feat: add OSSF Scorecard supply chain security workflow #5
base: main
Add comprehensive OSSF Scorecard workflow for supply chain security analysis:
- Runs weekly on Monday at 3 AM UTC to assess repository security posture
- Includes proper permissions (security-events, id-token, contents, actions)
- Publishes results to OpenSSF REST API for public badge display
- Uploads SARIF results to GitHub Security tab for detailed findings
- Stores artifacts for 30-day retention
- Supports both public and private repository configurations
This enhances the project's supply chain security monitoring and provides transparency for security assessments.
Pull Request Overview
This PR adds an OSSF Scorecard workflow to implement automated supply chain security monitoring and assessment for the repository.
- Introduces scheduled weekly security assessments using OSSF Scorecard
- Configures proper permissions and security integrations for comprehensive monitoring
- Enables public badge support and GitHub Security tab integration
| permissions: | ||
| # Needed to upload the results to code-scanning dashboard | ||
| security-events: write | ||
| # Needed to publish results and get a badge | ||
| id-token: write | ||
| # Needed to detect the repository's programming languages | ||
| contents: read | ||
| # Needed for the analysis to run | ||
| actions: read | ||
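Review bot: these grants sit at the workflow level, so they apply to every job in the file, not only the Scorecard job; declaring them on the job itself (with nothing, or `permissions: read-all`, at the top) keeps the two write scopes, `security-events: write` and `id-token: write`, off any job added to this file later. `id-token: write` is only needed while the Scorecard step runs with `publish_results: true`, so if the private-repository configuration mentioned in the description turns publishing off, that grant can be dropped there as well. The per-line comments explaining each grant are good and should stay.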
Copilot
AI
Oct 2, 2025
The permissions block is duplicated between the workflow level (lines 10-18) and job level (lines 24-32). Since permissions are inherited from the workflow level, the job-level permissions are redundant and should be removed to avoid duplication.
| permissions: | |
| # Needed to upload the results to code-scanning dashboard | |
| security-events: write | |
| # Needed to publish results and get a badge | |
| id-token: write | |
| # Needed to detect the repository's programming languages | |
| contents: read | |
| # Needed for the analysis to run | |
| actions: read |
| persist-credentials: false | ||
| - name: Run OSSF Scorecard | ||
| uses: ossf/scorecard-action@v2 |
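Review bot: `ossf/scorecard-action@v2` should be pinned to a full commit SHA with the version recorded in a trailing comment (`uses: ossf/scorecard-action@<sha> # v2.x.y`); a patch tag such as `v2.1.7` is still a movable ref, and Scorecard's own Pinned-Dependencies check reads exactly these `uses:` lines and would flag this workflow. The visible step also carries no `with:` inputs; `results_file` and `results_format: sarif` need to be set (and `publish_results` chosen per repository visibility) for the later upload steps to have a file to pick up. `persist-credentials: false` on the checkout step above is correct and should stay.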
Copilot
AI
Oct 2, 2025
Using a major version tag (@v2) instead of a specific commit hash or patch version creates potential security risks. Consider pinning to a specific version like @v2.x.x or using a commit hash for better supply chain security.
| uses: ossf/scorecard-action@v2 | |
| uses: ossf/scorecard-action@v2.1.7 |
| # Upload the results as artifacts (optional) | ||
| - name: Upload artifact | ||
| uses: actions/upload-artifact@v4 |
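Review bot: the same pinning point applies to `actions/upload-artifact@v4`: use a commit SHA with a `# vX.Y.Z` comment rather than a tag. The description promises 30-day retention, but no `retention-days: 30` input is visible on this step; if it is set further down, fine, otherwise the repository default applies. Also confirm the artifact `path` matches the `results_file` handed to the Scorecard step, since the comment marks this upload as optional and a mismatch would silently upload nothing.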
Copilot
AI
Oct 2, 2025
Using a major version tag (@v4) instead of a specific commit hash or patch version creates potential security risks. Consider pinning to a specific version like @v4.x.x or using a commit hash for better supply chain security.
| uses: actions/upload-artifact@v4 | |
| uses: actions/upload-artifact@v4.3.1 |
| # Upload the results to GitHub's code scanning dashboard | ||
| - name: Upload to code-scanning | ||
| uses: github/codeql-action/upload-sarif@v3 |
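Review bot: `github/codeql-action/upload-sarif@v3` should also be SHA-pinned; moving to `@v3.25.2` as suggested narrows the window but does not remove the mutable-tag risk. Confirm the step's `sarif_file` input points at the same file the Scorecard step writes, and that this job ends up with `security-events: write` (it does today through the workflow-level block) so the upload to the code-scanning dashboard is not rejected.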
Copilot
AI
Oct 2, 2025
Using a major version tag (@v3) instead of a specific commit hash or patch version creates potential security risks. Consider pinning to a specific version like @v3.x.x or using a commit hash for better supply chain security.
| uses: github/codeql-action/upload-sarif@v3 | |
| uses: github/codeql-action/upload-sarif@v3.25.2 |
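A local check for the pinning point raised in the three comments above: it scans a workflow's `uses:` lines and reports every action reference that is not a 40-hex commit SHA. This is an added example, not code from the PR or the project; the embedded workflow text is constructed from the references shown in the diff, and the SHA on the checkout line is a placeholder digest, not a real commit.

```python
import re

# Constructed sample: the three references from the PR's diff plus one
# SHA-pinned reference (placeholder digest) and one local action for contrast.
SAMPLE_WORKFLOW = """\
jobs:
  analysis:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.1.1 (placeholder SHA)
        with:
          persist-credentials: false
      - name: Run OSSF Scorecard
        uses: ossf/scorecard-action@v2
      - name: Upload artifact
        uses: actions/upload-artifact@v4
      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@v3
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")   # the value after `uses:`, before any comment
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                 # full-length git commit SHA
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")               # v2, v4.3.1, 3.25.2, ...


def classify_ref(ref):
    """Classify one `uses:` reference: local, docker, sha, tag, branch or unversioned."""
    if ref.startswith("./"):
        return "local"            # action in this repository; no remote ref to pin
    if ref.startswith("docker://"):
        return "docker"           # image refs are pinned by digest, handled elsewhere
    action, _, version = ref.rpartition("@")
    if not action:
        return "unversioned"      # no "@" at all: resolves to the default branch
    if SHA_RE.match(version):
        return "sha"              # immutable: the only form Scorecard counts as pinned
    if TAG_RE.match(version):
        return "tag"              # movable: a tag can be re-pointed by the action owner
    return "branch"               # movable: tracks whatever the branch head becomes


def find_unpinned(workflow_text):
    """Return (line_no, ref, kind) for each remote action that is not SHA-pinned."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        kind = classify_ref(ref)
        if kind in ("tag", "branch", "unversioned"):
            findings.append((line_no, ref, kind))
    return findings


if __name__ == "__main__":
    for line_no, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is pinned by {kind}, not by commit SHA")
```

Run against the real `.github/workflows/scorecard.yml` by reading the file into `find_unpinned` instead of the sample; an empty result means every remote action is SHA-pinned.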
Summary
This PR adds a comprehensive OSSF Scorecard workflow to enhance supply chain security monitoring and assessment.
Changes Made
- scorecard.yml in .github/workflows/
- permissions: security-events, id-token, contents, actions
Benefits
Type of Change
Testing
The workflow configuration follows OSSF Scorecard best practices and includes proper error handling with if: always() conditions.