Add scorecard analysis tool (#103)

Signed-off-by: Gabriela Gutierrez <[email protected]>
sigstore · Jan 10, 2024 · 3337819 · 3337819
1 parent 7e62ec8
commit 3337819
Showing 1 changed file with 31 additions and 0 deletions.
diff --git a/.github/scorecard.yml b/.github/scorecard.yml
@@ -0,0 +1,31 @@
+name: Scorecard supply-chain security
+on:
+  # (Optional) For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  # branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '32 18 * * 0'
+  push:
+    branches: ["main"]
+
+# Declare default permissions as none.
+permissions: {}
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+    uses: sigstore/community/.github/workflows/reusable-scorecard.yml@d0c95c8803672313d0bf72e1a44021be5b583c24 # main
+    # (Optional) Disable publish results:
+    # with:
+    #   publish_results: false
+
+    # (Optional) Enable Branch-Protection check:
+    # secrets:
+    #   scorecard_token: ${{ secrets.SCORECARD_TOKEN }}