parent
3cbe7b26f7
commit
3a43c683c8
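--- /dev/null
+++ b/actions/Dockerfile
@@ -0,0 +1,35 @@
+# Copyright 2021 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Use scorecard's official Docker image as base.
+ARG DOCKER_SHA
+FROM gcr.io/openssf/scorecard@sha256:${DOCKER_SHA} as base
+
+# Build our image and update the root certs.
+# TODO: use distroless.
+FROM debian:9.5-slim
+RUN apt-get update && \
+apt-get install -y --no-install-recommends ca-certificates
+
+# Copy the scorecard binary from the official scorecard image.
+COPY --from=base /scorecard /scorecard
+
+# Copy a test policy for local testing.
+COPY actions/testdata/policy.yml .
+
+# Our entry point.
+# Note: the file is executable in the repo
+# and permission carry over to the image.
+ADD actions/entrypoint.sh entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]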
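Review bot: The runtime stage at `FROM debian:9.5-slim` is selected by a mutable tag while the scorecard stage a few lines above is pinned by digest through `DOCKER_SHA`, so the image that actually ships the binary is not reproducible and a re-pushed tag changes it silently; pin it as `FROM debian:9.5-slim@sha256:<digest of the intended image>` and bump the digest deliberately. `ADD actions/entrypoint.sh entrypoint.sh` relies on the default working directory being `/` for `ENTRYPOINT ["/entrypoint.sh"]` to resolve, and `ADD` carries archive-extraction and URL semantics that a plain script does not need; `COPY actions/entrypoint.sh /entrypoint.sh` states the destination explicitly. The `RUN apt-get` layer could also end with `&& rm -rf /var/lib/apt/lists/*` so the package index is not baked into the image, and with no `USER` instruction the scorecard binary runs as root inside the container.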
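--- /dev/null
+++ b/actions/entrypoint.sh
@@ -0,0 +1,31 @@
+#!/bin/bash -euo pipefail
+# Copyright 2021 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# https://docs.github.com/en/actions/learn-github-actions/environment-variables
+# GITHUB_EVENT_PATH contains the json file for the event.
+# GITHUB_SHA contains the commit hash.
+# GITHUB_WORKSPACE contains the repo folder.
+# GITHUB_EVENT_NAME contains the event name.
+
+export GITHUB_AUTH_TOKEN="$INPUT_REPO_TOKEN"
+export SCORECARD_V3=1
+export SCORECARD_POLICY_FILE="$INPUT_POLICY_FILE"
+export SCORECARD_SARIF_FILE="$INPUT_SARIF_FILE"
+
+# It's important to change directories here, to ensure
+# the files in SARIF start at the source of the repo.
+# This allows GitHub to highlight the file.
+cd "$GITHUB_WORKSPACE"
+/scorecard --repo="$GITHUB_REPOSITORY" --format sarif --show-details --policy="$SCORECARD_POLICY_FILE" > "$SCORECARD_SARIF_FILE"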
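Review bot: The shebang `#!/bin/bash -euo pipefail` packs several options into the interpreter line, and on Linux the kernel hands everything after the interpreter path to bash as one argument, so whether `-o pipefail` (and the two flags before it) takes effect depends on how bash happens to split that single word rather than on what is written; the robust form is a bare `#!/bin/bash` followed by `set -euo pipefail` as the first command. Once `-u` is in effect, any of `INPUT_REPO_TOKEN`, `INPUT_POLICY_FILE`, `INPUT_SARIF_FILE` or `GITHUB_REPOSITORY` being unset aborts the script at the corresponding `export` or invocation line with only bash's default message, which is worth stating in the comment block at the top. That block also documents `GITHUB_EVENT_PATH`, `GITHUB_SHA` and `GITHUB_EVENT_NAME`, none of which the script reads, but not `GITHUB_REPOSITORY`, which it passes to `--repo`; listing the variables actually consumed would keep the comment accurate.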
64
actions/testdata/policy.yml
vendored
Normal file
64
actions/testdata/policy.yml
vendored
Normal file
@ -0,0 +1,64 @@
|
||||
# Copyright 2021 Security Scorecard Authors
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
version: 1
|
||||
policies:
|
||||
Token-Permissions:
|
||||
score: 10
|
||||
mode: enforced
|
||||
Branch-Protection:
|
||||
score: 10
|
||||
mode: enforced
|
||||
Code-Review:
|
||||
score: 10
|
||||
mode: enforced
|
||||
Pinned-Dependencies:
|
||||
score: 10
|
||||
mode: enforced
|
||||
Security-Policy:
|
||||
score: 10
|
||||
mode: enforced
|
||||
SAST:
|
||||
score: 10
|
||||
mode: enforced
|
||||
Contributors:
|
||||
score: 10
|
||||
mode: enforced
|
||||
Packaging:
|
||||
score: 10
|
||||
mode: enforced
|
||||
Binary-Artifacts:
|
||||
score: 10
|
||||
mode: enforced
|
||||
Signed-Releases:
|
||||
score: 10
|
||||
mode: enforced
|
||||
Dependency-Update-Tool:
|
||||
score: 10
|
||||
mode: enforced
|
||||
Fuzzing:
|
||||
score: 10
|
||||
mode: enforced
|
||||
CII-Best-Practices:
|
||||
score: 10
|
||||
mode: enforced
|
||||
Vulnerabilities:
|
||||
score: 10
|
||||
mode: enforced
|
||||
CI-Tests:
|
||||
score: 10
|
||||
mode: enforced
|
||||
Maintained:
|
||||
score: 10
|
||||
mode: enforced
|
@ -136,9 +136,8 @@ var rootCmd = &cobra.Command{
|
||||
Run: func(cmd *cobra.Command, args []string) {
|
||||
// UPGRADEv3: remove.
|
||||
var v3 bool
|
||||
if _, v3 = os.LookupEnv("SCORECARD_V3"); v3 {
|
||||
fmt.Printf("**** Using SCORECARD_V3 code ***** \n\n")
|
||||
}
|
||||
_, v3 = os.LookupEnv("SCORECARD_V3")
|
||||
|
||||
if format == formatSarif && !v3 {
|
||||
log.Fatal("sarif not supported yet")
|
||||
}
|
||||
|