Add security-gates workflow and update README

Trendyol · Jan 30, 2025 · 813e023 · 813e023
1 parent dd48d4b
commit 813e023
Showing 1 changed file with 62 additions and 0 deletions.
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -0,0 +1,62 @@
+
+name: Scorecard supply-chain security
+
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '29 23 * * 3'
+  push:
+    branches: [ "main", "master"]
+  pull_request:
+    branches: ["main", "master"]
+
+permissions: read-all
+
+jobs:
+  visibility-check:
+    # Bu job, deponun public/private olduğunu belirler
+    outputs:
+      visibility: ${{ steps.drv.outputs.visibility }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Determine repository visibility
+        id: drv
+        run: |
+          visibility=$(gh api /repos/$GITHUB_REPOSITORY --jq '.visibility')
+          echo "visibility=$visibility" >> $GITHUB_OUTPUT
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+  analysis:
+    if: ${{ needs.visibility-check.outputs.visibility == 'public' }}
+    needs: visibility-check
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+
+