-
Notifications
You must be signed in to change notification settings - Fork 224
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added the scorecard github action and its badge #1071
base: main
Are you sure you want to change the base?
Conversation
branches: [ "main" ] | ||
|
||
# Declare default permissions as read only. | ||
permissions: read-all |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks pretty broad, assuming this is from the official and vetted scorecard workflow used in other projects and signed off?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@harshitasao thx for your comments. Can you please also let me know your thoughts on this one?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry @embano1 for the delayed response. Please read https://github.com/ossf/scorecard-action?tab=readme-ov-file#global-workflow-restrictions
|
||
steps: | ||
- name: "Checkout code" | ||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Regarding those # <version>
comments, will dependabot also update them, otherwise they'll get stale so perhaps exclude them?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Dependabot updates the # <version>
comments.
|
||
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF | ||
# format to the repository Actions tab. | ||
- name: "Upload artifact" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Question: will uploading succeed with the default read-only permissions used in this workflow?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe so, as it is successfully uploading for other projects that are using this workflow.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@harshitasao I checked the output of a run and it seems that it incorrectly triggers Ruby Gem vulns because we use Ruby (Jekyll) for our docs gen - I tried understanding the action and toml
configuration but it seems there's no easy way to say "only scan the following folders/go.mod
files - at least this is not clear from the docs). Can you please update the PR with a configuration which only scans the repo for Go-related vulns, to avoid reporting unrelated alerts for this specific SDK?
Signed-off-by: harshitasao <[email protected]>
PR to add the Scorecard GitHub Action and its badge in the README file.
Fixes #1067