 Branch-Protection — settings change per repo (or org-level ruleset)
3. Then (one-time, org-wide):
   • task: Scorecard — apply for OpenSSF Best Practices badge (CII-Best-Practices) #271 OpenSSF Best Practices badge registration
   • task: Scorecard — add ossf-scorecard.yml workflow to remaining public repos #276 Add Scorecard workflow to 5 repos that don't have it
4. Lower priority (refine first):
   • task: Scorecard — fix Pinned-Dependencies on virtual-workspaces (0/10 outlier) #277 virtual-workspaces pinning (will be picked up by task: Scorecard — pin third-party Actions and base images by SHA (Pinned-Dependencies) #270 anyway)
   • task: Scorecard — evaluate fuzz testing for Go services (Fuzzing) #273 Fuzzing — scope down to highest-value Go services

Objectives

• Every public, actively-maintained repo in platform-mesh scores 8.5+ on OpenSSF Scorecard.
• No repo has any single check at 0/10.
• Branch protection + required PR review enforced on every default branch.
• OpenSSF Best Practices badge displayed at org level.

Demo Required

None

Demo Steps

No response