Skip to content

Commit f6e6701

Browse files
authored
ops: add OpenSSF Scorecard workflow (#48)
Free supply-chain security analysis from openssf/scorecard. Scores ~17 practices (branch protection, signed commits, dependency review, pinned deps, token permissions, SAST, etc.) on a 0-10 scale and publishes the result to api.scorecard.dev so the public badge auto-updates. Runs on push to main, on branch_protection_rule changes, and weekly. Action SHAs are pinned per Scorecard's pinned-dependencies criterion.
1 parent 4b97fd7 commit f6e6701

1 file changed

Lines changed: 59 additions & 0 deletions

File tree

.github/workflows/scorecard.yml

Lines changed: 59 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,59 @@
1+
# OpenSSF Scorecard — supply-chain security analysis.
2+
#
3+
# Runs on push to main, on branch-protection-rule changes, and weekly so the
4+
# score stays current as the repo evolves. Results are uploaded to GitHub's
5+
# code-scanning surface (visible in Security tab) and published to the public
6+
# OpenSSF metric API at api.scorecard.dev so the badge auto-updates.
7+
#
8+
# What it scores: branch protection, signed commits, dependency review,
9+
# pinned dependencies, token permissions, vulnerability disclosure, fuzzing,
10+
# SAST, and ~14 other supply-chain practices. Scores 0-10.
11+
#
12+
# Setup notes:
13+
# - publish_results: true requires the repo to be public (it is).
14+
# - id-token: write is required to mint the OIDC token used for publishing.
15+
# - Workflow MUST live on the default branch for results to publish.
16+
name: Scorecard supply-chain security
17+
18+
on:
19+
branch_protection_rule:
20+
schedule:
21+
- cron: '0 6 * * 1' # Monday 06:00 UTC — weekly refresh
22+
push:
23+
branches: [main]
24+
25+
permissions: read-all
26+
27+
jobs:
28+
analysis:
29+
name: Scorecard analysis
30+
runs-on: ubuntu-latest
31+
permissions:
32+
security-events: write # Upload SARIF to code-scanning
33+
id-token: write # Mint OIDC token for publish to api.scorecard.dev
34+
contents: read
35+
actions: read
36+
steps:
37+
- name: Checkout code
38+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
39+
with:
40+
persist-credentials: false
41+
42+
- name: Run analysis
43+
uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
44+
with:
45+
results_file: results.sarif
46+
results_format: sarif
47+
publish_results: true
48+
49+
- name: Upload artifact
50+
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
51+
with:
52+
name: SARIF file
53+
path: results.sarif
54+
retention-days: 5
55+
56+
- name: Upload to code-scanning
57+
uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
58+
with:
59+
sarif_file: results.sarif

0 commit comments

Comments
 (0)