Update security-gates.yml

Openssf add
Trendyol · Jan 28, 2025 · eb6a5d3 · eb6a5d3
1 parent 7d1b35d
commit eb6a5d3
Showing 1 changed file with 44 additions and 9 deletions.
diff --git a/.github/workflows/security-gates.yml b/.github/workflows/security-gates.yml
@@ -1,15 +1,17 @@
 name: security-gates
+
 # Controls when the workflow will run
 on:
   workflow_call:
   push:
     branches: [ "main", "master" ]
   pull_request:
     branches: [ "*" ]
+
 jobs:
   visibility-check:
     outputs:
-        visibility: ${{ steps.drv.outputs.visibility }}
+      visibility: ${{ steps.drv.outputs.visibility }}
     runs-on: ubuntu-latest
     steps:
       - name: Determine repository visibility
@@ -18,7 +20,7 @@ jobs:
           visibility=$(gh api /repos/$GITHUB_REPOSITORY --jq '.visibility')
           echo "visibility=$visibility" >> $GITHUB_OUTPUT
         env:
-            GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ github.token }}
 
   gitleaks:
     name: gitleaks
@@ -33,7 +35,7 @@ jobs:
           arc=$(uname -p)
           [ "$arc" = "x86_64" ] && export arc="x64" || echo "$arc"
           os=$(uname -s | tr '[:upper:]' '[:lower:]' )
-          gitleaksVersion=$(echo "8.22.1")
+          gitleaksVersion="8.22.1"
           gl_full=$(printf "gitleaks_%s_%s_%s.tar.gz" "$gitleaksVersion" "$os" "$arc")
           gl_download_link=$(printf "https://github.com/gitleaks/gitleaks/releases/download/v%s/%s" "$gitleaksVersion" "$gl_full")
           wget $gl_download_link -q
@@ -42,9 +44,9 @@ jobs:
       - name: gitleaks-scan
         run: |
           if [ $VISIBILITY == "public" ]; then
-          ./gitleaks detect -f sarif -r gitleaks.sarif --redact --exit-code 0
+            ./gitleaks detect -f sarif -r gitleaks.sarif --redact --exit-code 0
           else
-          ./gitleaks detect --redact -v --exit-code 0
+            ./gitleaks detect --redact -v --exit-code 0
           fi
         env:
           VISIBILITY: ${{ needs.visibility-check.outputs.visibility }}
@@ -54,7 +56,7 @@ jobs:
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: gitleaks.sarif
-          
+
   semgrep:
     name: semgrep
     needs: visibility-check
@@ -70,9 +72,9 @@ jobs:
       - name: semgrep-scan
         run: |
           if [ $VISIBILITY == "public" ]; then
-          semgrep ci --config=auto --sarif --output=semgrep.sarif || true
+            semgrep ci --config=auto --sarif --output=semgrep.sarif || true
           else
-          semgrep ci --config=auto --text || true
+            semgrep ci --config=auto --text || true
           fi
         env:
           VISIBILITY: ${{ needs.visibility-check.outputs.visibility }}
@@ -82,7 +84,40 @@ jobs:
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: semgrep.sarif
-
+
+  scorecard:
+    name: Scorecard analysis
+    needs: visibility-check
+    runs-on: ubuntu-latest
+    if: needs.visibility-check.outputs.visibility == 'public'  # Only run this job for public repositories
+    permissions:
+      security-events: write
+      id-token: write
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+
   sbom-scan:
     name: grype-sbom
     needs: visibility-check