✨ Add scorecard analysis for dogfooding (#1073)

* fix * fix * updates * fix * comments * fix * test comment
ossf · Sep 27, 2021 · 676885f · 676885f
1 parent 3a43c68
commit 676885f
Show file tree

Hide file tree

Showing 5 changed files with 114 additions and 3 deletions.
diff --git a/actions/testdata/policy.yml → .github/scorecard-policy.yml b/actions/testdata/policy.yml → .github/scorecard-policy.yml
diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml
@@ -0,0 +1,43 @@
+name: Scorecard analysis workflow
+on: 
+  push:
+    branches: [main]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    steps:
+      # TODO: if pull_request
+      - name: "Checkout code"
+        uses: actions/checkout@v1
+
+      - name: "Run analysis"
+        # This is temporary for dogfooding.
+        # We will remove the use of container and
+        # pin the dependency by hash.
+        # https://github.com/ossf/scorecard/issues/1072. 
+        uses: docker://laurentsimon/scorecard-action:latest
+        with:
+          policy_file: .github/scorecard.yml
+          sarif_file: results.sarif
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+
+      # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
+      # Optional.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@v2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: "Upload SARIF results"
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: results.sarif
diff --git a/actions/Dockerfile b/actions/Dockerfile
@@ -12,6 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# Testing: docker run -e INPUT_SARIF_FILE=results.sarif -e GITHUB_WORKSPACE=/ -e INPUT_POLICY_FILE="policies/policy.yml" -e INPUT_REPO_TOKEN=$GITHUB_AUTH_TOKEN -e GITHUB_REPOSITORY="ossf/scorecard" laurentsimon/scorecard-action:latest
+
 # Use scorecard's official Docker image as base.
 ARG DOCKER_SHA
 FROM gcr.io/openssf/scorecard@sha256:${DOCKER_SHA} as base
@@ -26,10 +28,10 @@ RUN apt-get update && \
 COPY --from=base /scorecard /scorecard
 
 # Copy a test policy for local testing.
-COPY actions/testdata/policy.yml .
+COPY actions/policies/template.yml /policy.yml
 
 # Our entry point.
 # Note: the file is executable in the repo
 # and permission carry over to the image.
-ADD actions/entrypoint.sh entrypoint.sh
+ADD actions/entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/actions/entrypoint.sh b/actions/entrypoint.sh
@@ -1,4 +1,4 @@
-#!/bin/bash -euo pipefail
+#!/bin/bash
 # Copyright 2021 Security Scorecard Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -13,6 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+set -euo pipefail
+
 # https://docs.github.com/en/actions/learn-github-actions/environment-variables
 # GITHUB_EVENT_PATH contains the json file for the event.
 # GITHUB_SHA contains the commit hash.

diff --git a/actions/policies/template.yml b/actions/policies/template.yml
@@ -0,0 +1,64 @@
+# Copyright 2021 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: 1
+policies:
+  Token-Permissions:
+      score: 10
+      mode: enforced
+  Branch-Protection:
+      score: 10
+      mode: enforced
+  Code-Review:
+      score: 10
+      mode: enforced
+  Pinned-Dependencies:
+      score: 10
+      mode: enforced
+  Security-Policy:
+      score: 10
+      mode: enforced
+  SAST:
+      score: 10
+      mode: enforced
+  Contributors:
+      score: 10
+      mode: enforced
+  Packaging:
+      score: 10
+      mode: enforced
+  Binary-Artifacts:
+      score: 10
+      mode: enforced
+  Signed-Releases:
+      score: 10
+      mode: enforced
+  Dependency-Update-Tool:
+      score: 10
+      mode: enforced
+  Fuzzing:
+      score: 10
+      mode: enforced
+  CII-Best-Practices:
+      score: 10
+      mode: enforced
+  Vulnerabilities:
+      score: 10
+      mode: enforced
+  CI-Tests:
+      score: 10
+      mode: enforced
+  Maintained:
+      score: 10
+      mode: enforced