
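name: openssf-scorecard
# OpenSSF Scorecard posture scan.
#
# Triggers:
# - Weekly schedule refreshes the public Scorecard badge/API result.
# - Manual dispatch lets maintainers run a scan from develop after repo-setting changes.
#
# The job-level `if` additionally gates the scan to this repository on
# `refs/heads/develop`, so a dispatch from another branch, or a run in a fork,
# is skipped rather than publishing results for the wrong ref.

# Workflow-wide default is read-only; the scorecard job widens it explicitly below.
permissions:
  contents: read
  actions: read

on:
  schedule:
    - cron: "30 12 * * 6" # Weekly on Saturdays at 12:30 UTC.
  workflow_dispatch:

jobs:
  scorecard:
    name: openssf-scorecard
    if: >-
      github.repository == 'nautechsystems/nautilus_trader' &&
      github.ref == 'refs/heads/develop'
    runs-on: ubuntu-22.04
    permissions:
      contents: read
      actions: read
      # Required by upload-sarif to write code-scanning alerts.
      security-events: write
      # Required by scorecard-action to publish results (publish_results: true
      # below); remove together with publish_results if publishing is disabled.
      id-token: write
    steps:
      # https://github.com/step-security/harden-runner
      # Egress is blocked by default. STEP_SECURITY_EGRESS_POLICY lets the repo
      # switch to `audit` for debugging; NOTE(review): an `audit` value silently
      # lifts the network restriction for this workflow, so keep it unset normally.
      - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: ${{ vars.STEP_SECURITY_EGRESS_POLICY || 'block' }}
          # COMMON_ALLOWED_ENDPOINTS is expected to carry the GitHub hosts shared by
          # all workflows (api.github.com, github.com, ...) — verify it when editing
          # the variable, otherwise checkout and the scan itself are blocked.
          # The remaining hosts are the Scorecard publish path (Sigstore) and the
          # third-party services individual checks query (bestpractices, OSV, deps.dev).
          allowed-endpoints: >-
            ${{ vars.COMMON_ALLOWED_ENDPOINTS }}
            ghcr.io:443
            api.scorecard.dev:443
            fulcio.sigstore.dev:443
            rekor.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443
            www.bestpractices.dev:443
            oss-fuzz-build-logs.storage.googleapis.com:443
            api.osv.dev:443
            api.deps.dev:443
      - name: Checkout repository
        # https://github.com/actions/checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # Do not leave GITHUB_TOKEN in .git/config for the following steps.
          persist-credentials: false
          # Shallow clone (the checkout default, made explicit); scorecard-action's
          # own reference workflow checks out without a deeper fetch.
          fetch-depth: 1
      - name: Run OpenSSF Scorecard
        # https://github.com/ossf/scorecard-action
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
        with:
          results_file: scorecard.sarif
          results_format: sarif
          publish_results: true
      - name: Upload Scorecard SARIF
        # Upload even when the scan step failed (a partial SARIF is still useful),
        # but not when the run was cancelled — `always()` would also fire on cancel.
        # Skip when no SARIF was written so upload-sarif does not fail on a missing file.
        # The expression is wrapped in `${{ }}` because a leading `!` is a YAML tag indicator.
        if: ${{ !cancelled() && hashFiles('scorecard.sarif') != '' }}
        # https://github.com/github/codeql-action
        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          sarif_file: scorecard.sarif
          category: openssf-scorecard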