From f6eda6f51c4deef9018154797fb9325857703af6 Mon Sep 17 00:00:00 2001 From: Emre Can Vural Date: Mon, 3 Feb 2025 14:26:51 +0300 Subject: [PATCH 1/3] Add security-gates workflow and update README --- .github/workflows/security-gates.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .github/workflows/security-gates.yml diff --git a/.github/workflows/security-gates.yml b/.github/workflows/security-gates.yml new file mode 100644 index 0000000..69c3aad --- /dev/null +++ b/.github/workflows/security-gates.yml @@ -0,0 +1,21 @@ +name: Security Gates + +on: + push: + branches: [main, master] + pull_request: + branches: [main, master] + +jobs: + validate: + runs-on: ubuntu-latest + steps: + - name: Validate Workflow + run: echo "Validation successful" + + security-gates: + uses: Trendyol/security-actions/.github/workflows/security-gates.yml@master + permissions: + actions: read + contents: read + security-events: write From af9de3de6a84788dfd839a0711041e959aa1caa7 Mon Sep 17 00:00:00 2001 From: Emre Can Vural Date: Mon, 3 Feb 2025 14:26:52 +0300 Subject: [PATCH 2/3] Add security-gates workflow and update README --- .github/workflows/scorecard.yml | 64 +++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..4628d7f --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,64 @@ + +name: Scorecard supply-chain security + +on: + branch_protection_rule: + schedule: + - cron: '29 23 * * 3' + push: + branches: [ "main", "master"] + pull_request: + branches: ["main", "master"] + +permissions: read-all + +jobs: + visibility-check: + # Bu job, deponun public/private olduğunu belirler + outputs: + visibility: ${{ steps.drv.outputs.visibility }} + runs-on: ubuntu-latest + steps: + - name: Determine repository visibility + id: drv + run: | + visibility=$(gh api /repos/$GITHUB_REPOSITORY --jq '.visibility') + echo "visibility=$visibility" >> $GITHUB_OUTPUT + env: + GH_TOKEN: ${{ github.token }} + + analysis: + if: ${{ needs.visibility-check.outputs.visibility == 'public' }} + needs: visibility-check + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + steps: + - name: "Checkout code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + - name: "Upload artifact" + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 + with: + sarif_file: results.sarif + + From d2f585243ea742f8f7281b2fdb0cdc3203f74f40 Mon Sep 17 00:00:00 2001 From: Emre Can Vural Date: Mon, 3 Feb 2025 14:26:53 +0300 Subject: [PATCH 3/3] Add security-gates workflow and update README --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 7143de1..127f9db 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ + +[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/Trendyol/schema-craft/badge)](https://scorecard.dev/viewer/?uri=github.com/Trendyol/schema-craft) # 🛠️ SchemaCraft SchemaCraft is a tool that allows you to convert a given JSON payload into a JSON schema based on the [2019-09 JSON Schema specification](https://json-schema.org/draft/2019-09/schema).