feat: Add security-gates and update README (#413)

* Add security-gates workflow and update README * Add security-gates workflow and update README * Add security-gates workflow and update README * Update scorecard.yml --------- Co-authored-by: Oğuzhan Soykan <[email protected]>
Trendyol · Feb 4, 2025 · 031e503 · 031e503
1 parent 2b8d2d6
commit 031e503
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 0 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -37,3 +37,11 @@ jobs:
           verbose: true
           token: ${{ secrets.CODECOV_TOKEN }}
         if: github.ref == 'refs/heads/main'
+
+
+  security-gates:
+    uses: Trendyol/security-actions/.github/workflows/security-gates.yml@master
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -0,0 +1,63 @@
+
+name: Scorecard supply-chain security
+
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '29 23 * * 3'
+  push:
+    branches: [ "main", "master"]
+  pull_request:
+    branches: ["main", "master"]
+
+permissions: read-all
+
+jobs:
+  visibility-check:
+    outputs:
+      visibility: ${{ steps.drv.outputs.visibility }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Determine repository visibility
+        id: drv
+        run: |
+          visibility=$(gh api /repos/$GITHUB_REPOSITORY --jq '.visibility')
+          echo "visibility=$visibility" >> $GITHUB_OUTPUT
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+  analysis:
+    if: ${{ needs.visibility-check.outputs.visibility == 'public' }}
+    needs: visibility-check
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
+        with:
+          sarif_file: results.sarif
+
+
diff --git a/README.md b/README.md
@@ -1,3 +1,5 @@
+
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/Trendyol/kediatR/badge)](https://scorecard.dev/viewer/?uri=github.com/Trendyol/kediatR)
 # kediatR [![codecov](https://codecov.io/gh/trendyol/kediatr/branch/main/graph/badge.svg)](https://codecov.io/gh/trendyol/kediatr)
 
 <img style="float: left" alt="Humus! The kediatr mascot" src="/humus.png" alt="drawing" width="80"/>