Skip to content
Scorecard analysis

Run Scorecard scanner for security best practices #421

Sign in to view logs

Run Scorecard scanner for security best practices

Run Scorecard scanner for security best practices #421

Workflow file for this run

.github/workflows/scorecard-scanner.yaml at 93301cc
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yamllint disable rule:line-length
name: Scorecard analysis
run-name: Run Scorecard scanner for security best practices
# Scorecard (https://github.com/ossf/scorecard) is a repository-scanning tool
# that evaluates a project's security practices. Its use is suggested by
# Google's GitHub team. Scorecard's findings are reported in a repo's scanning
# results page, https://github.com/quantumlib/REPO/security/code-scanning/.
on:
schedule:
# Run weekly on Saturdays.
- cron: '30 9 * * 6'
pull_request:
types: [opened, synchronize]
branches:
- main
# Allow manual invocation.
workflow_dispatch:
inputs:
debug:
description: 'Run with debugging options'
type: boolean
default: true
concurrency:
# Cancel any previously-started but still active runs on the same branch.
cancel-in-progress: true
group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}}
# Declare default workflow permissions as read only.
permissions: read-all
jobs:
run-scorecard:
if: github.repository_owner == 'quantumlib'
name: Scorecard analyzer
runs-on: ubuntu-24.04
permissions:
security-events: write
id-token: write
timeout-minutes: 15
steps:
- name: Check out a copy of the git repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Run Scorecard analysis
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
with:
# Save the results
results_file: scorecard-results.sarif
results_format: sarif
# Only publish results for non-fork PRs or scheduled runs.
publish_results: >-
${{github.event_name != 'pull_request'
|| github.event.pull_request.head.repo.fork == false}}
- name: Upload results to code-scanning dashboard
# Skip upload for fork PRs to avoid "Analysis configuration not found" / 404 errors.
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
sarif_file: scorecard-results.sarif
- if: github.event.inputs.debug == true || runner.debug == true
name: Upload results as artifacts to the workflow Summary page
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: Scorecard SARIF file
path: scorecard-results.sarif
retention-days: 5
# Scorecard currently (ver. 2.4.x) doesn't allow submissions from jobs having
# steps that use "run:". To print to the summary, we need to use another job.
write-summary:
name: Scorecard results
needs: run-scorecard
runs-on: ubuntu-slim
timeout-minutes: 5
steps:
- name: Write the Scorecard report page link to the workflow summary
run: |
repo="${{github.repository}}"
url="https://scorecard.dev/viewer/?uri=github.com/${repo}"
{
echo -n "The results are available on the OpenSSF Scorecard "
echo "[report page for ${{github.repository}}]($url)."
} >> "$GITHUB_STEP_SUMMARY"