Skip to content

docs: add Sigstore/SBOM badges, fix Semgrep Scorecard regression#338

Merged
nullvariant merged 1 commit into
mainfrom
docs/supply-chain-badges
Mar 15, 2026
Merged

docs: add Sigstore/SBOM badges, fix Semgrep Scorecard regression#338
nullvariant merged 1 commit into
mainfrom
docs/supply-chain-badges

Conversation

@nullvariant

Copy link
Copy Markdown
Owner

Summary

  • Add Sigstore (Cosign Signed) and SBOM (CycloneDX) badges to root README and all 26 language READMEs
  • Fix OpenSSF Scorecard Pinned-Dependencies regression (pip install → SHA-pinned Docker action)
  • Add .semgrepignore for SonarCloud Action SHA pin false positive
  • Release v0.16.21

Test plan

  • Verify Semgrep SAST passes (no false positive, no pip install)
  • Verify OpenSSF Scorecard Pinned-Dependencies returns to 10
  • Verify badges render correctly on GitHub

🤖 Generated with Claude Code

## Background
v0.16.20 added Cosign signing and SBOM but badges were missing.
Semgrep pip install caused OpenSSF Scorecard Pinned-Dependencies
to drop from 10 to 9.
## Changes
- README.md (root): Add Sigstore and SBOM badges after SLSA 3
- docs/i18n/*/README.md (26 languages): Add same badges
- extensions/git-id-switcher/README.md: Regenerated from en source
- security.yml: Revert to semgrep-action Docker image (SHA-pinned)
- .semgrepignore: Exclude sonarcloud.yml (SHA pin false positive)
- dependency-review-config.yml: Re-add semgrep-action license exception
- CHANGELOG.md: Add 0.16.21 entry
- package.json: Bump version 0.16.20 → 0.16.21

🖥️ IDE: [Cursor](https://cursor.sh)
🔌 Extension: [Claude Code](https://claude.ai/download)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6
@github-actions

Copy link
Copy Markdown
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/semgrep/semgrep-action 713efdd345f3035192eaa63f56867b88e63e4e5d UnknownUnknown

Scanned Files

  • .github/workflows/security.yml

@qodo-code-review

Copy link
Copy Markdown

Review Summary by Qodo

Add supply chain security badges and fix Semgrep Scorecard regression

📝 Documentation 🐞 Bug fix

Grey Divider

Walkthroughs

Description
• Add Sigstore (Cosign Signed) and SBOM (CycloneDX) badges to root and 26 language READMEs
• Fix OpenSSF Scorecard Pinned-Dependencies regression by reverting to SHA-pinned Docker action
• Create .semgrepignore file to exclude SonarCloud workflow from false positive detection
• Update version to 0.16.21 and regenerate documentation hashes
Diagram
flowchart LR
  A["Security Workflow"] -->|"Replace pip install"| B["SHA-pinned Docker action"]
  B -->|"Restore score"| C["Pinned-Dependencies: 10"]
  D["Documentation Files"] -->|"Add badges"| E["Sigstore + SBOM badges"]
  E -->|"Render on GitHub"| F["Supply chain visibility"]
  G[".semgrepignore"] -->|"Exclude false positive"| H["SonarCloud workflow"]
Loading

Grey Divider

File Changes

1. README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

README.md


2. extensions/git-id-switcher/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/README.md


3. extensions/git-id-switcher/docs/i18n/ain/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/ain/README.md


View more (31)
4. extensions/git-id-switcher/docs/i18n/bg/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/bg/README.md


5. extensions/git-id-switcher/docs/i18n/cs/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/cs/README.md


6. extensions/git-id-switcher/docs/i18n/de/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/de/README.md


7. extensions/git-id-switcher/docs/i18n/en/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/en/README.md


8. extensions/git-id-switcher/docs/i18n/eo/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/eo/README.md


9. extensions/git-id-switcher/docs/i18n/es/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/es/README.md


10. extensions/git-id-switcher/docs/i18n/fr/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/fr/README.md


11. extensions/git-id-switcher/docs/i18n/haw/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/haw/README.md


12. extensions/git-id-switcher/docs/i18n/hu/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/hu/README.md


13. extensions/git-id-switcher/docs/i18n/it/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/it/README.md


14. extensions/git-id-switcher/docs/i18n/ja/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/ja/README.md


15. extensions/git-id-switcher/docs/i18n/ko/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/ko/README.md


16. extensions/git-id-switcher/docs/i18n/pl/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/pl/README.md


17. extensions/git-id-switcher/docs/i18n/pt-BR/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/pt-BR/README.md


18. extensions/git-id-switcher/docs/i18n/ru/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/ru/README.md


19. extensions/git-id-switcher/docs/i18n/ryu/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/ryu/README.md


20. extensions/git-id-switcher/docs/i18n/tlh/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/tlh/README.md


21. extensions/git-id-switcher/docs/i18n/tok/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/tok/README.md


22. extensions/git-id-switcher/docs/i18n/tr/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/tr/README.md


23. extensions/git-id-switcher/docs/i18n/uk/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/uk/README.md


24. extensions/git-id-switcher/docs/i18n/x-lolcat/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/x-lolcat/README.md


25. extensions/git-id-switcher/docs/i18n/x-pirate/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/x-pirate/README.md


26. extensions/git-id-switcher/docs/i18n/x-shakespeare/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/x-shakespeare/README.md


27. extensions/git-id-switcher/docs/i18n/zh-CN/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/zh-CN/README.md


28. extensions/git-id-switcher/docs/i18n/zh-TW/README.md 📝 Documentation +2/-0

Add Sigstore and SBOM security badges

extensions/git-id-switcher/docs/i18n/zh-TW/README.md


29. .github/workflows/security.yml 🐞 Bug fix +6/-10

Replace pip install with SHA-pinned Docker action

.github/workflows/security.yml


30. .semgrepignore ⚙️ Configuration changes +8/-0

Create ignore file for Semgrep false positives

.semgrepignore


31. .github/dependency-review-config.yml ⚙️ Configuration changes +1/-0

Add semgrep-action license exception

.github/dependency-review-config.yml


32. extensions/git-id-switcher/CHANGELOG.md 📝 Documentation +10/-0

Add v0.16.21 release notes

extensions/git-id-switcher/CHANGELOG.md


33. extensions/git-id-switcher/src/ui/documentationInternal.ts Miscellaneous +29/-29

Update documentation file hashes

extensions/git-id-switcher/src/ui/documentationInternal.ts


34. extensions/git-id-switcher/package.json ⚙️ Configuration changes +1/-1

Bump version to 0.16.21

extensions/git-id-switcher/package.json


Grey Divider

Qodo Logo

@qodo-code-review

qodo-code-review Bot commented Mar 15, 2026

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0)

Grey Divider


Remediation recommended

1. Semgrep bypasses workflow file 🐞 Bug ⛨ Security
Description
.github/workflows/sonarcloud.yml is now excluded via .semgrepignore, so the Semgrep job will not
scan that workflow at all, not just suppress the one known false-positive rule. This reduces
secret/vulnerability detection coverage for that workflow compared to suppressing only the noisy
rule.
Code

.semgrepignore[R1-8]

+# Default semgrep ignores
+node_modules/
+.git/
+*.min.js
+
+# False positive: SHA-pinned commit hash misidentified as SonarQube API key
+# Rule: generic.secrets.security.detected-sonarqube-docs-api-key
+.github/workflows/sonarcloud.yml
Evidence
The Semgrep workflow now uses semgrep/semgrep-action with only config packs specified, while
.semgrepignore explicitly excludes the SonarCloud workflow file; therefore Semgrep will skip
scanning that file entirely.

.semgrepignore[1-8]
.github/workflows/security.yml[175-200]
.github/workflows/sonarcloud.yml[44-52]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`.github/workflows/sonarcloud.yml` is excluded via `.semgrepignore`, which prevents Semgrep from scanning that workflow entirely. This is broader than necessary for addressing a single false-positive rule match.

## Issue Context
The Semgrep job runs the `p/secrets` pack, which is intended to scan repository files for credential leakage and similar issues. Excluding the entire workflow removes that protection for this file.

## Fix Focus Areas
- .semgrepignore[1-8]
- .github/workflows/sonarcloud.yml[1-220]
- .github/workflows/security.yml[175-200]

## Implementation guidance
- Remove the `.github/workflows/sonarcloud.yml` ignore entry.
- Suppress the specific false-positive at the narrowest scope (e.g., add an inline Semgrep suppression comment on the exact line that triggers the rule, or pass a rule exclusion flag through the Semgrep workflow step if supported by your Semgrep invocation).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

ⓘ The new review experience is currently in Beta. Learn more

Grey Divider

Qodo Logo

@sonarqubecloud

Copy link
Copy Markdown

@nullvariant nullvariant merged commit babd60e into main Mar 15, 2026
24 checks passed
@codecov-commenter

Copy link
Copy Markdown

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@nullvariant nullvariant deleted the docs/supply-chain-badges branch March 15, 2026 09:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants