Skip to content

ci: add OpenSSF Scorecard workflow and README badge#777

Open
sofianlak wants to merge 1 commit into
michelin:masterfrom
sofianlak:feature/add-scorecard
Open

ci: add OpenSSF Scorecard workflow and README badge#777
sofianlak wants to merge 1 commit into
michelin:masterfrom
sofianlak:feature/add-scorecard

Conversation

@sofianlak
Copy link
Copy Markdown

@sofianlak sofianlak commented Mar 24, 2026

Closes #776

@github-advanced-security
Copy link
Copy Markdown

github-advanced-security AI commented Mar 26, 2026

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

github-advanced-security[bot]
github-advanced-security AI found potential problems Mar 26, 2026
View reviewed changes
Comment thread .github/workflows/scorecard.yml
security-events: write
steps:
- name: Checkout project
uses: actions/checkout@v6

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 0: GitHub-owned GitHubAction not pinned by hash
Click Remediation section below to solve this issue
Comment thread .github/workflows/scorecard.yml
persist-credentials: false

- name: Run analysis
uses: ossf/scorecard-action@v2.4.3

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 0: third-party GitHubAction not pinned by hash
Click Remediation section below to solve this issue
Comment thread .github/workflows/scorecard.yml
publish_results: ${{ github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}

- name: Upload SARIF report
uses: github/codeql-action/upload-sarif@v4

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 0: GitHub-owned GitHubAction not pinned by hash
Click Remediation section below to solve this issue
Comment thread .github/workflows/scorecard.yml
sarif_file: results.sarif

- name: Upload artifact
uses: actions/upload-artifact@v7

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 0: GitHub-owned GitHubAction not pinned by hash
Click Remediation section below to solve this issue
@loicgreffier
Copy link
Copy Markdown
Collaborator

loicgreffier commented Mar 26, 2026

@sofianlak Thanks for the PR, interesting. Looks good to be merged as is, we might adapt the workflow afterwards depending on what it brings and the needs it addresses

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add OpenSSF Scorecard workflow and badge

3 participants

@sofianlak @github-advanced-security @loicgreffier