diff --git a/.github/workflows/scorecard_action.yml b/.github/workflows/scorecard_action.yml index bfa33c56f322..d17cdf691f25 100644 --- a/.github/workflows/scorecard_action.yml +++ b/.github/workflows/scorecard_action.yml @@ -20,7 +20,7 @@ jobs: security-events: write actions: read contents: read - + id-token: write steps: - name: "Checkout code" uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0 @@ -28,7 +28,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@ce330fde6b1a5c9c75b417e7efc510b822a35564 + uses: ossf/scorecard-action@3155d134e59d8f47261b1ae9d143034c69572227 # v2.0.0-beta.1 with: results_file: results.sarif results_format: sarif diff --git a/README.md b/README.md index e5ed767c4663..d9ad290cfc67 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,7 @@ Container Signing, Verification and Storage in an OCI registry. [![Go Report Card](https://goreportcard.com/badge/github.com/sigstore/cosign)](https://goreportcard.com/report/github.com/sigstore/cosign) [![e2e-tests](https://github.com/sigstore/cosign/actions/workflows/e2e_tests.yml/badge.svg)](https://github.com/sigstore/cosign/actions/workflows/e2e_tests.yml) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5715/badge)](https://bestpractices.coreinfrastructure.org/projects/5715) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/sigstore/cosign/badge)](https://api.securityscorecards.dev/projects/github.com/sigstore/cosign) Cosign aims to make signatures **invisible infrastructure**.