From d0c1c81fbc53ce2e63f02094e53cfdfe3cf0bcb8 Mon Sep 17 00:00:00 2001 From: Thomas Leplus Date: Tue, 19 Mar 2024 16:50:15 -0600 Subject: [PATCH] Adding OSSF Scorecards --- .github/workflows/scorecards.yml | 53 ++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 .github/workflows/scorecards.yml diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml new file mode 100644 index 0000000..1e44aba --- /dev/null +++ b/.github/workflows/scorecards.yml @@ -0,0 +1,53 @@ +--- +# Copyright 2016-present Thomas Leplus +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Scorecards supply-chain security +on: + push: + branches: + - main + - 'releases/**' + workflow_dispatch: + +permissions: read-all + +jobs: + analysis: + name: Scorecards analysis + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + steps: + - name: "Checkout code" + uses: actions/checkout@v4 + with: + persist-credentials: false + - name: "Run analysis" + uses: ossf/scorecard-action@main + with: + results_file: results.sarif + results_format: sarif + publish_results: true + - name: "Upload artifact" + uses: actions/upload-artifact@v4 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif