
feat(ci): add OSSF Scorecard and Gitleaks secret scanning #385

Merged: rygel merged 2 commits into develop from feat/ci-caching-and-codeql-on-push on Mar 20, 2026

Conversation

@rygel (Owner) commented Mar 20, 2026

Summary

  • Adds OSSF Scorecard analysis (scorecard.yml)
  • Adds Gitleaks secret scanning (secret-scanning.yml)

scorecard.yml

Runs OSSF Scorecard which grades the repo's supply-chain security practices (pinned actions, branch protection, SAST, code review, etc.) and publishes a public badge/score. Runs on push to main and weekly. Uploads SARIF to Code Scanning.

secret-scanning.yml

Downloads and checksum-verifies Gitleaks v8.21.2 (same pattern as actionlint — no third-party action, no license concerns). Scans git history for accidentally committed secrets:

  • PR: scans only the commits introduced by the PR (base..head) — fast and focused
  • Push: scans full history

Notes

  • ossf/scorecard-action@v2.4.0 uses a version tag — Dependabot will pin it to a commit hash on its next weekly run
  • Gitleaks binary is downloaded directly and checksum-verified, consistent with how actionlint is set up

🤖 Generated with Claude Code

scorecard.yml:
- Runs ossf/scorecard-action on push to main and weekly
- Publishes results to securityscorecards.dev (public score)
- Uploads SARIF to Code Scanning

secret-scanning.yml:
- Downloads and checksum-verifies Gitleaks v8.21.2 (same pattern as actionlint)
- On PRs: scans only commits introduced by the PR (base..head)
- On push: scans full git history
- Runs on every PR and push to main/develop

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
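The two mechanisms the description relies on, checksum-verifying a downloaded binary before running it and choosing the Gitleaks scan range by event type, as an added POSIX sh example. This is not the project's workflow file: the expected digest is a placeholder you would pin in the workflow, and `gitleaks` itself is not executed so the script runs offline. The `--log-opts` argument is the Gitleaks `detect` flag that narrows a scan to a git revision range.

```shell
#!/usr/bin/env sh
# Added example, not the project's own workflow code.
#   verify_sha256 FILE EXPECTED  refuse to use a download unless its SHA-256 matches
#   scan_range EVENT [BASE HEAD] print the gitleaks range args for the event
set -eu

# Placeholder for the digest pinned in the workflow (assumption; real value
# comes from the upstream release checksums file, not from this script).
EXPECTED_GITLEAKS_SHA256="PLACEHOLDER_SHA256_FROM_RELEASE_CHECKSUMS"

# SHA-256 of a file using whichever tool the runner has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 when FILE's SHA-256 equals EXPECTED (case-insensitive), 1 otherwise.
# The caller must not extract or execute the file on a non-zero return.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# Prints the extra argument for "gitleaks detect --source .":
#   pull_request -> --log-opts=BASE..HEAD  (only the commits the PR introduces)
#   push         -> nothing                 (full git history)
scan_range() {
    event=$1
    base=${2:-}
    head=${3:-}
    case "$event" in
        pull_request)
            if [ -z "$base" ] || [ -z "$head" ]; then
                echo "pull_request needs base and head SHAs" >&2
                return 1
            fi
            printf '%s\n' "--log-opts=${base}..${head}"
            ;;
        push)
            printf '%s\n' ""
            ;;
        *)
            echo "unsupported event: $event" >&2
            return 1
            ;;
    esac
}

# Typical use in a workflow step (not run here because it needs network access):
#   curl -sSLo gitleaks.tgz "$GITLEAKS_URL"
#   verify_sha256 gitleaks.tgz "$EXPECTED_GITLEAKS_SHA256" || exit 1
#   tar -xzf gitleaks.tgz gitleaks
#   ./gitleaks detect --source . $(scan_range "$GITHUB_EVENT_NAME" "$BASE_SHA" "$HEAD_SHA")
```

The point of `verify_sha256` returning non-zero is that `set -e` (or an explicit `|| exit 1`) stops the job before the tarball is ever unpacked, so a tampered or truncated download cannot reach the `tar` and execution steps.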
@github-actions (Contributor) commented:
Build Performance Report

⏱️ Build Time: 12 minutes

📊 Comparison with main branch:

  • Baseline (avg): 10 minutes
  • Current: 12 minutes
  • Change: 📈 20%

✅ Within acceptable range


This is an automated performance check

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions (Contributor) commented:
Build Performance Report

⏱️ Build Time: 12 minutes

📊 Comparison with main branch:

  • Baseline (avg): 10 minutes
  • Current: 12 minutes
  • Change: 📈 20%

✅ Within acceptable range


This is an automated performance check

@rygel rygel merged commit b1c4dc7 into develop Mar 20, 2026
9 checks passed
@rygel rygel deleted the feat/ci-caching-and-codeql-on-push branch March 20, 2026 16:07