✨ Define scorecard GitHub action (#1069)

* test * fix * fix * license
2024-09-19 04:57:14 +03:00 · 2021-09-27 15:30:36 -07:00 · 2021-09-27 15:30:36 -07:00 · 3a43c683c8
commit 3a43c683c8
parent 3cbe7b26f7
4 changed files with 132 additions and 3 deletions
--- a/actions/Dockerfile
+++ b/actions/Dockerfile
@ -0,0 +1,35 @@
+# Copyright 2021 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Use scorecard's official Docker image as base.
+ARG DOCKER_SHA
+FROM gcr.io/openssf/scorecard@sha256:${DOCKER_SHA} as base
+
+# Build our image and update the root certs.
+# TODO: use distroless.
+FROM debian:9.5-slim
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends ca-certificates
+
+# Copy the scorecard binary from the official scorecard image.
+COPY --from=base /scorecard /scorecard
+
+# Copy a test policy for local testing.
+COPY actions/testdata/policy.yml .
+
+# Our entry point.
+# Note: the file is executable in the repo
+# and permission carry over to the image.
+ADD actions/entrypoint.sh entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
--- a/actions/entrypoint.sh
+++ b/actions/entrypoint.sh
@ -0,0 +1,31 @@
+#!/bin/bash -euo pipefail
+# Copyright 2021 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# https://docs.github.com/en/actions/learn-github-actions/environment-variables
+# GITHUB_EVENT_PATH contains the json file for the event.
+# GITHUB_SHA contains the commit hash.
+# GITHUB_WORKSPACE contains the repo folder.
+# GITHUB_EVENT_NAME contains the event name.
+
+export GITHUB_AUTH_TOKEN="$INPUT_REPO_TOKEN"
+export SCORECARD_V3=1
+export SCORECARD_POLICY_FILE="$INPUT_POLICY_FILE"
+export SCORECARD_SARIF_FILE="$INPUT_SARIF_FILE"
+
+# It's important to change directories here, to ensure
+# the files in SARIF start at the source of the repo.
+# This allows GitHub to highlight the file.
+cd "$GITHUB_WORKSPACE"
+/scorecard --repo="$GITHUB_REPOSITORY" --format sarif --show-details --policy="$SCORECARD_POLICY_FILE" > "$SCORECARD_SARIF_FILE"
--- a/actions/testdata/policy.yml
+++ b/actions/testdata/policy.yml
@ -0,0 +1,64 @@
+# Copyright 2021 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: 1
+policies:
+  Token-Permissions:
+      score: 10
+      mode: enforced
+  Branch-Protection:
+      score: 10
+      mode: enforced
+  Code-Review:
+      score: 10
+      mode: enforced
+  Pinned-Dependencies:
+      score: 10
+      mode: enforced
+  Security-Policy:
+      score: 10
+      mode: enforced
+  SAST:
+      score: 10
+      mode: enforced
+  Contributors:
+      score: 10
+      mode: enforced
+  Packaging:
+      score: 10
+      mode: enforced
+  Binary-Artifacts:
+      score: 10
+      mode: enforced
+  Signed-Releases:
+      score: 10
+      mode: enforced
+  Dependency-Update-Tool:
+      score: 10
+      mode: enforced
+  Fuzzing:
+      score: 10
+      mode: enforced
+  CII-Best-Practices:
+      score: 10
+      mode: enforced
+  Vulnerabilities:
+      score: 10
+      mode: enforced
+  CI-Tests:
+      score: 10
+      mode: enforced
+  Maintained:
+      score: 10
+      mode: enforced
--- a/cmd/root.go
+++ b/cmd/root.go
@ -136,9 +136,8 @@ var rootCmd = &cobra.Command{
 	Run: func(cmd *cobra.Command, args []string) {
 		// UPGRADEv3: remove.
 		var v3 bool
-		if _, v3 = os.LookupEnv("SCORECARD_V3"); v3 {
-			fmt.Printf("**** Using SCORECARD_V3 code ***** \n\n")
-		}
+		_, v3 = os.LookupEnv("SCORECARD_V3")
+
 		if format == formatSarif && !v3 {
 			log.Fatal("sarif not supported yet")
 		}