chore: Add OSSF scorecard (#4630)

npalm · web-flow · commit 55beeffc99f6 · 2025-06-26T11:47:26.000+02:00
diff --git a/.ci/Dockerfile b/.ci/Dockerfile
@@ -1,5 +1,5 @@
 #syntax=docker/dockerfile:1.2
-FROM node:20 as build
+FROM node@sha256:0c0734eb7051babbb3e95cd74e684f940552b31472152edf0bb23e54ab44a0d7 as build
 WORKDIR /lambdas
 RUN apt-get update \
         && apt-get install -y zip \
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -1,2 +1 @@
-ARG VARIANT="20-bullseye"
-FROM mcr.microsoft.com/vscode/devcontainers/typescript-node:0-${VARIANT}
+FROM mcr.microsoft.com/vscode/devcontainers/typescript-node@sha256:acdce1045a2ddce4c66846d5cd09adf746d157fce9233124e4925b647f192b2e
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -51,3 +51,23 @@ updates:
     commit-message:
       prefix: "fix(lambda)"
       prefix-development: "chore(lambda)"
+
+  - package-ecosystem: "docker"
+    directory: "/.ci/Dockerfile"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+      - "docker"
+    commit-message:
+      prefix: "chore(docker)"
+
+  - package-ecosystem: "docker"
+    directory: "/.devcontainer/Dockerfile"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+      - "docker"
+    commit-message:
+      prefix: "chore(devcontainer)"
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
@@ -0,0 +1,48 @@
+name: OSSF Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '44 19 * * 2'
+  workflow_dispatch:
+  push:
+    branches: [ "main" ]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e
+        with:
+          sarif_file: results.sarif
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # Terraform module Self-Hosted Scalable GitHub Actions runners on AWS.
 
-[![docs](https://img.shields.io/badge/docs-runners-blue.svg)](https://github-aws-runners.github.io/terraform-aws-github-runner) [![awesome-runners](https://img.shields.io/badge/listed%20on-awesome--runners-blue.svg)](https://github.com/jonico/awesome-runners) [![Terraform registry](https://img.shields.io/github/v/release/github-aws-runners/terraform-aws-github-runner?label=Terraform%20Registry)](https://registry.terraform.io/modules/github-aws-runners/github-runner/aws/) [![Terraform checks](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/terraform.yml/badge.svg)](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/terraform.yml) [![Lambdas](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/lambda.yml/badge.svg)](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/lambda.yml)
+[![docs](https://img.shields.io/badge/docs-runners-blue.svg)](https://github-aws-runners.github.io/terraform-aws-github-runner) [![awesome-runners](https://img.shields.io/badge/listed%20on-awesome--runners-blue.svg)](https://github.com/jonico/awesome-runners) [![Terraform registry](https://img.shields.io/github/v/release/github-aws-runners/terraform-aws-github-runner?label=Terraform%20Registry)](https://registry.terraform.io/modules/github-aws-runners/github-runner/aws/) [![Terraform checks](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/terraform.yml/badge.svg)](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/terraform.yml) [![Lambdas](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/lambda.yml/badge.svg)](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/lambda.yml) [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/github-aws-runners/terraform-aws-github-runner/badge)](https://scorecard.dev/viewer/?uri=github.com/github-aws-runners/terraform-aws-github-runner)
 
 > 📢 We're moving `terraform-aws-github-runner` to a new organization https://github.com/github-aws-runners in January to foster growth and community ownership! 🎉 Join us on our new [Discord server](https://discord.gg/bxgXW8jJGh) for discussions and updates. Please see #4298 for more details.
 
diff --git a/lambdas/.nvmrc b/lambdas/.nvmrc
@@ -1 +1 @@
-v20
+v22

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1 @@`
`1`		`-ARG VARIANT="20-bullseye"`
`2`		`-FROM mcr.microsoft.com/vscode/devcontainers/typescript-node:0-${VARIANT}`
	`1`	`+FROM mcr.microsoft.com/vscode/devcontainers/typescript-node@sha256:acdce1045a2ddce4c66846d5cd09adf746d157fce9233124e4925b647f192b2e`