Added the scorecard github action and its badge #1071
harshitasao wants to merge 1 commit into cloudevents:main from
| branches: [ "main" ] | ||
|
|
||
| # Declare default permissions as read only. | ||
| permissions: read-all |
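Review bot: `permissions: read-all` at workflow scope is the restrictive default rather than a broad grant, so the question to settle for this hunk is where the writes live: the scorecard job still needs `security-events: write` (job-scoped) for the SARIF upload to code scanning to succeed, so confirm that elevation is declared on the job only and the top-level block stays read-only as shown here.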
Looks pretty broad, assuming this is from the official and vetted scorecard workflow used in other projects and signed off?
@harshitasao thx for your comments. Can you please also let me know your thoughts on this one?
Sorry @embano1 for the delayed response. Please read https://github.com/ossf/scorecard-action?tab=readme-ov-file#global-workflow-restrictions
|
|
||
| steps: | ||
| - name: "Checkout code" | ||
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 |
Regarding those `# <version>` comments, will Dependabot also update them? Otherwise they'll get stale, so perhaps exclude them?
Dependabot updates the `# <version>` comments.
|
|
||
| # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF | ||
| # format to the repository Actions tab. | ||
| - name: "Upload artifact" |
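Review bot: the read-only question on this hunk has two different answers and the comment should say which upload it means: `actions/upload-artifact` authenticates with the runner's artifact token, not the `GITHUB_TOKEN` scopes, so `permissions: read-all` does not block it; the step that uploads the same SARIF to code scanning is the one that depends on `security-events: write` on the job. Suggest extending the comment to "...to the repository Actions tab; the code-scanning upload below is a separate step" so readers do not assume commenting this out also drops the Security-tab results.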
Question: will uploading succeed with the default read-only permissions used in this workflow?
I believe so, as it is successfully uploading for other projects that are using this workflow.
embano1 left a comment
@harshitasao I checked the output of a run and it seems that it incorrectly triggers Ruby Gem vulns because we use Ruby (Jekyll) for our docs gen (I tried understanding the action and toml configuration, but it seems there's no easy way to say "only scan the following folders/go.mod files"; at least this is not clear from the docs). Can you please update the PR with a configuration which only scans the repo for Go-related vulns, to avoid reporting unrelated alerts for this specific SDK?
Signed-off-by: harshitasao <harshitasao@gmail.com>
PR to add the Scorecard GitHub Action and its badge in the README file.
Fixes #1067