Skip to content

Run Scorecard code scan #66

Run Scorecard code scan

Run Scorecard code scan #66

# Summary: workflow for OSSF Scorecard (https://github.com/ossf/scorecard).
#
# Scorecard is an automated tool that assesses a number of important heuristics
# associated with software security and assigns each check a score of 0-10. The
# use of Scorecard is suggested in Google's internal GitHub guidance
# (go/github-docs).
#
# Scorecard creates a report page at the following URL (for a repo ORG/REPO):
# https://scorecard.dev/viewer/?uri=github.com/ORG/REPO
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
name: Scorecard code scan
run-name: Run Scorecard code scan
on:
schedule:
- cron: '19 20 * * 6'
# Allow manual invocation.
workflow_dispatch:
# Declare default permissions as read only.
permissions: read-all
# Cancel any previously-started but still active runs on the same branch.
concurrency:
cancel-in-progress: true
group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}}
jobs:
scorecard:
name: Perform Scorecard analysis
runs-on: ubuntu-22.04
timeout-minutes: 10
permissions:
# Needed to upload the results to the code-scanning dashboard.
security-events: write
# Needed to publish results and get a badge (see publish_results below).
id-token: write
steps:
- name: Check out a copy of the git repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Run Scorecard analysis
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
with:
# Save the results
results_file: results.sarif
results_format: sarif
# Publish results to OpenSSF REST API.
# See https://github.com/ossf/scorecard-action#publishing-results.
publish_results: true
- name: Upload results to code-scanning dashboard
uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v3
with:
sarif_file: results.sarif