Add OpenSSF Scorecard gating action #2
Conversation
Summary of ChangesHello @cgwalters, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request introduces a new GitHub Action aimed at bolstering the security posture of the repository by integrating OpenSSF Scorecard checks directly into the CI/CD pipeline. The action is designed to proactively identify and prevent any regression in the project's OpenSSF Scorecard rating by evaluating each commit within a pull request against a defined baseline. This ensures that security standards are consistently maintained and any potential vulnerabilities or deviations are caught early in the development cycle. Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
Adds a stub workflow that calls bootc-dev/actions/openssf-scorecard to gate PRs on scorecard regressions. Also adds scorecard to devenv images for local development, and a renovate custom manager for VERSION= patterns in YAML files. Requires: bootc-dev/actions#2 Assisted-by: OpenCode (Claude Sonnet 4) Signed-off-by: Colin Walters <walters@verbum.org>
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a new composite GitHub Action to gate pull requests based on OpenSSF Scorecard regressions. While the implementation is clean, a medium-severity command injection vulnerability was identified in openssf-scorecard/action.yml. The git checkout command uses user-controlled inputs without proper sanitization, which could allow an attacker to pass malicious options. The provided suggestions address this by ensuring user inputs are treated as arguments and also include improvements for readability.
cgwalters
force-pushed
the
openssf
branch
2 times, most recently
from
a6e8eda to
f0a2a24
Compare
Add a GitHub Action that checks for OpenSSF Scorecard regressions across commits in a PR. The action fails if any commit's score drops below the baseline. Assisted-by: OpenCode (claude-sonnet-4-20250514) Signed-off-by: Colin Walters <walters@verbum.org>
jeckersb
left a comment
jeckersb
left a comment
There was a problem hiding this comment.
Looks sane at a glance, I'm not familiar with any of this but it's low-risk just as a gating action so let's see how it goes!
|
Oh apparently I don't have write access to this repo 😿 |
Does it work now? |
Adds a stub workflow that calls bootc-dev/actions/openssf-scorecard to gate PRs on scorecard regressions. Also adds scorecard to devenv images for local development, and a renovate custom manager for VERSION= patterns in YAML files. Requires: bootc-dev/actions#2 Assisted-by: OpenCode (Claude Sonnet 4) Signed-off-by: Colin Walters <walters@verbum.org>
Yep I was able to approve+merge #4 🥳 |
2 participants
A while ago I was working on goose and found they'd committed binary files into their git repo, and worked on a PR to block that:
block/goose#6031
However at the time I'd investigated OpenSSF (which has a check for this among other things) but didn't quite get it to work.
After some iteration with my agent, this model seems to work well. That said I think what I'd like to do is propose something like this to upstream OpenSSF - their default action doesn't check each commit for example, but we want to deny binaries in all commits.
This also implements a model where the check only fails if the score regresses.
Assisted-by: OpenCode (Opus 4.5)