From 0b65e817d88fde152471d410b84aefde9873b76d Mon Sep 17 00:00:00 2001 From: Lucas Rodriguez Date: Fri, 13 Oct 2023 14:16:44 -0500 Subject: [PATCH] Add OpenSSF Scorecard workflow --- .github/workflows/release.yml | 50 +++++++++++++++++++++++++++++++++++ README.md | 1 - 2 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..fc24d9a --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,50 @@ +name: Scorecards supply-chain security +on: + # Only the default branch is supported. + branch_protection_rule: + schedule: + - cron: '30 1 * * 6' + push: + branches: [ "main" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecards analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Used to receive a badge. + id-token: write + + steps: + - name: "Checkout code" + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0 + with: + results_file: results.sarif + results_format: sarif + repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@04daf014b50eaf774287bf3f0f1869d4b4c4b913 # v2.21.7 + with: + sarif_file: results.sarif diff --git a/README.md b/README.md index 3dbf42c..3b76f40 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,6 @@ # Zarf Init Package for AWS - DevSecOps for Air Gap [![Latest Release](https://img.shields.io/github/v/release/defenseunicorns/zarf-init-aws)](https://github.com/defenseunicorns/zarf-init-aws/releases) -[![Go version](https://img.shields.io/github/go-mod/go-version/defenseunicorns/zarf-init-aws?filename=go.mod)](https://go.dev/) [![Build Status](https://img.shields.io/github/actions/workflow/status/defenseunicorns/zarf-init-aws/release.yml)](https://github.com/defenseunicorns/zarf-init-aws/actions/workflows/release.yml) [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/defenseunicorns/zarf-init-aws/badge)](https://api.securityscorecards.dev/projects/github.com/defenseunicorns/zarf-init-aws)