laurentsimon 0e50194de8 use hash
2022-01-04 18:26:32 +00:00
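name: Scorecards supply-chain security
on:
  # Only the default branch is supported.
  branch_protection_rule:
  schedule:
    # Weekly on Saturdays.
    - cron: '30 1 * * 6'
  push:
    # Starter-workflow placeholder; presumably substituted with the real
    # default branch name when the workflow is instantiated — confirm.
    branches: [ $default-branch ]

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write

    steps:
      - name: "Checkout code"
        # Note: scorecard will flag this line if not pinned by hash
        # (same caveat as the two upload steps below).
        uses: actions/checkout@v1

      - name: "Run analysis"
        # Pinned by commit hash rather than a mutable tag.
        uses: ossf/scorecard-action@59f9117686133e93b60a8f23131f87089a076e1b
        with:
          results_file: results.sarif
          results_format: sarif
          # For the token,
          # 1. Create a PAT token at https://github.com/settings/tokens/new
          #    with the following read permissions:
          #    - Note: OSSF Scorecard read-only token
          #    - Expiration: No expiration
          #    - Scopes:
          #      * repo > public_repo
          #      * admin:org > read:org
          #      * admin:repo_hook > read:repo_hook
          #      * write:discussion > read:discussion
          #
          #    Create and copy the token.
          #
          # 2. Create a new repository secret at https://github.com/<org>/<repo>/settings/secrets/actions
          #    with the following settings:
          #    - Name: SCORECARD_TOKEN
          #    - Value: the value of the token created in step 1 above.
          repo_token: ${{ secrets.SCORECARD_TOKEN }}
          # The Scorecard team runs a weekly scan of public GitHub repositories in order to track
          # the overall security health of the open source ecosystem.
          # Setting `publish_results: true` replaces the results of the team's weekly scans,
          # helping us scale by cutting down on repeated workflows and GitHub API requests.
          # This option is needed to enable badges on the repo.
          publish_results: true

      # Upload the results as artifacts.
      # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
      # This is optional.
      - name: "Upload artifact"
        # Note: scorecard will flag this line if not pinned by hash.
        uses: actions/upload-artifact@v2
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      # This is required to visualize the results on GitHub website.
      - name: "Upload to code-scanning"
        # Note: scorecard will flag this line if not pinned by hash.
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: results.sarif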