-
Notifications
You must be signed in to change notification settings - Fork 49
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create scorecard.yml #521
Create scorecard.yml #521
Conversation
Signed-off-by: David Wertenteil <[email protected]>
PR Analysis
PR Feedback
How to use
|
Signed-off-by: David Wertenteil <[email protected]>
Summary:
|
Summary:
|
PR Type:
Enhancement
PR Description:
This PR introduces a new GitHub Actions workflow for Scorecard supply-chain security analysis. The workflow is triggered on branch protection rule changes, on a weekly schedule, and on pushes to the master branch. It includes steps to checkout the code, run the Scorecard analysis, upload the analysis results as an artifact, and upload the results to GitHub's code scanning dashboard.
PR Main Files Walkthrough:
files:
.github/workflows/scorecard.yml
: The file is a new addition that defines a GitHub Actions workflow for Scorecard supply-chain security analysis. The workflow is configured to run on ubuntu-latest and has read-only permissions by default. It uses actions/checkout to checkout the code and ossf/scorecard-action to run the Scorecard analysis. The results of the analysis are saved in a SARIF file and uploaded as an artifact. Finally, the results are also uploaded to GitHub's code scanning dashboard using github/codeql-action/upload-sarif.User Description:
Overview