From e619c6dcd1195d659c39a843a0109f6720d27113 Mon Sep 17 00:00:00 2001
From: Azeem Shaikh
Date: Wed, 27 Jul 2022 21:49:14 +0000
Subject: [PATCH] Enable Scorecard badge

Signed-off-by: Azeem Shaikh
---
 .github/workflows/scorecard_action.yml | 4 ++--
 README.md | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/scorecard_action.yml b/.github/workflows/scorecard_action.yml
index bfa33c56f32..d17cdf691f2 100644
--- a/.github/workflows/scorecard_action.yml
+++ b/.github/workflows/scorecard_action.yml
@@ -20,7 +20,7 @@ jobs: security-events: write actions: read contents: read - + id-token: write steps: - name: "Checkout code" uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0
@@ -28,7 +28,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@ce330fde6b1a5c9c75b417e7efc510b822a35564 + uses: ossf/scorecard-action@3155d134e59d8f47261b1ae9d143034c69572227 # v2.0.0-beta.1 with: results_file: results.sarif results_format: sarif
diff --git a/README.md b/README.md
index e5ed767c466..d9ad290cfc6 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,7 @@ Container Signing, Verification and Storage in an OCI registry. [![Go Report Card](https://goreportcard.com/badge/github.com/sigstore/cosign)](https://goreportcard.com/report/github.com/sigstore/cosign) [![e2e-tests](https://github.com/sigstore/cosign/actions/workflows/e2e_tests.yml/badge.svg)](https://github.com/sigstore/cosign/actions/workflows/e2e_tests.yml) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5715/badge)](https://bestpractices.coreinfrastructure.org/projects/5715) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/sigstore/cosign/badge)](https://api.securityscorecards.dev/projects/github.com/sigstore/cosign) Cosign aims to make signatures **invisible infrastructure**.
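Review bot: The new `id-token: write` permission in the first scorecard_action.yml hunk is added without a comment saying why the job now needs to mint OIDC tokens, while every other line in that permissions block is a least-privilege `read`; a reader auditing workflow permissions later has to guess. Suggest documenting the intent inline, e.g. `id-token: write  # needed by scorecard-action to publish results to the OpenSSF Scorecard API`, so the grant is tied to a concrete consumer and can be revoked if result publishing is ever dropped. The badge added to README.md only shows data when results are actually published, which presumably requires `publish_results: true` on the scorecard-action step; that `with:` block continues past the end of the second hunk, so it cannot be confirmed here and is worth checking in the same change. The first hunk's `steps:` list also runs on outside the hunk; keeping `persist-credentials: false` on the checkout step alongside the new token permission is the right combination.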