-
-
Notifications
You must be signed in to change notification settings - Fork 0
32 lines (29 loc) · 880 Bytes
/
Copy pathscorecard.yml
File metadata and controls
32 lines (29 loc) · 880 Bytes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
name: Scorecard
# OpenSSF Scorecard — supply-chain security posture. Runs on push to the default
# branch and weekly; uploads SARIF so findings show in the Security tab.
on:
push:
branches: ["main"]
schedule:
- cron: "27 3 * * 1" # Mondays 03:27 UTC
workflow_dispatch: {}
permissions: read-all
jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
permissions:
security-events: write # upload SARIF to code scanning
id-token: write # publish results to the OpenSSF API
steps:
- uses: actions/checkout@v6
with:
persist-credentials: false
- uses: ossf/scorecard-action@v2.4.0
with:
results_file: results.sarif
results_format: sarif
publish_results: true
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif