ci: add OpenSSF Scorecard workflow #9

Merged
wizzomafizzo merged 2 commits into main from chore/scorecard on Apr 9, 2026
Conversation

wizzomafizzo (Member) commented Apr 9, 2026

Summary

  • Add weekly OpenSSF Scorecard analysis
  • Results published to scorecard.dev and uploaded to Security tab
  • Runs on push to main and weekly schedule

Summary by CodeRabbit

  • Chores
    • Added automated security scanning to analyze the repository and monitor security posture on code changes and weekly intervals.

Add weekly Scorecard analysis that grades the repository on security
practices. Results published to scorecard.dev and uploaded to the
Security tab as code scanning alerts.
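For reference, a complete Scorecard workflow of the kind this PR adds, written here as an added example: it is not the project's `.github/workflows/scorecard.yml` and may differ from it. The `Run Scorecard` and `Upload artifact` steps use the SHAs quoted in the review thread; the triggers are the ones the PR summary names; the cron slot, the job-level permissions, the `persist-credentials: false` on checkout and the final `upload-sarif` step are assumptions about what a least-privilege version of such a workflow looks like. The `<full-commit-sha>` placeholders are deliberately not real commits and must be resolved before use.

```yaml
# Added example of a least-privilege OpenSSF Scorecard workflow. Not the
# project's file. Placeholders marked <full-commit-sha> must be resolved with
#   git ls-remote --tags <repo-url> <tag> '<tag>^{}'
# (take the "^{}" commit line, not the tag object) before this is committed.
name: Scorecard supply-chain security

on:
  push:
    branches: [main]
  schedule:
    - cron: '30 1 * * 1'   # assumed slot: Mondays 01:30 UTC; any weekly time works
  workflow_dispatch:

# Read-only by default; writes are granted per job below, never globally.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # upload-sarif: write code-scanning alerts
      id-token: write          # publish_results: OIDC token for scorecard.dev
      contents: read
      actions: read
    steps:
      - name: Checkout code
        uses: actions/checkout@<full-commit-sha> # vX.Y.Z, resolve before use
        with:
          persist-credentials: false   # don't leave GITHUB_TOKEN in .git/config

      - name: Run Scorecard
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # tag disputed in the review; verify
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true   # only honoured when run from the default branch

      - name: Upload artifact
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: scorecard-results
          path: results.sarif
          retention-days: 5

      - name: Upload to code scanning
        uses: github/codeql-action/upload-sarif@<full-commit-sha> # vX.Y.Z, resolve before use
        with:
          sarif_file: results.sarif
```

The two write permissions are the minimum the page's stated goals need: `security-events: write` for the Security tab alerts and `id-token: write` for publishing to scorecard.dev. Everything else stays read-only, which is also what Scorecard's own Token-Permissions check grades.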
coderabbitai Bot commented Apr 9, 2026

Walkthrough

Added a new GitHub Actions workflow for OpenSSF Scorecard that runs on pushes to main and weekly schedule. The workflow checks out the repository, executes scorecard analysis, uploads results to GitHub code scanning, and stores artifacts with a 5-day retention period.

Changes

Cohort / File(s) Summary
OpenSSF Scorecard Workflow
.github/workflows/scorecard.yml
New GitHub Actions workflow added with scheduled and push-triggered analysis. Includes repository checkout, OpenSSF scorecard execution generating SARIF output, code scanning upload, and artifact retention configuration.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 A new workflow hops into place,
Security scores we now can trace,
Weekly checks on Monday's dawn,
Code scanning shields are drawn,
Five days of artifacts we'll embrace! 🔐✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'ci: add OpenSSF Scorecard workflow' directly and clearly describes the main change—adding a new GitHub Actions workflow for OpenSSF Scorecard security analysis.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


codecov Bot commented Apr 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


coderabbitai Bot left a review comment
Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/scorecard.yml:
- Around line 24-30: The pinned SHA for the Scorecard action in the "Run
Scorecard" step (uses:
ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a) is annotated as
v2.4.3 but does not match that tag; either replace the SHA with the correct
commit for v2.4.3 (99c09fe975337306107572b4fdf4db224cf8e2f2) or change the
inline version comment to reflect the actual version represented by the current
SHA so the comment and the pinned commit are consistent.
- Around line 36-41: Update the inline comment that annotates the pinned action
SHA for clarity: change the comment on the
actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 line from "#
v4" to "# v4.6.2" so the upload-artifact action version is explicitly
documented; keep the rest of the step (name: Upload artifact, with: name:
scorecard-results, path: results.sarif, retention-days: 5) unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 69ad1b04-7dff-4355-85e4-623f39373b52

📥 Commits

Reviewing files that changed from the base of the PR and between c9a8299 and 0083c17.

📒 Files selected for processing (1)
  • .github/workflows/scorecard.yml

Comment on lines +24 to +30
- name: Run Scorecard
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
with:
results_file: results.sarif
results_format: sarif
publish_results: true
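Review bot: `publish_results: true` requires `id-token: write` in the job's permissions block (and the SARIF upload needs `security-events: write`); that block is not in this excerpt, so confirm the job grants exactly those two writes rather than a broad default. Before acting on the SHA/tag mismatch raised in this thread, re-check it with `git ls-remote --tags https://github.com/ossf/scorecard-action v2.4.3 'v2.4.3^{}'`: the thread's own web-query result reports v2.4.3 at 4eaacf05..., and the `git/ref/tags/...` API call returns the tag object's SHA for an annotated tag rather than the commit it points to, which produces exactly this kind of apparent discrepancy. Whatever the outcome, the SHA in `uses:` must be a commit, and the inline comment should name the tag that peels to it.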

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify ossf/scorecard-action SHA matches v2.4.3 tag

# Fetch the v2.4.3 tag from GitHub API
echo "Checking ossf/scorecard-action v2.4.3 tag..."
gh api repos/ossf/scorecard-action/git/ref/tags/v2.4.3 --jq '.object.sha' 2>/dev/null || echo "Tag v2.4.3 not found"

# Check what the pinned SHA points to
echo "Checking pinned SHA 4eaacf0543bb3f2c246792bd56e8cdeffafb205a..."
gh api repos/ossf/scorecard-action/commits/4eaacf0543bb3f2c246792bd56e8cdeffafb205a --jq '.sha' 2>/dev/null || echo "SHA not found"

Repository: ZaparooProject/go-zapscript

Length of output: 438


🌐 Web query:

ossf/scorecard-action v2.4.3 release SHA commit

💡 Result:

ossf/scorecard-action v2.4.3 is tagged at commit 4eaacf0543bb3f2c246792bd56e8cdeffafb205a. [1], [2]

Sources: [1] (github.com) [2] (git.eigen.co.id)


🏁 Script executed:

#!/bin/bash
# Alternative approach: curl to public GitHub API
echo "Attempting to fetch v2.4.3 tag info via public API..."
curl -s "https://api.github.com/repos/ossf/scorecard-action/git/refs/tags/v2.4.3" | jq '.object.sha' 2>/dev/null || echo "Could not fetch via curl"

# Also try to get the tag object itself
echo "Checking if tag exists on GitHub..."
curl -s "https://api.github.com/repos/ossf/scorecard-action/releases/tags/v2.4.3" | jq '.target_commitish, .tag_name' 2>/dev/null || echo "Could not fetch release info"

Repository: ZaparooProject/go-zapscript

Length of output: 219


Fix the version comment: the pinned SHA does not match v2.4.3.

The workflow pins SHA 4eaacf0543bb3f2c246792bd56e8cdeffafb205a but labels it as v2.4.3. GitHub API confirms that v2.4.3 is actually tagged at SHA 99c09fe975337306107572b4fdf4db224cf8e2f2. Either update the pinned SHA to the correct v2.4.3 commit or update the version comment to reflect the actual version of the pinned SHA.

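The check the review is trying to do by hand, as an added example that is not code from the PR, the bot, or the go-zapscript project: resolve a release tag to the commit it actually points to (annotated tags peel to a commit, and `git ls-remote` shows both) and compare that against the SHA in a `uses:` line. The ls-remote output and all SHAs in it are constructed placeholders, not real scorecard-action commits; the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not code from the PR or the go-zapscript project: verify that
# a SHA-pinned `uses:` line names the commit its version comment claims.
#
# `git ls-remote --tags <repo> <tag> '<tag>^{}'` prints, for an annotated
# release tag, two lines: the tag object and (suffixed "^{}") the commit it
# peels to. The commit is what belongs in `uses:`; comparing a pin against
# the tag object is a classic false "mismatch". The SHAs below are
# constructed placeholders, not real scorecard-action commits.
set -eu

# Resolve a tag to its commit from ls-remote output on stdin: prefer the
# peeled "refs/tags/<tag>^{}" line, fall back to the plain ref (a lightweight
# tag has no peeled line and already names a commit). Fails if neither exists.
resolve_tag_commit() {
  local tag="$1" plain="" peeled="" sha ref
  while read -r sha ref; do
    case "$ref" in
      "refs/tags/$tag^{}") peeled="$sha" ;;
      "refs/tags/$tag")    plain="$sha" ;;
    esac
  done
  if [ -n "$peeled" ]; then printf '%s\n' "$peeled"
  elif [ -n "$plain" ]; then printf '%s\n' "$plain"
  else return 1
  fi
}

# Extract "<sha> <version>" from a line like
#   uses: ossf/scorecard-action@<40-hex-sha> # v2.4.3
# Fails on a tag- or branch-pinned line: that pin is mutable, which is what
# Scorecard's Pinned-Dependencies check flags.
parse_uses_pin() {
  local line="$1" sha version
  sha=$(printf '%s' "$line" | sed -n 's/.*uses:[[:space:]]*[^@]*@\([0-9a-f]\{40\}\).*/\1/p')
  [ -n "$sha" ] || return 1
  version=$(printf '%s' "$line" | sed -n 's/.*#[[:space:]]*\(v[0-9][^[:space:]]*\).*/\1/p')
  printf '%s %s\n' "$sha" "${version:-unknown}"
}

# 0 when the pinned SHA is the commit the commented tag peels to, 1 otherwise.
check_pin_against_remote() {
  local line="$1" remote="$2" parsed sha version expected
  parsed=$(parse_uses_pin "$line") || return 1
  sha=${parsed%% *}
  version=${parsed#* }
  expected=$(printf '%s\n' "$remote" | resolve_tag_commit "$version") || return 1
  [ "$sha" = "$expected" ]
}

# Constructed sample of `git ls-remote --tags` output: v2.4.3 is an annotated
# tag (object 1111..., commit 2222...), v2.4.2 a lightweight tag on 3333....
SAMPLE_REMOTE=$(printf '%s\t%s\n' \
  1111111111111111111111111111111111111111 'refs/tags/v2.4.3' \
  2222222222222222222222222222222222222222 'refs/tags/v2.4.3^{}' \
  3333333333333333333333333333333333333333 'refs/tags/v2.4.2')

# Stand-alone demo. Real use: replace SAMPLE_REMOTE with the output of
#   git ls-remote --tags https://github.com/ossf/scorecard-action v2.4.3 'v2.4.3^{}'
GOOD_PIN='uses: ossf/scorecard-action@2222222222222222222222222222222222222222 # v2.4.3'
TAG_OBJECT_PIN='uses: ossf/scorecard-action@1111111111111111111111111111111111111111 # v2.4.3'
check_pin_against_remote "$GOOD_PIN" "$SAMPLE_REMOTE" && echo "pin matches the v2.4.3 commit"
check_pin_against_remote "$TAG_OBJECT_PIN" "$SAMPLE_REMOTE" || echo "pin is the tag object, not its commit"
```

Run it against real output by piping `git ls-remote --tags <repo> <tag> '<tag>^{}'` into `resolve_tag_commit`; if the result differs from what a `git/ref/tags/<tag>` API call returned, the API gave you the annotated tag object and the pinned commit may well have been right all along.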

Comment on lines +36 to +41
- name: Upload artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: scorecard-results
path: results.sarif
retention-days: 5


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify actions/upload-artifact SHA and identify the specific version

# Check what the pinned SHA points to
echo "Checking pinned SHA ea165f8d65b6e75b540449e92b4886f43607fa02..."
gh api repos/actions/upload-artifact/commits/ea165f8d65b6e75b540449e92b4886f43607fa02 --jq '.sha' 2>/dev/null || echo "SHA not found"

# List recent v4 tags to find matching SHA
echo -e "\nRecent v4.x.x tags:"
gh api repos/actions/upload-artifact/git/matching-refs/tags/v4 --jq '.[].ref' | head -20

Repository: ZaparooProject/go-zapscript

Length of output: 442


🌐 Web query:

actions/upload-artifact ea165f8d65b6e75b540449e92b4886f43607fa02 version

💡 Result:

Commit ea165f8d65b6e75b540449e92b4886f43607fa02 in actions/upload-artifact corresponds to release v4.6.2. [1]


Update the version comment to specify v4.6.2.

The pinned SHA corresponds to v4.6.2. Update the inline comment from # v4 to # v4.6.2 for better traceability and clarity.


@wizzomafizzo wizzomafizzo merged commit 5cd155f into main Apr 9, 2026
12 checks passed