Improve SecurityWG Scorecard

[RafaelGSS]

Following https://github.com/nodejs/security-wg/blob/main/tools/ossf_scorecard/report.md + Code Scanning, we have a few security concerns to mitigate in this repository and then improve our score. Let's use this issue to keep track of the progress:

• Token-Permissions
  • .github/workflows/ossf-scorecard-reporting.yml:11

  • score is 0: topLevel 'contents' permission set to 'write'
    Remediation tip: update your workflow using https://app.stepsecurity.io
    Click Remediation section below for further remediation help

  • .github/workflows/validate-vulnerability.yml:1

  • score is 0: no topLevel permission defined
    Remediation tip: update your workflow using https://app.stepsecurity.io
    Click Remediation section below for further remediation hel

• Pinned-Dependencies
  • All .yml files.
• SAST Tool
• Fuzzing
• Code-Review

[UlisesGascon]

I am happy to help with some PRs for the tokens and pinned dependencies. Regarding SAST Tool I can enable CodeQL from the github settings in few minutes.

Regarding fuzzing maybe @fraxken can lead it :)

[shubham-y]

I would like to work on this issue

[RafaelGSS]

@shubham-y feel free to pick one item from the list and make the PR.

[varunsh-coder]

Hi All, I am the founder of StepSecurity. We are developing a few tools like app.stepsecurity.io to simplify developers' work and increase the OpenSSF Scorecard score using automation. Please let me know if I can help in any way.

I am curious if this issue is only for this repo or to increase the score across nodejs repos?

[RafaelGSS]

Currently, only this repo. The plan is to perform this for all the repos in the org.