Potential Security Enhancements for lua-resty-balancer #56
Description
Hi lua-resty-balancer Maintainers,
I'm reaching out because I appreciate your work on lua-resty-balancer. As open-source security is a growing concern, I'd like to suggest some improvements based on the OpenSSF Scorecard best practices:
Token Permissions: Consider implementing explicit token permissions within the workflow to avoid over-permissioning vulnerabilities.
Pinned Dependencies: Using a commit hash instead of @v4 for the third-party library can mitigate breaking changes or vulnerabilities in future updates.
Branch Protection & Code Review: Enabling branch protection rules and code reviews can minimize the risk of introducing vulnerabilities. Refer to your repository settings for configuration options.
Static Application Security Testing (SAST): Implementing SAST tools can help detect vulnerabilities early in the development lifecycle.
Security Policy: Defining a comprehensive security policy (SECURITY.md) with vulnerability reporting guidelines, coding standards, and response procedures is recommended.
License: On its own, this check will detect files in the top-level directory with any combination of the following names and extensions:LICENSE, LICENCE, COPYING, COPYRIGHT and having common extensions such as .html, .txt, or .md. It will also detect these files in a directory named LICENSES. (Files in a LICENSES directory are typically named as their SPDX license identifier followed by an appropriate file extension, as described in the REUSE Specification.)
For more information on specific checks, see the OpenSSF Scorecard documentation: Link to Documentation