Add OSSF Security Scoreboard Scan (#5208)

* Add OSSF Security Scoreboard Scan This PR adds OSSF's Security Scoreboard Scan, to help tighten CoreDNS's security practice. OSSF Scoreboard is recommended by GitHub. The result will show up in project's "Code Scanning Alerts" (together with existing CodeQL scan we already have). Signed-off-by: Yong Tang <yong.tang.github@outlook.com>

Add OSSF Security Scoreboard Scan (#5208)
* Add OSSF Security Scoreboard Scan This PR adds OSSF's Security Scoreboard Scan, to help tighten CoreDNS's security practice. OSSF Scoreboard is recommended by GitHub. The result will show up in project's "Code Scanning Alerts" (together with existing CodeQL scan we already have). Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
402c08fe · Yong Tang · GitHub · ef654ba6 · 402c08fe
Commit 402c08fe authored Feb 28, 2022 by Yong Tang Committed by GitHub Feb 28, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 55 additions and 0 deletions

.github/workflows/scorecards.yml .github/workflows/scorecards.yml +55 -0

No files found.
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
+name: Scorecards supply-chain security
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+  schedule:
+    - cron: '36 10 * * 3'
+  push:
+    branches: [ master ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      actions: read
+      contents: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579  # v2.4.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@c8416b0b2bf627c349ca92fc8e3de51a64b005cf  # v1.0.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # Read-only PAT token. To create it,
+          # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
+          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+          # Publish the results to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`,
+          # regardless of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional).
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2  # v2.3.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5  # v1.0.26
+        with:
+          sarif_file: results.sarif