Skip to content

👷 support for OpenSSF Scorecard #23

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
gimlichael merged 7 commits into from
Nov 15, 2024
Merged

👷 support for OpenSSF Scorecard #23

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
c344bf8
:construction_worker: support for OpenSSF Scorecard
gimlichael Nov 15, 2024
7924e05
:speech_balloon: updated community health pages
gimlichael Nov 15, 2024
e298d60
ignore markdown
gimlichael Nov 15, 2024
11c62fa
:construction_worker: added paths-ignore on push
gimlichael Nov 15, 2024
34793d0
include branches again
gimlichael Nov 15, 2024
71ca5bc
fix
gimlichael Nov 15, 2024
f88c8cb
cleanup
gimlichael Nov 15, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 13 additions & 4 deletions .github/workflows/pipelines.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,19 @@ on:
pull_request:
branches: [main]
paths-ignore:
- .codecov
- .docfx
- .github
- .nuget
- .codecov/**
- .docfx/**
- .github/**
- .nuget/**
- '**.md'
push:
branches: [main]
paths-ignore:
- .codecov/**
- .docfx/**
- .github/**
- .nuget/**
- '**.md'
workflow_dispatch:
inputs:
configuration:
Expand Down
42 changes: 42 additions & 0 deletions .github/workflows/scorecard.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
name: Scorecard supply-chain security
on:
branch_protection_rule:
schedule:
- cron: '45 17 * * 2'
push:
branches: [ "main" ]

permissions: read-all

jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
permissions:
security-events: write
id-token: write

steps:
- name: "Checkout code"
uses: actions/checkout@v4
with:
persist-credentials: false

- name: "Run analysis"
uses: ossf/scorecard-action@v2
with:
results_file: results.sarif
results_format: sarif
publish_results: true

- name: "Upload artifact"
uses: actions/upload-artifact@4
with:
name: SARIF file
path: results.sarif
retention-days: 5

- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
Comment on lines +39 to +42
Copy link

@coderabbitai coderabbitai bot Nov 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Pin CodeQL action to specific SHA

The CodeQL action is using a major version tag (@V3) which could lead to unexpected changes. Consider pinning to a specific SHA for better security and stability.

-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
with:
sarif_file: results.sarif

2 changes: 1 addition & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

# Extensions for xUnit API by Codebelt

[![xUnit Ext. CI/CD Pipeline](https://github.com/codebeltnet/xunit/actions/workflows/pipelines.yml/badge.svg)](https://github.com/codebeltnet/xunit/actions/workflows/pipelines.yml) [![codecov](https://codecov.io/gh/codebeltnet/xunit/graph/badge.svg?token=BN2UhFM3bb)](https://codecov.io/gh/codebeltnet/xunit) [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=alert_status)](https://sonarcloud.io/dashboard?id=xunit) [![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=sqale_rating)](https://sonarcloud.io/dashboard?id=xunit) [![Reliability Rating](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=reliability_rating)](https://sonarcloud.io/dashboard?id=xunit) [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=security_rating)](https://sonarcloud.io/dashboard?id=xunit)
[![xUnit Ext. CI/CD Pipeline](https://github.com/codebeltnet/xunit/actions/workflows/pipelines.yml/badge.svg)](https://github.com/codebeltnet/xunit/actions/workflows/pipelines.yml) [![codecov](https://codecov.io/gh/codebeltnet/xunit/graph/badge.svg?token=BN2UhFM3bb)](https://codecov.io/gh/codebeltnet/xunit) [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=alert_status)](https://sonarcloud.io/dashboard?id=xunit) [![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=sqale_rating)](https://sonarcloud.io/dashboard?id=xunit) [![Reliability Rating](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=reliability_rating)](https://sonarcloud.io/dashboard?id=xunit) [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=security_rating)](https://sonarcloud.io/dashboard?id=xunit) [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/codebeltnet/xunit/badge)](https://scorecard.dev/viewer/?uri=github.com/codebeltnet/xunit)

An open-source project (MIT license) that targets and complements the [xUnit.net](https://xunit.net/) test platform. It provides a uniform and convenient way of doing unit test for all project types in .NET.

Expand Down