Add openssf scorecard action and readme badge displaying score #1188
Conversation
✅ Deploy Preview for fdc3 ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
| # - you want to enable the Branch-Protection check on a *public* repository, or | ||
| # - you are installing Scorecard on a *private* repository | ||
| # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional. | ||
| repo_token: ${{ secrets.SCORECARD_TOKEN }} |
There was a problem hiding this comment.
This is defined at the org level as evidenced by the scorecard action working in other FINOS projects.
| # For private repositories: | ||
| # - `publish_results` will always be set to `false`, regardless | ||
| # of the value entered here. | ||
| publish_results: false |
There was a problem hiding this comment.
Non public publish. This will keep results as local code scanning issues.
|
@kriswest When/If we merge this one can we do a squash merge? I was having issues rebasing locally to squash and reword the commit. |
@bingenito I don't see why not (as long as we remember). @robmoffat I think this one is with you to review - along with another action related to the badge |
|
Token seems to be present at org level because scorecard is working for other projects such as fdc3-dotnet. Will find out once I merge. |
Run openssf scorecard action weekly and on pushes to main branch (will create code scan analysis security entries if required).
THIS SOFTWARE IS CONTRIBUTED SUBJECT TO THE TERMS OF THE FINOS CORPORATE CONTRIBUTOR LICENSE AGREEMENT.
THIS SOFTWARE IS LICENSED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT, ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. THIS SOFTWARE MAY BE REDISTRIBUTED TO OTHERS ONLY BY EFFECTIVELY USING THIS OR ANOTHER EQUIVALENT DISCLAIMER IN ADDITION TO ANY OTHER REQUIRED LICENSE TERMS.