diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 441b2f7..84c6d82 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -28,19 +28,22 @@ jobs:
         uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v1
         with:
           disable-sudo: true
-          egress-policy: audit
-          disable-telemetry: false
+          egress-policy: block
+          disable-telemetry: true
           allowed-endpoints:
             api.github.com:443
             api.osv.dev:443
+            api.scorecard.dev:443
             api.securityscorecards.dev:443
             bestpractices.coreinfrastructure.org:443
             codeload.github.com:443
-            fulcio.sigstore.dev:443
             github.com:443
+            fulcio.sigstore.dev:443
             oauth2.sigstore.dev:443
+            oss-fuzz-build-logs.storage.googleapis.com:443
             rekor.sigstore.dev:443
             sigstore-tuf-root.storage.googleapis.com:443
+            tuf-repo-cdn.sigstore.dev:443
 
       - name: "Checkout code"
         uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v2.4.0
@@ -54,8 +57,8 @@ jobs:
           results_format: sarif
           # Read-only PAT token. To create it,
           # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
-          #repo_token: ${{ secrets.SCORECARD_TOKEN }}
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
+          #repo_token: ${{ secrets.GITHUB_TOKEN }}
           # Publish the results for public repositories to enable scorecard badges. For more details, see
           # https://github.com/ossf/scorecard-action#publishing-results.
           # For private repositories, `publish_results` will automatically be set to `false`, regardless
@@ -73,6 +76,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a
+        uses: github/codeql-action/upload-sarif@b7cec7526559c32f1616476ff32d17ba4c59b2d6
         with:
           sarif_file: results.sarif
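Review bot: With `egress-policy: block` the `allowed-endpoints` list stops being a log and becomes a hard allow-list, so any host the pinned steps contact that is not listed now fails the job instead of appearing in the audit output, and nothing in the hunk records whether this list was taken from an audit run of the same pinned actions. Moving `fulcio.sigstore.dev:443` below `github.com:443` also breaks the alphabetical order the rest of the list keeps, which makes future additions harder to review; it belongs between `codeload.github.com:443` and `github.com:443`. A comment above `allowed-endpoints:` such as `# hard allow-list (egress-policy: block); taken from a harden-runner audit run, keep sorted` would make both the provenance and the ordering rule explicit, and the new `oss-fuzz-build-logs.storage.googleapis.com:443` entry deserves a word on which check needs it (presumably the Fuzzing check; confirm). The enclosing job definition starts before this hunk.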
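Review bot: `repo_token: ${{ secrets.SCORECARD_TOKEN }}` expands to an empty string when that secret is not configured (forks, or a repository where the PAT was never created), so the step would then run with no token at all rather than falling back to `GITHUB_TOKEN`, and the commented-out line left beneath it cannot provide that fallback. If the PAT is only needed for the checks the linked docs call out, `repo_token: ${{ secrets.SCORECARD_TOKEN || secrets.GITHUB_TOKEN }}` keeps the workflow usable where the PAT is absent while still preferring it where it exists. Either way the dead `#repo_token: ${{ secrets.GITHUB_TOKEN }}` line should be removed or rewritten as a comment stating that the PAT is a long-lived credential that must stay read-only and be rotated, since the existing "Read-only PAT token" comment now describes the active line. The `with:` block this sits in starts before the hunk.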