Merge pull request #71 from step-security/update-scorecards

varunsh-coder · web-flow · commit fbdb76ab1a64 · 2021-12-02T15:57:07.000-08:00
Update scorecard-analysis.yml
diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml
@@ -11,12 +11,16 @@ permissions: read-all
 
 jobs:
   analysis:
+    permissions:
+      actions: read # for ossf/scorecard-actions/analyze to check for publishing workflows
+      checks: read # for ossf/scorecard-actions/analyze to check for SAST tool in check runs
+      contents: read # for ossf/scorecard-actions/analyze to list releases
+      issues: read # for ossf/scorecard-actions/analyze to check if repo is maintained
+      pull-requests: read # for ossf/scorecard-actions/analyze to check if PRs are reviewed
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      statuses: read # for ossf/scorecard-actions/analyze to check for CI tests in PRs
     name: Scorecard analysis
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      security-events: write
-
     steps:
       - uses: step-security/harden-runner@917f7d59f22e82a5ddcaef409923426fd7aa6327
       - name: "Checkout code"
@@ -42,4 +46,4 @@ jobs:
       - name: "Upload SARIF results"
         uses: github/codeql-action/upload-sarif@e095058bfa09de8070f94e98f5dc059531bc6235
         with:
-          sarif_file: results.sarif
+          sarif_file: results.sarif
