-
Notifications
You must be signed in to change notification settings - Fork 1k
44 lines (37 loc) · 1.25 KB
/
scorecard.yml
File metadata and controls
44 lines (37 loc) · 1.25 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
name: OSSF Scorecard
on:
branch_protection_rule:
schedule:
- cron: '33 11 * * 2' # Every Tuesday at 11:33 AM UTC
push:
branches: [ main ]
permissions: read-all
concurrency: # avoid overlapping runs
group: scorecard-${{ github.ref }}
cancel-in-progress: true
jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
permissions:
security-events: write # upload SARIF to code-scanning
id-token: write # publish results for the badge
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
persist-credentials: false
- name: Run Scorecard
uses: ossf/scorecard-action@f35c64557cf912815708bb1126d9948f3e459487
with:
results_file: results.sarif
results_format: sarif
publish_results: true # enables the public badge
- name: Upload to code-scanning
uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
with:
sarif_file: results.sarif