Conversation

@jamietanna
Member

This is another step towards better understanding this project's health,
and making it clear to consumers.

Although we're already onboarded via the upstream project[0] (via the
"old" repo name), it's better to have this a first-class product of our
project, as this also allows validating i.e. branch protection due to
`permissions: read-all`.

Takes configuration via Renovate's usage[1], alongside the suggested
version from the Scorecard project.

This uploads the SARIF results to show that we have issues in the
Security tab (for maintainers).
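As an added illustration (the PR's own workflow file is not shown on this page, so this is not its code), here is a Scorecard workflow laid out the way the description outlines: a read-only token by default via top-level `permissions: read-all`, a job that grants only what the SARIF upload and result publishing need, and an upload step that surfaces the findings in the repository's Security tab. The `<..._SHA>` action references are placeholders: pin each action to the full commit SHA of the release you adopt (the bot's note above is right that hash pinning is the supply-chain best practice) and take the Scorecard version the project recommends. The cron schedule is a constructed value.

```yaml
name: Scorecard supply-chain security

on:
  # Re-run when branch protection settings change, on a schedule, and on pushes to main.
  branch_protection_rule:
  schedule:
    - cron: '30 1 * * 6'   # constructed weekly schedule; pick your own
  push:
    branches: [ main ]

# Default: a read-only GITHUB_TOKEN for every job. This is what lets
# Scorecard's Token-Permissions check pass, and it is the setting the
# description refers to.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # required to upload SARIF to the Security tab
      id-token: write          # required to publish results to securityscorecards.dev
      # contents: read is inherited from the top-level read-all

    steps:
      - name: Checkout code
        # <CHECKOUT_SHA> is a placeholder: pin to the full commit SHA of the
        # actions/checkout release you use and keep the version tag as a comment.
        uses: actions/checkout@<CHECKOUT_SHA> # vX.Y.Z
        with:
          persist-credentials: false   # do not leave the token in .git/config

      - name: Run analysis
        uses: ossf/scorecard-action@<SCORECARD_ACTION_SHA> # vX.Y.Z
        with:
          results_file: results.sarif
          results_format: sarif
          # Publishing makes the score visible in the securityscorecards.dev viewer;
          # set to false for private repositories.
          publish_results: true

      - name: Upload SARIF to the Security tab
        uses: github/codeql-action/upload-sarif@<CODEQL_ACTION_SHA> # vX.Y.Z
        with:
          sarif_file: results.sarif
```

With `permissions: read-all` at the top and write scopes granted only on the job that needs them, the workflow itself scores well on Scorecard's Token-Permissions check; the `branch_protection_rule` trigger means a change to branch protection is re-evaluated promptly rather than waiting for the next scheduled run.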

@jamietanna jamietanna requested a review from a team as a code owner September 24, 2025 17:23
@kusari-inspector

kusari-inspector bot commented Sep 24, 2025

Kusari Inspector

Kusari Analysis Results:

Proceed with these changes

✅ No Flagged Issues Detected
All values appear to be within acceptable risk parameters.

Combined security analysis shows no genuine security issues. Dependency analysis found no problematic dependency changes, code issues, or exposed secrets. Code analysis identified one false positive - a GitHub Action commit hash used for version pinning, which is actually a security best practice to prevent supply chain attacks. No vulnerabilities, workflow issues, or module security concerns were detected across both analyses. The PR is safe to merge.

Commit: 25a6d54, performed at: 2025-09-24T19:32:45Z


[0]: https://securityscorecards.dev/viewer/?uri=github.com%2Fdeepmap%2Foapi-codegen
[1]: https://github.com/renovatebot/renovate/blob/8b86b8cdb4a3e36d6211e47a2e6a201f25f674da/.github/workflows/scorecard.yml
@kusari-inspector

Kusari PR Analysis rerun based on - 25a6d54 performed at: 2025-09-24T19:33:26Z - link to updated analysis

@jamietanna jamietanna merged commit d39bf2d into main Sep 24, 2025
41 checks passed
@jamietanna jamietanna deleted the build/scorecard branch September 24, 2025 19:34
@jamietanna jamietanna added the chore Any maintenance tasks that are regular, not as important to call out in the changelog label Nov 1, 2025