From fd47e6c48389f92c3e38844a2a42eec2ce2f1c04 Mon Sep 17 00:00:00 2001
From: Lucas TESSON <lucastesson@protonmail.com>
Date: Wed, 28 Jun 2023 23:03:20 +0200
Subject: [PATCH] Add OpenSSF Scoreboard scan

---
 .github/workflows/scoreboard.yml | 35 ++++++++++++++++++++++++++++++++
 README.md                        |  1 +
 2 files changed, 36 insertions(+)
 create mode 100644 .github/workflows/scoreboard.yml

diff --git a/.github/workflows/scoreboard.yml b/.github/workflows/scoreboard.yml
new file mode 100644
index 0000000..3baad7b
--- /dev/null
+++ b/.github/workflows/scoreboard.yml
@@ -0,0 +1,35 @@
+name: Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '16 0 * * 6'
+  push:
+    branches: [ "main" ]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+
+      - name: Run analysis
+        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+        with:
+          sarif_file: results.sarif
diff --git a/README.md b/README.md
index 73c8639..33e2486 100644
--- a/README.md
+++ b/README.md
@@ -7,6 +7,7 @@
 	<br>
 	<a href="https://github.com/pandatix/go-cvss/actions?query=workflow%3Aci+"><img src="https://img.shields.io/github/actions/workflow/status/pandatix/go-cvss/ci.yaml?style=for-the-badge" alt="CI"></a>
 	<a href="https://github.com/pandatix/go-cvss/actions/workflows/codeql-analysis.yaml"><img src="https://img.shields.io/github/actions/workflow/status/pandatix/go-cvss/codeql-analysis.yaml?style=for-the-badge" alt="CodeQL"></a>
+	<a href="https://securityscorecards.dev/viewer/?uri=github.com/pandatix/go-cvss"><img src="https://img.shields.io/ossf-scorecard/github.com/pandatix/go-cvss?label=openssf%20scorecard&style=for-the-badge" alt="OpenSSF Scoreboard"></a>
 </div>
 
 Go-CVSS is a blazing-fast, low allocations and small memory-usage Go module made to manipulate Common Vulnerability Scoring System (CVSS).