Skip to content

Commit

Permalink
📖 Update instructions for Scorecard badge to README (#785)
Browse files Browse the repository at this point in the history 
* Update instructions for Scorecard badge to README

* Update badge usability

* Add badge image

* Add TOC
  • Loading branch information
@azeemshaikh38
azeemshaikh38 committed Aug 2, 2022
1 parent 1a2e1e9 commit 1b61a68
Show file tree
Hide file tree
Showing 2 changed files with 21 additions and 1 deletion.
22 changes: 21 additions & 1 deletion README.md
View file
Expand Up @@ -23,6 +23,8 @@ ________
- [Workflow Setup](#workflow-setup)

[View Results](#view-results)
- [Scorecard Badge](#scorecard-badge)
- [Code Scanning Alerts](#code-scanning-alerts)
- [Verify Runs](#verify-runs)
- [Troubleshooting](#troubleshooting)

Expand Down Expand Up @@ -103,7 +105,25 @@ Then click "Add More Scanning Tools."

## View Results

The workflow is preconfigured to run on every repository contribution. After making a code change, you can view a list of results by going to the Security tab and clicking "Code Scanning Alerts" (it can take a couple minutes for the run to complete and the results to show up). Click on the individual alerts for more information, including remediation instructions. You will need to click "Show more" to expand the full remediation instructions.
The workflow is preconfigured to run on every repository contribution. After making a code change, you can view the results for the change either through the Scorecard Badge, Code Scanning Alerts or GitHub Workflow Runs.

### Scorecard Badge

Starting with scorecard-action:v2, users can add a Scorecard Badge to their README to display the latest status of their Scorecard results. This requires setting `publish_results: true` for the action and enabling `id-token: write` permission for the job (needed to access GitHub OIDC token). The badge is updated on every run of scorecard-action and points to the latest result. To add a badge to your README, copy and paste the below lines:

```
[![OpenSSF Scorecard]
(https://api.securityscorecards.dev/projects/github.com/{org}/{repo}/badge)]
(https://api.securityscorecards.dev/projects/github.com/{org}/{repo})
```

Once this badge is added, clicking on the badge will take users to the latest run result of Scorecard.

![image](/images/badge.png)

### Code Scanning Alerts

A list of results is accessible by going in the Security tab and clicking "Code Scanning Alerts" (it can take a couple minutes for the run to complete and the results to show up). Click on the individual alerts for more information, including remediation instructions. You will need to click "Show more" to expand the full remediation instructions.

![image](/images/remediation.png)

Expand Down
Binary file added images/badge.png
View file
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.

0 comments on commit 1b61a68

Please sign in to comment.