Added the scorecard github action and its badge #1071

harshitasao · 2024-07-03T20:04:33Z

PR to add the Scorecard GitHub Action and its badge in the README file.

embano1 · 2024-07-18T09:05:48Z

.github/workflows/scorecards.yml

+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all


Looks pretty broad, assuming this is from the official and vetted scorecard workflow used in other projects and signed off?

@harshitasao thx for your comments. Can you please also let me know your thoughts on this one?

Sorry @embano1 for the delayed response. Please read https://github.com/ossf/scorecard-action?tab=readme-ov-file#global-workflow-restrictions

embano1 · 2024-07-18T09:07:55Z

.github/workflows/scorecards.yml

+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1


Regarding those # <version> comments, will dependabot also update them, otherwise they'll get stale so perhaps exclude them?

Dependabot updates the # <version> comments.

embano1 · 2024-07-18T09:08:55Z

.github/workflows/scorecards.yml

+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"


Question: will uploading succeed with the default read-only permissions used in this workflow?

I believe so, as it is successfully uploading for other projects that are using this workflow.

embano1

@harshitasao I checked the output of a run and it seems that it incorrectly triggers Ruby Gem vulns because we use Ruby (Jekyll) for our docs gen - I tried understanding the action and toml configuration but it seems there's no easy way to say "only scan the following folders/go.mod files - at least this is not clear from the docs). Can you please update the PR with a configuration which only scans the repo for Go-related vulns, to avoid reporting unrelated alerts for this specific SDK?

Signed-off-by: harshitasao <[email protected]>

harshitasao requested a review from a team as a code owner July 3, 2024 20:04

duglin force-pushed the issue-1067 branch from 6e116a1 to 40a983e Compare July 16, 2024 12:13

embano1 reviewed Jul 18, 2024

View reviewed changes

harshitasao requested a review from embano1 August 15, 2024 19:38

harshitasao mentioned this pull request Aug 16, 2024

Improvement of OpenSSF Scorecard Score #1087

Open

7 tasks

embano1 force-pushed the issue-1067 branch from 40a983e to 663a6fb Compare October 22, 2024 13:29

embano1 reviewed Oct 22, 2024

View reviewed changes

added the scorecard github action and its badge

e17f4e1

Signed-off-by: harshitasao <[email protected]>

embano1 force-pushed the issue-1067 branch from 663a6fb to e17f4e1 Compare October 25, 2024 07:24

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Added the scorecard github action and its badge #1071

Added the scorecard github action and its badge #1071

harshitasao commented Jul 3, 2024

embano1 Jul 18, 2024

embano1 Jul 20, 2024

harshitasao Aug 15, 2024

embano1 Jul 18, 2024

harshitasao Jul 19, 2024

embano1 Jul 18, 2024

harshitasao Jul 19, 2024

embano1 left a comment

Added the scorecard github action and its badge #1071

Are you sure you want to change the base?

Added the scorecard github action and its badge #1071

Conversation

harshitasao commented Jul 3, 2024

embano1 Jul 18, 2024

Choose a reason for hiding this comment

embano1 Jul 20, 2024

Choose a reason for hiding this comment

harshitasao Aug 15, 2024

Choose a reason for hiding this comment

embano1 Jul 18, 2024

Choose a reason for hiding this comment

harshitasao Jul 19, 2024

Choose a reason for hiding this comment

embano1 Jul 18, 2024

Choose a reason for hiding this comment

harshitasao Jul 19, 2024

Choose a reason for hiding this comment

embano1 left a comment

Choose a reason for hiding this comment