authorGravatar Yong Tang <yong.tang.github@outlook.com> 2022-02-28 09:02:03 -0800
committerGravatar GitHub <noreply@github.com> 2022-02-28 12:02:03 -0500
commit402c08fea0b7d86960429625c58e87d4c9fc2956 (patch)
treef6e1c71ff969328170a6093f7f5b3850be9a177d
parentef654ba6de327dd57e8a4427080b75db37bcf9e5 (diff)
Add OSSF Security Scoreboard Scan (#5208)
* Add OSSF Security Scoreboard Scan This PR adds OSSF's Security Scoreboard Scan, to help tighten CoreDNS's security practice. OSSF Scoreboard is recommended by GitHub. The result will show up in the project's "Code Scanning Alerts" (together with the existing CodeQL scan we already have). Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
-rw-r--r--.github/workflows/scorecards.yml55
1 files changed, 55 insertions, 0 deletions
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
new file mode 100644
index 000000000..4dc6f2900
--- /dev/null
+++ b/.github/workflows/scorecards.yml
@@ -0,0 +1,55 @@
+name: Scorecards supply-chain security
+on:
+ # Only the default branch is supported.
+ branch_protection_rule:
+ schedule:
+ - cron: '36 10 * * 3'
+ push:
+ branches: [ master ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecards analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ actions: read
+ contents: read
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@c8416b0b2bf627c349ca92fc8e3de51a64b005cf # v1.0.2
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # Read-only PAT token. To create it,
+ # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
+ repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+ # Publish the results to enable scorecard badges. For more details, see
+ # https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories, `publish_results` will automatically be set to `false`,
+ # regardless of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional).
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
+ with:
+ sarif_file: results.sarif
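Review bot: The `repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}` line in the "Run analysis" step hands a long-lived personal access token to a third-party action, and nothing in the workflow can enforce the "Read-only PAT token" claim in the comment above it — the effective scope is whatever the person who created the secret chose. Consider recording the expected scope and ownership next to the secret so it can be audited later, e.g. `# PAT limited to the scope the scorecard-action docs require; owned by <TEAM-PLACEHOLDER>, rotate when ownership changes.` The SHA-pinned `uses:` lines with version comments, the top-level `permissions: read-all` narrowed per job, and `persist-credentials: false` on the checkout are the right hardening here; I would also add `timeout-minutes:` to the `analysis` job so a hung scan cannot hold a runner indefinitely. Note that generic YAML 1.1 loaders read the `on:` key as a boolean and `branch_protection_rule:` as null; GitHub's loader handles both, so yamllint's `truthy` and `empty-values` rules need a file-level suppression rather than a change.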