From f29d8471c8075c9a602c34d551a968c7a8a08de9 Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen <jkukkonen@google.com>
Date: Tue, 22 Nov 2022 13:42:34 +0200
Subject: [PATCH] workflows: Add Scorecards workflow

This is a modifed version of the workflow from the project itself:
* Not using personal access tokens because I believe they are a
  security issue (this means Branch-Protection check will be incorrect)
* Not uploading results to actions cache: Maybe there's a point but I
  don't see it as the SARIF files are not very human readable

This should give us some code scanning alerts in the security tab on Github.
This is not really what I'm interested in though so I've enabled the upload
to https://api.securityscorecards.dev/. The results json on there is not
exactly readable but it is good enough to check what the current results
are -- and deps.dev should use those results after some delay I believe.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
---
 .github/workflows/scorecards.yml | 39 ++++++++++++++++++++++++++++++++
 README.md                        |  1 +
 2 files changed, 40 insertions(+)
 create mode 100644 .github/workflows/scorecards.yml

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
new file mode 100644
index 00000000..0d5c2a71
--- /dev/null
+++ b/.github/workflows/scorecards.yml
@@ -0,0 +1,39 @@
+name: Scorecards analysis
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '21 6 * * 1'
+  push:
+    branches: [ develop ]
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # for uploading to code-scanning dashboard
+      id-token: write # for signing results
+      actions: read
+      contents: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d
+        with:
+          results_file: results.sarif
+          # sarif format required by upload-sarif action
+          results_format: sarif
+          # "repo_token" not set because personal access tokens are dangerous.
+          # This means Branch-Protection check will not have correct results.
+          publish_results: true
+
+      - name: "Upload to code-scanning dashboard"
+        uses: github/codeql-action/upload-sarif@8aff97f12c99086bdb92ff62ae06dbbcdf07941b
+        with:
+          sarif_file: results.sarif
diff --git a/README.md b/README.md
index 8c305611..fd9c4929 100644
--- a/README.md
+++ b/README.md
@@ -5,6 +5,7 @@
 [![Docs](https://readthedocs.org/projects/theupdateframework/badge/)](https://theupdateframework.readthedocs.io/)
 [![CII](https://bestpractices.coreinfrastructure.org/projects/1351/badge)](https://bestpractices.coreinfrastructure.org/projects/1351)
 [![PyPI](https://img.shields.io/pypi/v/tuf)](https://pypi.org/project/tuf/)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/theupdateframework/python-tuf/badge)](https://api.securityscorecards.dev/projects/github.com/theupdateframework/python-tuf)
 
 ----------------------------
 [The Update Framework (TUF)](https://theupdateframework.io/) is a framework for