python-tuf/.github/workflows/scorecards.yml
Jussi Kukkonen f29d8471c8 workflows: Add Scorecards workflow
This is a modifed version of the workflow from the project itself:
* Not using personal access tokens because I believe they are a
  security issue (this means Branch-Protection check will be incorrect)
* Not uploading results to actions cache: Maybe there's a point but I
  don't see it as the SARIF files are not very human readable

This should give us some code scanning alerts in the security tab on Github.
This is not really what I'm interested in though so I've enabled the upload
to https://api.securityscorecards.dev/. The results json on there is not
exactly readable but it is good enough to check what the current results
are -- and deps.dev should use those results after some delay I believe.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-11-22 18:15:56 +02:00

39 lines
1.1 KiB
YAML

name: Scorecards analysis
on:
branch_protection_rule:
schedule:
- cron: '21 6 * * 1'
push:
branches: [ develop ]
workflow_dispatch:
permissions: {}
jobs:
analysis:
name: Scorecards analysis
runs-on: ubuntu-latest
permissions:
security-events: write # for uploading to code-scanning dashboard
id-token: write # for signing results
actions: read
contents: read
steps:
- name: "Checkout code"
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- name: "Run analysis"
uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d
with:
results_file: results.sarif
# sarif format required by upload-sarif action
results_format: sarif
# "repo_token" not set because personal access tokens are dangerous.
# This means Branch-Protection check will not have correct results.
publish_results: true
- name: "Upload to code-scanning dashboard"
uses: github/codeql-action/upload-sarif@8aff97f12c99086bdb92ff62ae06dbbcdf07941b
with:
sarif_file: results.sarif