Skip to content

ci: add OSSF Scorecard workflow#15

Merged
aksOps merged 1 commit into
mainfrom
ci-scorecard
Apr 22, 2026
Merged

ci: add OSSF Scorecard workflow#15
aksOps merged 1 commit into
mainfrom
ci-scorecard

Conversation

@aksOps

@aksOps aksOps commented Apr 22, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Adds .github/workflows/scorecard.yml running weekly + on push to main
  • Publishes results to scorecard.dev, populating the existing OpenSSF Score badge
  • Uploads SARIF to Code Scanning for visibility in the Security tab
  • All actions pinned by commit SHA per scorecard best practice

Test plan

  • Workflow passes lint (valid YAML, correct permissions)
  • CI checks pass on PR
  • After merge: scorecard runs on main, badge populates within a few minutes

Summary by CodeRabbit

  • Chores
    • Added automated security analysis workflow that runs OSSF Scorecard checks on the repository, generates security assessment reports, and publishes findings to GitHub Code Scanning for centralized vulnerability tracking.

Publishes weekly scorecard results to scorecard.dev, populating the
OpenSSF Score badge in README. Actions pinned by SHA per scorecard's
own recommendation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Apr 22, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

A new GitHub Actions workflow is created to execute OSSF Scorecard security analysis on the repository. The workflow generates SARIF output, uploads results to GitHub Code Scanning for tracking, and stores scorecard results as a temporary artifact.

Changes

Cohort / File(s) Summary
OSSF Scorecard Workflow
.github/workflows/scorecard.yml
Introduces GitHub Actions workflow that runs OSSF Scorecard analysis, generates SARIF output, publishes results to Code Scanning, and archives artifacts for 5 days.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 A scorecard workflow hops into place,
Security checks at a rapid pace,
SARIF results now safely stored,
Code Scanning alerts fully poured,
Safety measured, quality soared!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'ci: add OSSF Scorecard workflow' directly and clearly describes the main change: adding a GitHub Actions workflow for OSSF Scorecard analysis.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci-scorecard

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/scorecard.yml (1)

35-45: Consider adding conditional execution for upload steps.

The artifact and SARIF upload steps will fail if the scorecard step doesn't produce results.sarif. Consider adding if: always() or if: success() || failure() to these steps if you want diagnostics even when scorecard fails, or keep the current behavior if you prefer fail-fast.

📝 Optional: Add conditional execution

If you want uploads to run even if scorecard encounters issues:

       - name: upload artifact
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        if: always()
         with:
           name: scorecard-results
           path: results.sarif
           retention-days: 5
 
       - name: upload sarif to code scanning
         uses: github/codeql-action/upload-sarif@865f5f5c36632f18690a3d569fa0a764f2da0c3e # v3
+        if: always()
         with:
           sarif_file: results.sarif
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/scorecard.yml around lines 35 - 45, The upload steps
"upload artifact" and "upload sarif to code scanning" should be made conditional
so they don't fail when scorecard doesn't produce results.sarif; update each
step (the ones with name: upload artifact and name: upload sarif to code
scanning) to include an if: conditional such as if: always() or if: success() ||
failure() depending on whether you want uploads to run on all outcomes or only
non-canceled runs.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/scorecard.yml:
- Around line 35-45: The upload steps "upload artifact" and "upload sarif to
code scanning" should be made conditional so they don't fail when scorecard
doesn't produce results.sarif; update each step (the ones with name: upload
artifact and name: upload sarif to code scanning) to include an if: conditional
such as if: always() or if: success() || failure() depending on whether you want
uploads to run on all outcomes or only non-canceled runs.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2926841c-c453-49b3-8efd-a36303c933a7

📥 Commits

Reviewing files that changed from the base of the PR and between 4c1cf16 and 22036e7.

📒 Files selected for processing (1)
  • .github/workflows/scorecard.yml

@aksOps aksOps merged commit 3d3a8a5 into main Apr 22, 2026
9 checks passed
@aksOps aksOps deleted the ci-scorecard branch April 22, 2026 23:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant