1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
name: OSSF Scorecard
# OpenSSF Scorecard — automated supply-chain / security-posture scoring
# (branch protection, pinned actions, token permissions, dangerous workflows,
# dependency-update tooling, etc.). Results publish to the Security tab and,
# optionally, the public Scorecard API for an OSS "security score" badge.
#
# ── RUNNER / COST / VISIBILITY ────────────────────────────────────────────────
# Scorecard is built for GitHub-hosted runners and is most useful on a PUBLIC
# repo (many checks — e.g. branch-protection introspection, the public results
# badge — assume public + a repo `read` token). It runs on `ubuntu-latest`.
# `publish_results: true` only takes effect once the repo is public. While
# private this consumes a small amount of Actions minutes weekly; disable the
# schedule if that matters until the public flip.
on:
branch_protection_rule: # re-score when branch protection changes
schedule:
- cron: "18 5 * * 1" # Mondays 05:18 UTC
push:
branches:
permissions: read-all
jobs:
analysis:
name: Scorecard analysis
# Scorecard is only meaningful on a PUBLIC repo (publish + branch-protection
# checks). Skip while private so it neither burns Actions minutes nor fails;
# it auto-activates at the public flip.
if: ${{ github.event.repository.private == false }}
runs-on: ubuntu-latest # GitHub-hosted; free once public
permissions:
security-events: write # upload SARIF to the Security tab
id-token: write # publish results to the Scorecard API (public)
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
persist-credentials: false
- name: Run Scorecard
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
with:
results_file: results.sarif
results_format: sarif
# Publishes to the public OSSF Scorecard API + enables the badge.
# No-op while private; effective once public.
publish_results: true
- name: Upload SARIF to code scanning
uses: github/codeql-action/upload-sarif@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4
with:
sarif_file: results.sarif