Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added the scorecard github action and its badge #1071

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

harshitasao
Copy link
Contributor

PR to add the Scorecard GitHub Action and its badge in the README file.

Fixes #1067

@harshitasao harshitasao requested a review from a team as a code owner July 3, 2024 20:04
branches: [ "main" ]

# Declare default permissions as read only.
permissions: read-all
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks pretty broad, assuming this is from the official and vetted scorecard workflow used in other projects and signed off?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@harshitasao thx for your comments. Can you please also let me know your thoughts on this one?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.


steps:
- name: "Checkout code"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regarding those # <version> comments, will dependabot also update them, otherwise they'll get stale so perhaps exclude them?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dependabot updates the # <version> comments.


# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question: will uploading succeed with the default read-only permissions used in this workflow?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe so, as it is successfully uploading for other projects that are using this workflow.

Copy link
Member

@embano1 embano1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@harshitasao I checked the output of a run and it seems that it incorrectly triggers Ruby Gem vulns because we use Ruby (Jekyll) for our docs gen - I tried understanding the action and toml configuration but it seems there's no easy way to say "only scan the following folders/go.mod files - at least this is not clear from the docs). Can you please update the PR with a configuration which only scans the repo for Go-related vulns, to avoid reporting unrelated alerts for this specific SDK?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Enable OpenSSF Scorecard to enhance security practices across the project
2 participants