add openssf scorecard workflow #195
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #195 +/- ##
=======================================
Coverage 60.42% 60.42%
=======================================
Files 43 43
Lines 5097 5097
=======================================
Hits 3080 3080
Misses 1828 1828
Partials 189 189 ☔ View full report in Codecov by Sentry. |
|
@Jdubrick what does the scorecard do? |
It's part of the checklist for items tagged as Code on the CLOMonitor. It scans the codebase after commits and gives a score based on the security rating of different factors. The installation is found here and a good description here. If this doesn't sound like something we want it can easily be exempted from the CLOMonitor check. |
| # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: | ||
| # - you want to enable the Branch-Protection check on a *public* repository, or |
There was a problem hiding this comment.
Do we need to mention the PAT here since there is a branch_protection_rule above..
There was a problem hiding this comment.
I was able to implement the other 3 changes but after doing some digging we will need to get an admin on the org to create the fine grained PAT so that it is a secret of the repo. Without adding it right now all that should happen is it won't perform the branch protection check but may do everything else
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
|
@Jdubrick would you be able to edit your commits and sign your commits like |
Signed-off-by: Jordan Dubrick <jdubrick@redhat.com>
Signed-off-by: Jordan Dubrick <jdubrick@redhat.com>
Jdubrick
force-pushed
the
Jdubrick-cleaner-tasks
branch
from
acc5514
to
a29857a
Compare
@maysunfaisal should be fixed now, I must've forgot for one of the commits! |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Jdubrick, maysunfaisal The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What does this PR do?:
Enables the openssf scorecard code scanning so that we can add the openssf scorecard to our repository. This is apart of the CNCF Cleaner tasks.
Which issue(s) this PR fixes:
fixes devfile/api#1369
PR acceptance criteria:
Testing and documentation do not need to be complete in order for this PR to be approved. We just need to ensure tracking issues are opened and linked to this PR, if they are not in the PR scope due to various constraints.
Unit/Functional tests
QE Integration test
Documentation (READMEs, Product Docs, Blogs, Education Modules, etc.)
Client Impact
Gosec scans
How to test changes / Special notes to the reviewer: