trimble-oss / modus-web-components

This library provides Modus components as web components - reusable, encapsulated UI elements that are framework agnostic (can be implemented in any site).
https://modus-web-components.trimble.com/
MIT License

Add Open Source Security Foundation Scorecard #834

Closed coliff closed 1 year ago

coliff commented 1 year ago

This enables the OpenSSF Scorecard GitHub Action to help us ensure the project will continue to follow the open-source best practices or even improve any possible practice to avoid security risks and vulnerabilities.

The Scorecards.yml file enables the Scorecard action to run on push to main and once a week (important for some checks, like the contribution check).

REF: https://securityscorecards.dev/

name: Scorecards supply-chain security

on:
  # Only the default branch is supported.
  branch_protection_rule:
  push:
    branches:
      - main
  schedule:
    - cron: "16 10 * * 6"
  workflow_dispatch:

# Default token scope for every job; jobs widen only what they need.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write # needed to upload the SARIF to code scanning
      id-token: write        # needed to publish results to the Scorecard API
      contents: read
      actions: read

    steps:
      - name: Clone repository
        uses: actions/checkout@v3
        with:
          # Do not leave the token in .git/config for later steps.
          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true

      - name: Upload artifact
        uses: actions/upload-artifact@v3
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: results.sarif
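A small triage helper for the results.sarif the workflow above uploads, added here as an example and not part of this PR or the project's code. It assumes the standard SARIF 2.1.0 layout (runs, results, ruleId, level, message.text) and that each Scorecard message text contains "score is N"; the sample document, rule ids and message wording are constructed for illustration.

```python
import json
import re

# Constructed sample in the SARIF 2.1.0 shape; rule ids and message wording
# are assumptions, not captured scorecard-action output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Scorecard"}},
        "results": [
            {"ruleId": "TokenPermissionsID", "level": "error",
             "message": {"text": "score is 0: workflow tokens with excessive permissions"}},
            {"ruleId": "PinnedDependenciesID", "level": "warning",
             "message": {"text": "score is 4: GitHub Actions not pinned by hash"}},
            {"ruleId": "BinaryArtifactsID", "level": "note",
             "message": {"text": "score is 10: no binaries found in the repo"}},
        ],
    }],
})

# Assumed message format: "score is <0-10>: <reason>".
SCORE_RE = re.compile(r"score is (\d+)")


def summarize_sarif(sarif_text: str, min_score: int = 5) -> dict:
    """Count results per SARIF level and keep only the checks worth acting on.

    A result is actionable when its level is "error" or its parsed score is
    below min_score; results whose message carries no score are kept as
    actionable too, since they cannot be filtered safely.
    """
    doc = json.loads(sarif_text)
    by_level: dict = {}
    actionable: dict = {}
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", "none")
            by_level[level] = by_level.get(level, 0) + 1
            text = result.get("message", {}).get("text", "")
            match = SCORE_RE.search(text)
            score = int(match.group(1)) if match else None
            if level == "error" or score is None or score < min_score:
                actionable[result.get("ruleId", "?")] = {
                    "level": level, "score": score, "text": text}
    return {"by_level": by_level, "actionable": actionable}


if __name__ == "__main__":
    for rule, info in summarize_sarif(SAMPLE_SARIF)["actionable"].items():
        print(f"{rule}: score={info['score']} level={info['level']} {info['text']}")
```

Run it against the real file with `summarize_sarif(open("results.sarif").read())` to see which Scorecard checks are below the threshold before deciding whether the code-scanning alerts are noise.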
coliff commented 1 year ago

I'm going to close this for now - it adds more noise and we've already addressed the items that I know it reports that are worth fixing.