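---
# OpenSSF Scorecard workflow: runs the Scorecard checks against this repository,
# uploads the SARIF to code scanning and as an artifact, prints the per-check
# messages, and fails the job when the aggregate score is below a threshold.
# Results are kept private (publish_results: false), so nothing is sent to the
# OpenSSF API and no public badge is produced.
name: Security Scorecard

on:
  schedule:
    - cron: '0 6 * * 0'  # weekly, Sunday 06:00 UTC
  workflow_dispatch:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]

# Least privilege: the default GITHUB_TOKEN is read-only for every job in this
# workflow; a job that needs more must request it explicitly.
permissions:
  contents: read

jobs:
  scorecard:
    name: OpenSSF Security Scorecard
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Needed by github/codeql-action/upload-sarif to write code-scanning alerts.
      # On pull_request events from forks GitHub forces GITHUB_TOKEN read-only
      # regardless of this grant, so the upload step below skips fork PRs.
      security-events: write
      # id-token: write is deliberately NOT granted: scorecard-action only needs an
      # OIDC token when publish_results is true (publishing to the OpenSSF API and
      # fetching a badge). Re-add it if publishing is ever enabled.
    steps:
      # Reviewer note: every `uses:` below is pinned to a mutable tag. Pin each one
      # to a full commit SHA (`uses: owner/repo@<40-hex sha> # vX.Y.Z`): a moved or
      # hijacked tag runs arbitrary code with this job's token, and Scorecard's own
      # Pinned-Dependencies check scores this workflow on exactly that.
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          # Do not leave the token in .git/config where later steps could read it.
          persist-credentials: false

      - name: Run Security Scorecard
        uses: ossf/scorecard-action@v2.4.1
        id: scorecard
        with:
          results_file: results.sarif
          results_format: sarif
          # Keep results private: no OpenSSF API publish, no public badge.
          publish_results: false

      # The `outcome == 'success'` guards below are redundant while the scorecard
      # step has no continue-on-error (a failed step already skips what follows),
      # but they keep the intent explicit if that is ever changed.
      - name: Upload results to GitHub
        # Skip on fork PRs: their read-only GITHUB_TOKEN cannot write
        # security-events and the upload would fail the whole job.
        if: steps.scorecard.outcome == 'success' && github.event.pull_request.head.repo.fork != true
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: results.sarif
          category: security-scorecard

      - name: Upload results as artifact
        if: steps.scorecard.outcome == 'success'
        uses: actions/upload-artifact@v4
        with:
          name: security-scorecard-results
          path: results.sarif
          retention-days: 30

      - name: Display Scorecard results
        if: steps.scorecard.outcome == 'success'
        run: |
          # Print the human-readable message of every Scorecard rule hit.
          jq -r '.runs[0].results[] | select(.ruleId | contains("Scorecard")) | .message.text' results.sarif

      - name: Fail if score is below threshold
        if: steps.scorecard.outcome == 'success'
        env:
          # Minimum acceptable aggregate score (0-10). Quoted so YAML keeps it a string.
          SCORE_THRESHOLD: "7"
        run: |
          # NOTE(review): this assumes the SARIF carries the aggregate score at
          # .runs[0].properties.score - confirm against the scorecard-action output
          # for the pinned version. If the field is absent jq prints "null" and this
          # gate is a silent no-op; the warning below makes that visible in the log.
          SCORE=$(jq -r '.runs[0].properties.score' results.sarif)
          echo "Current Security Score: $SCORE"
          if [ "$SCORE" = "null" ]; then
            echo "::warning::No aggregate score found in results.sarif; threshold gate skipped"
            exit 0
          fi
          # Refuse anything that is not a plain decimal number: a garbage value must
          # not be coerced to 0 (spurious failure) or silently pass.
          if ! [[ "$SCORE" =~ ^[0-9]+(\.[0-9]+)?$ ]]; then
            echo "::error::Unexpected score value in results.sarif: $SCORE"
            exit 1
          fi
          # Hand the values to awk with -v instead of interpolating them into the
          # program text, so the values can never become awk syntax.
          if awk -v score="$SCORE" -v threshold="$SCORE_THRESHOLD" \
               'BEGIN { exit !(score + 0 < threshold + 0) }'; then
            echo "Security Score $SCORE is below threshold ($SCORE_THRESHOLD)"
            echo "Please review and improve security controls: https://github.com/ossf/scorecard/"
            exit 1
          fi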