From 794e910e12b7f31ea222a4be4c11f8c7dd2bcf86 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 10 Dec 2021 17:49:59 +0000 Subject: [PATCH 01/12] add scorecards config --- .../properties/scorecards.properties.json | 10 +++ code-scanning/scorecards.yml | 74 +++++++++++++++++++ 2 files changed, 84 insertions(+) create mode 100644 code-scanning/properties/scorecards.properties.json create mode 100644 code-scanning/scorecards.yml diff --git a/code-scanning/properties/scorecards.properties.json b/code-scanning/properties/scorecards.properties.json new file mode 100644 index 0000000..54362eb --- /dev/null +++ b/code-scanning/properties/scorecards.properties.json @@ -0,0 +1,10 @@ +{ + "name": "OSSF Scorecards supply-chain security analysis", + "creator": "Open Source Security Foundation (OpenSSF) - https://github.com/ossf", + "description": "Scorecards is a static analysis tool to assess the security posture of your project", + "iconName": "scorecards", + "categories": [ + "code-quality", "testing", + "supply-chain", "security", "scanning" + ] +} diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml new file mode 100644 index 0000000..23dc0c1 --- /dev/null +++ b/code-scanning/scorecards.yml @@ -0,0 +1,74 @@ +name: Scorecards supply-chain security +on: + # Only the default branch is supported. + branch_protection_rule: + schedule: + # Weekly on Saturdays. + - cron: '30 1 * * 6' + push: + branches: [ $default-branch ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecards analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + + steps: + - name: "Checkout code" + uses: actions/checkout@v1 + + - name: "Run analysis" + # TODO: update with a hash once we have a release. + uses: ossf/scorecard-action@feat/rempol + with: + results_file: results.sarif + results_format: sarif + # For the token, + # 1. Create a PAT token at https://github.com/settings/tokens/new + # with the following read permissions: + # - Note: OSSF Scorecard read-only token + # - Expiration: No expiration + # - Scopes: + # * repo > public_repo + # * admin:org > read:org + # * admin:repo_hook > read:repo_hook + # * write:discussion > read:discussion + # + # Create and copy the token. + # + # 2. Create a new repository secret at https://github.com///settings/secrets/actions + # with the following settings: + # - Name: SCORECARD_TOKEN + # - Value: the value of the token created in step 1 above. + repo_token: ${{ secrets.SCORECARD_TOKEN }} + # The Scorecard team runs a weekly scan of public GitHub repositories in order to track + # the overall security health of the open source ecosystem. + # Setting `publish_results: true` replaces the results of the team's weelky scans, + # helping us scale by cutting down on repeated workflows and GitHub API requests. + # This option is needed to enable badges on the repo. + publish_results: true + + # Upload the results as artifacts. + # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts + # This is optional. + - name: "Upload artifact" + # Note: scorecard will flag this line if not pinned by hash. + uses: actions/upload-artifact@v2 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + # This is required to visualize the results on GitHub website. + - name: "Upload to code-scanning" + # Note: scorecard will flag this line if not pinned by hash. + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif From 0e50194de868de89ba9545e296fc254c13aaf4cc Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 10 Dec 2021 17:56:35 +0000 Subject: [PATCH 02/12] use hash --- code-scanning/scorecards.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 23dc0c1..709da7e 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -24,8 +24,7 @@ jobs: uses: actions/checkout@v1 - name: "Run analysis" - # TODO: update with a hash once we have a release. - uses: ossf/scorecard-action@feat/rempol + uses: ossf/scorecard-action@59f9117686133e93b60a8f23131f87089a076e1b with: results_file: results.sarif results_format: sarif From a00db4437c100515400041ae9ec3d00bc4e3f0b2 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 16 Dec 2021 18:25:53 +0000 Subject: [PATCH 03/12] comments --- code-scanning/properties/scorecards.properties.json | 5 +---- code-scanning/scorecards.yml | 3 +-- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/code-scanning/properties/scorecards.properties.json b/code-scanning/properties/scorecards.properties.json index 54362eb..d45274b 100644 --- a/code-scanning/properties/scorecards.properties.json +++ b/code-scanning/properties/scorecards.properties.json @@ -3,8 +3,5 @@ "creator": "Open Source Security Foundation (OpenSSF) - https://github.com/ossf", "description": "Scorecards is a static analysis tool to assess the security posture of your project", "iconName": "scorecards", - "categories": [ - "code-quality", "testing", - "supply-chain", "security", "scanning" - ] + "categories": ["Code Scanning"] } diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 709da7e..27ffc2f 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -3,8 +3,7 @@ on: # Only the default branch is supported. branch_protection_rule: schedule: - # Weekly on Saturdays. - - cron: '30 1 * * 6' + - cron: $cron-weekly push: branches: [ $default-branch ] From a894da71d16be3f3b970d067d20d12cc1f23042f Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 28 Dec 2021 17:49:56 +0000 Subject: [PATCH 04/12] pin actions --- code-scanning/scorecards.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 27ffc2f..88f47ee 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -20,7 +20,9 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@v1 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + with: + persist-credentials: false - name: "Run analysis" uses: ossf/scorecard-action@59f9117686133e93b60a8f23131f87089a076e1b @@ -56,8 +58,7 @@ jobs: # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts # This is optional. - name: "Upload artifact" - # Note: scorecard will flag this line if not pinned by hash. - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 with: name: SARIF file path: results.sarif @@ -66,7 +67,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. # This is required to visualize the results on GitHub website. - name: "Upload to code-scanning" - # Note: scorecard will flag this line if not pinned by hash. - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26 with: sarif_file: results.sarif From 9e49744dc2534cee2fbb4986f45287bfce589fb6 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 28 Dec 2021 18:13:49 +0000 Subject: [PATCH 05/12] url --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 88f47ee..b04a28d 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -42,7 +42,7 @@ jobs: # # Create and copy the token. # - # 2. Create a new repository secret at https://github.com///settings/secrets/actions + # 2. Create a new repository secret at https://github.com///settings/secrets/actions/new # with the following settings: # - Name: SCORECARD_TOKEN # - Value: the value of the token created in step 1 above. From f38127b0623a68a7a5faee31773d3adbb8bd3cfb Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 29 Dec 2021 22:51:32 +0000 Subject: [PATCH 06/12] update text --- code-scanning/scorecards.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index b04a28d..c8f9993 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -48,10 +48,12 @@ jobs: # - Value: the value of the token created in step 1 above. repo_token: ${{ secrets.SCORECARD_TOKEN }} # The Scorecard team runs a weekly scan of public GitHub repositories in order to track - # the overall security health of the open source ecosystem. + # the overall security health of the open source ecosystem. The results are publicly + # available as described at https://github.com/ossf/scorecard#public-data. # Setting `publish_results: true` replaces the results of the team's weelky scans, # helping us scale by cutting down on repeated workflows and GitHub API requests. - # This option is needed to enable badges on the repo. + # This option is needed to enable badges on the repo. If you're installing the action + # on a private repo, set it to `publish_results: false` or do not set the value at all. publish_results: true # Upload the results as artifacts. From 48edda6acad5d9b718bedba3c63e8198f1f7c08f Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 29 Dec 2021 22:56:18 +0000 Subject: [PATCH 07/12] reduce text --- code-scanning/scorecards.yml | 24 +++--------------------- 1 file changed, 3 insertions(+), 21 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index c8f9993..a647577 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -29,23 +29,8 @@ jobs: with: results_file: results.sarif results_format: sarif - # For the token, - # 1. Create a PAT token at https://github.com/settings/tokens/new - # with the following read permissions: - # - Note: OSSF Scorecard read-only token - # - Expiration: No expiration - # - Scopes: - # * repo > public_repo - # * admin:org > read:org - # * admin:repo_hook > read:repo_hook - # * write:discussion > read:discussion - # - # Create and copy the token. - # - # 2. Create a new repository secret at https://github.com///settings/secrets/actions/new - # with the following settings: - # - Name: SCORECARD_TOKEN - # - Value: the value of the token created in step 1 above. + # Read-only PAT token. To create it, follow the steps + # in https://github.com/ossf/scorecard-action/main#pat-token-creation repo_token: ${{ secrets.SCORECARD_TOKEN }} # The Scorecard team runs a weekly scan of public GitHub repositories in order to track # the overall security health of the open source ecosystem. The results are publicly @@ -56,9 +41,7 @@ jobs: # on a private repo, set it to `publish_results: false` or do not set the value at all. publish_results: true - # Upload the results as artifacts. - # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts - # This is optional. + # Upload the results as artifacts (optional). - name: "Upload artifact" uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 with: @@ -67,7 +50,6 @@ jobs: retention-days: 5 # Upload the results to GitHub's code scanning dashboard. - # This is required to visualize the results on GitHub website. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26 with: From 07be376c3a753560b12712d3e1c614031a2cf117 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 29 Dec 2021 23:02:46 +0000 Subject: [PATCH 08/12] updates --- code-scanning/scorecards.yml | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index a647577..b9efa21 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -29,16 +29,13 @@ jobs: with: results_file: results.sarif results_format: sarif - # Read-only PAT token. To create it, follow the steps - # in https://github.com/ossf/scorecard-action/main#pat-token-creation + # Read-only PAT token. To create it, + # follow the steps in https://github.com/ossf/scorecard-action/blob/main#pat-token-creation. repo_token: ${{ secrets.SCORECARD_TOKEN }} - # The Scorecard team runs a weekly scan of public GitHub repositories in order to track - # the overall security health of the open source ecosystem. The results are publicly - # available as described at https://github.com/ossf/scorecard#public-data. - # Setting `publish_results: true` replaces the results of the team's weelky scans, - # helping us scale by cutting down on repeated workflows and GitHub API requests. - # This option is needed to enable badges on the repo. If you're installing the action - # on a private repo, set it to `publish_results: false` or do not set the value at all. + # Publish the results to enable scorecard badges. For more details, see + # https://github.com/ossf/scorecard-action/blob/main#publishing-results. + # If you are installing the action on a private repo, set it to `publish_results: false` + # or do not set the value at all. publish_results: true # Upload the results as artifacts (optional). From 7c57e8a703516f380383aedcc599bac86c30b6e2 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 29 Dec 2021 23:07:26 +0000 Subject: [PATCH 09/12] updates --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index b9efa21..209dc37 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -35,7 +35,7 @@ jobs: # Publish the results to enable scorecard badges. For more details, see # https://github.com/ossf/scorecard-action/blob/main#publishing-results. # If you are installing the action on a private repo, set it to `publish_results: false` - # or do not set the value at all. + # or comment out the following line. publish_results: true # Upload the results as artifacts (optional). From 40772919fb6683dd374c85974123e699aff4872c Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 29 Dec 2021 23:11:08 +0000 Subject: [PATCH 10/12] updates --- code-scanning/scorecards.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 209dc37..dbfbecd 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -30,10 +30,10 @@ jobs: results_file: results.sarif results_format: sarif # Read-only PAT token. To create it, - # follow the steps in https://github.com/ossf/scorecard-action/blob/main#pat-token-creation. + # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation. repo_token: ${{ secrets.SCORECARD_TOKEN }} # Publish the results to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action/blob/main#publishing-results. + # https://github.com/ossf/scorecard-action#publishing-results. # If you are installing the action on a private repo, set it to `publish_results: false` # or comment out the following line. publish_results: true From b73f59a3e8a02531a5ca5623bab1ad5387d8072d Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 4 Jan 2022 18:08:50 +0000 Subject: [PATCH 11/12] add icon --- icons/scorecards.svg | 365 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 365 insertions(+) create mode 100644 icons/scorecards.svg diff --git a/icons/scorecards.svg b/icons/scorecards.svg new file mode 100644 index 0000000..9db608c --- /dev/null +++ b/icons/scorecards.svg @@ -0,0 +1,365 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From d0dba5262b9d520abb5b6a16c3c7631df3414a9d Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 4 Jan 2022 18:13:24 +0000 Subject: [PATCH 12/12] use v0.0.1 --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index dbfbecd..8b2346a 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -25,7 +25,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@59f9117686133e93b60a8f23131f87089a076e1b + uses: ossf/scorecard-action@175f59783fa96e44dd6fa96619ab7bdacab56b5c # v0.0.1 with: results_file: results.sarif results_format: sarif