ossf/scorecard-action ossf/scorecard-action

  • Stars
    star
    228
  • Rank 171,725 (Top 4 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created over 2 years ago
  • Updated about 2 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
ossf/scorecard-action
github

ossf

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Official GitHub Action for OpenSSF Scorecard.

Scorecards' GitHub action

CodeQL codecov

Official GitHub Action for OSSF Scorecards.

The Scorecards GitHub Action is free for all public repositories. Private repositories are supported if they have GitHub Advanced Security. Private repositories without GitHub Advanced Security can run Scorecards from the command line by following the standard installation instructions.

Breaking changes in v2

Starting from scorecard-action:v2, GITHUB_TOKEN permissions or job permissions needs to include id-token: write for publish_results: true. This is needed to access GitHub's OIDC token which verifies the authenticity of the result when publishing it. See details here

If publishing results, scorecard-action:v2 also imposes new requirements on both the workflow and the job running the ossf/scorecard-action step. For full details see here.

Installation

View Results

Manual Action Setup

"Classic" PAT Requirements and Risks

Reporting vulnerabilities

The following GitHub triggers are supported: push, schedule (default branch only).

The pull_request and workflow_dispatch triggers are experimental.

Running the Scorecard action on a fork repository is not supported.

GitHub Enterprise repositories are not supported.

Installation

Workflow Setup (Required)

  1. From your GitHub project's main page, click “Security” in the top ribbon.

image

  1. Select “Code scanning”.

image

  1. Then click "Add tool".

image

  1. Choose the "OSSF Scorecard" from the list of workflows, and then click “Configure”.

image

  1. Commit the changes.

image

Authentication with Fine-grained PAT (optional)

Scorecard can run successfully with the workflow's default GITHUB_TOKEN. However, the Branch-Protection and (experimental) Webhooks checks require additional data that isn't accessible with that token.

We therefore suggest you create a fine-grained Personal Access Token (PAT) that Scorecard may use for authentication.

  1. Create a fine-grained Personal Access Token with the following settings:

    • Token name: OpenSSF Scorecard Action - $USER_NAME/$REPO_NAME> (Note: replace $USER_NAME/$REPO_NAME with the names of your organization and repository so you can keep track of your tokens.)
    • Expiration: Set Custom and then set the date to exactly a year in the future (the maximum allowed)
    • Repository Access: Only select repositories and select the desired repository. Alternatively, set All repositories if you wish to use the same token for all your repositories.
    • Repository Permissions:
      • Administration: Read-only: Required to read Branch-Protection settings.
      • Metadata: Read-only will be automatically set when you set Administration
      • Webhooks: Read-only: (Optional) required for the experimental Webhook check.

    Disclaimer: Scorecard uses these permissions solely to learn about the project's branch protection rules and webhooks. However, the token can read many of the project's settings (for a full list, see the queries marked (read) in GitHub's documentation).

    "Classic" tokens with repo scope also work. However, these carry significantly higher risks compared to fine-grained PATs (see "Classic" Personal Access Token (PAT) Requirements and Risks) and are therefore strongly discouraged.

    image

  2. Copy the token value.

  3. Create a new repository secret with the following settings (Warning: GitHub encrypted secrets are accessible by all the workflows and maintainers of a repository.):

    • Name: SCORECARD_TOKEN
    • Value: the value of the token created in step 1 above.

    Note that fine-grained tokens expire after one year. You'll receive an email from GitHub when your token is about to expire, at which point you must regenerate it. Make sure to update the token string in your repository's secrets.

  4. When you call the ossf/scorecard-action in your workflow, pass the token as repo_token: ${{ secrets.SCORECARD_TOKEN }}.

View Results

The workflow is preconfigured to run on every repository contribution. After making a code change, you can view the results for the change either through the Scorecard Badge, Code Scanning Alerts or GitHub Workflow Runs.

REST API

Starting with scorecard-action:v2, users can use a REST API to query their latest run results. This requires setting publish_results: true for the action and enabling id-token: write permission for the job (needed to access GitHub OIDC token). The API is available here: https://api.securityscorecards.dev.

Scorecard Badge

Starting with scorecard-action:v2, users can add a Scorecard Badge to their README to display the latest status of their Scorecard results. This requires setting publish_results: true for the action and enabling id-token: write permission for the job (needed to access GitHub OIDC token). The badge is updated on every run of scorecard-action and points to the latest result. To add a badge to your README, copy and paste the below line, and replace the {owner} and {repo} parts.

[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/{owner}/{repo}/badge)](https://securityscorecards.dev/viewer/?uri=github.com/{owner}/{repo})

Once this badge is added, clicking on the badge will take users to the latest run result of Scorecard.

image

Code Scanning Alerts

A list of results is accessible by going in the Security tab and clicking "Code Scanning Alerts" (it can take a couple minutes for the run to complete and the results to show up). Click on the individual alerts for more information, including remediation instructions. You will need to click "Show more" to expand the full remediation instructions.

image

Verify Runs

The workflow is preconfigured to run on every repository contribution.

To verify that the Action is running successfully, click the repository's Actions tab to see the status of all recent workflow runs. This tab will also show the logs, which can help you troubleshoot if the run failed.

image

Troubleshooting

If the run has failed, the most likely reason is an authentication failure. Confirm that the Personal Access Token is saved as an encrypted secret within the same repository (see Authentication). Also confirm that the PAT is still valid and hasn't expired or been revoked.

If you have a valid PAT saved as an encrypted secret and the run is still failing, confirm that you have not made any changes to the workflow yaml file that affected the syntax. Review the workflow example and reset to the default values if necessary.

Manual Action Setup

If you prefer to manually set up the Scorecards GitHub Action, you will need to set up a workflow file.

First, create a new file in this location: [yourrepo]/.github/workflows/scorecards.yml. Then use the input values below.

Inputs

Name Required Description
result_file yes The file that contains the results.
result_format yes The format in which to store the results [json | sarif]. For GitHub's scanning dashboard, select sarif.
repo_token no PAT token with write repository access. Follow these steps to create it.
publish_results recommended This will allow you to display a badge on your repository to show off your hard work. See details here.

Publishing Results

The Scorecard team runs a weekly scan of public GitHub repositories in order to track the overall security health of the open source ecosystem. The results of the scans are publicly available. Setting publish_results: true replaces the results of the team's weekly scans with your own scan results, helping us scale by cutting down on repeated workflows and GitHub API requests. This option is also needed to enable badges on the repository.

Workflow Restrictions

If publishing results, our API enforces certain rules on the producing workflow, which may reject the results and cause the Scorecard Action run to fail. We understand that this is restrictive, but currently it's necessary to ensure the integrity of our API dataset, since GitHub workflow steps run in the same environment as the job they belong to. If possible, we will work on making this feature more flexible so we can drop this requirement in the future.

Global workflow restrictions

  • The workflow can't contain top level env vars or defaults.
  • No workflow level write permissions.
  • Only the job with ossf/scorecard-action can use id-token: write permissions.

Restrictions on the job containing ossf/scorecard-action

  • No job level env vars or defaults.
  • No containers or services
  • The job should run on one of the Ubuntu hosted runners
  • The steps running in this job must belong to this approved list of GitHub actions.
    • "actions/checkout"
    • "actions/upload-artifact"
    • "github/codeql-action/upload-sarif"
    • "ossf/scorecard-action"
    • "step-security/harden-runner"

Uploading Artifacts

The Scorecards Action uses the artifact uploader action to upload results in SARIF format to the Actions tab. These results are available to anybody for five days after the run to help with debugging. To disable the upload, comment out the Upload Artifact value in the Workflow Example.

Note: if you disable this option, the results of the Scorecards Action run will be only available to people with write access or more. You can find the results on the Security tab scanning dashboard).

Workflow Example

name: Scorecard analysis workflow
on:
  # Only the default branch is supported.
  branch_protection_rule:
  schedule:
    # Weekly on Saturdays.
    - cron: '30 1 * * 6'
  push:
    branches: [ main, master ]

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed if using Code scanning alerts
      security-events: write
      # Needed for GitHub OIDC token if publish_results is true
      id-token: write

    steps:
      - name: "Checkout code"
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
        with:
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
        with:
          results_file: results.sarif
          results_format: sarif
          # (Optional) fine-grained personal access token. Uncomment the `repo_token` line below if:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional.
          # repo_token: ${{ secrets.SCORECARD_TOKEN }}

          # Publish the results for public repositories to enable scorecard badges. For more details, see
          # https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories, `publish_results` will automatically be set to `false`, regardless
          # of the value entered here.
          publish_results: true

      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # required for Code scanning alerts
      - name: "Upload SARIF results to code scanning"
        uses: github/codeql-action/upload-sarif@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2.3.6
        with:
          sarif_file: results.sarif

"Classic" Personal Access Token (PAT) Requirements and Risks

Certain features require a Personal Access Token (PAT). We recommend you use a fine-grained token as described in Authentication. A "classic" PAT also works, but we strongly discourage its use.

Due to a limitation of the "classic" tokens' permission model, the PAT needs write permission to the repository through the repo scope. The PAT will be stored as a GitHub encrypted secret and be accessible by all of the repository's workflows and maintainers. This means another maintainer on your project could potentially use the token to impersonate you. If there is an exploitable bug in a workflow with write permissions, an external contributor could potentially exploit it to extract the PAT.

The only benefit of a "classic" PAT is that it can be set to never expire. However, we believe this does not outweigh the significantly higher risk of "classic" PATs compared to fine-grained PATs.

Reporting vulnerabilities

If you find a vulnerability, please report it to us! See SECURITY.md for more information.

More Repositories

1

scorecard

OpenSSF Scorecard - Security health metrics for Open Source
Go
4,171
star
2

criticality_score

Gives criticality score for an open source project
Go
1,287
star
3

allstar

GitHub App to set and enforce security policies
Go
1,199
star
4

package-analysis

Open Source Package Analysis
Go
708
star
5

wg-best-practices-os-developers

The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.
JavaScript
654
star
6

fuzz-introspector

Fuzz Introspector -- introspect, extend and optimise fuzzers
Python
348
star
7

wg-securing-critical-projects

Helping allocate resources to secure the critical open source projects we all depend on.
315
star
8

wg-security-tooling

OpenSSF Security Tooling Working Group
291
star
9

wg-metrics-and-metadata

The purpose of the Metrics & Metadata (formerly Identifying Security Threats) working group is to enable stakeholders to have informed confidence in the security of open source projects. We do this by collecting, curating, and communicating relevant metrics and metadata from open source projects and the ecosystems of which they are a part.
221
star
10

malicious-packages

A repository of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.
Go
202
star
11

wg-supply-chain-integrity

Our objective is to enable open source maintainers, contributors and end-users to understand and make decisions on the provenance of the code they maintain, produce and use.
173
star
12

osv-schema

Open Source Vulnerability schema.
Python
170
star
13

wg-vulnerability-disclosures

The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication.
168
star
14

secure-sw-dev-fundamentals

Secure Software Development Fundamentals courses (from the OpenSSF Best Practices WG)
CSS
158
star
15

s2c2f

The S2C2F Project is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer’s workflow.
156
star
16

package-manager-best-practices

Collection of security best practices for package managers.
156
star
17

tac

Technical Advisory Council
103
star
18

security-reviews

A community collection of security reviews of open source software components.
Python
86
star
19

wg-securing-software-repos

OpenSSF Working Group on Securing Software Repositories
80
star
20

package-feeds

Feed parsing for language package manager updates
Go
70
star
21

alpha-omega

Our mission is to catalyze sustainable improvements to critical open source software projects and ecosystems.
Open Policy Agent
68
star
22

foundation

OpenSSF Governance and Legal Docs
68
star
23

Project-Security-Metrics

Collect, curate, and communicate relevant security metrics for open source projects.
Python
61
star
24

sbom-everywhere

Improve Software Bill of Materials (SBOM) tooling and training to encourage adoption
Vue
56
star
25

great-mfa-project

The Great Multi-Factor Authentication (MFA) Distribution Project of the Open Source Security Foundation (OpenSSF). We work to distribute hardware MFA tokens to critical open source software (OSS) projects.
52
star
26

security-insights-spec

OPENSSF SECURITY INSIGHTS: Repository for development of the draft standard, where requests for modification should be made via Github Issues.
44
star
27

ai-ml-security

Potential WG on Artificial Intelligence and Machine Learning (AI/ML)
31
star
28

scorecard-monitor

Simplify OpenSSF Scorecard tracking in your organization with automated markdown and JSON reports, plus optional GitHub issue alerts
JavaScript
28
star
29

wg-endusers

OpenSSF Endusers Working Group
27
star
30

ossf-landscape

26
star
31

scorecard-webapp

Website and API for OpenSSF Scorecard
HTML
21
star
32

DevRel-community

Evangelizing the mission and work of the OpenSSF and building strong community outreach around end-users, open-source maintainers, and contributors.
17
star
33

education

OpenSSF Education SIG
16
star
34

toolbelt

16
star
35

project-template

OpenSSF Project Template
16
star
36

omega-triage-portal

Python
13
star
37

Memory-Safety

12
star
38

scorecard-visualizer

Tool for visualizing the Open SSF Scorecard Api data in a human friendly way
TypeScript
10
star
39

Diagrammers-Society

OpenSSF Diagrammers Society
9
star
40

OpenVEX

Vuln Disclosure WG's new SIG
8
star
41

artwork

OpenSSF Artwork
7
star
42

SIRT

The OSS-SIRT SIG (Open Source Software Security Incident Response Team Special Interest Group) is a group working within the OSSF's Vulnerability Disclosure Working Group that is focused on creating secure vulnerability management capabilities within the open source ecosystem to ensure effective coordinated vulnerability disclosure practices (CVD)
7
star
43

community

6
star
44

gb-planning-committee

The Governing Board Planning Committee guides OpenSSF vision and planning including mission, roadmap, milestones and key metrics for success of the overall organization.
6
star
45

oss-compromises

Archive of various open source security compromises
5
star
46

github-org-access-scraper

GitHub lacks an API for listing an org's repos' access for non-team-based individuals, so, scrape it.
5
star
47

vulnerability-disclosures-whitepaper

4
star
48

Governance-Committee

Governance Committee
3
star
49

oss-researcher-vulnerability-guide

3
star
50

S2C2F-attestation-schema-and-tool

Secure Supply Chain Consumption Framework (S2C2F) OSCAL Catalog and tool
Python
3
star
51

security-metrics-dashboard

3
star
52

disclosure-check

disclosure-check
Python
2
star
53

homebrew-tap

2
star
54

omega-moderne-client

Python
2
star
55

outreach

A place to connect about event and conference engagements
1
star
56

action-web-defn-check

GitHub action for checking a Web Application Definition file
1
star
57

wg-dei

The Diversity, Equity, and Inclusion Working Group was formed in December 2023 to help increase representation and strengthen the overall effectiveness of the cybersecurity workforce.
1
star
58

si-tooling

Python
1
star
59

.github

Github configuration
1
star
60

open-auto-vuln-disclose

open-auto-vuln-disclose
Python
1
star
61

oss-analysis-census2-prototype

Prototype of Census 2 of open source software (NOT MAINTAINED)
Python
1
star
62

scorecard-dependencyanalysis

Scorecard action for checking when new dependencies are added to the repository.
Go
1
star