📖 Update instructions for Scorecard badge to README #785

Merged
merged 4 commits into from Aug 2, 2022
22 changes: 21 additions & 1 deletion README.md
@@ -23,6 +23,8 @@ ________
- [Workflow Setup](#workflow-setup)

[View Results](#view-results)
- [Scorecard Badge](#scorecard-badge)
- [Code Scanning Alerts](#code-scanning-alerts)
- [Verify Runs](#verify-runs)
- [Troubleshooting](#troubleshooting)

@@ -103,7 +105,25 @@ Then click "Add More Scanning Tools."

## View Results

The workflow is preconfigured to run on every repository contribution. After making a code change, you can view a list of results by going to the Security tab and clicking "Code Scanning Alerts" (it can take a couple minutes for the run to complete and the results to show up). Click on the individual alerts for more information, including remediation instructions. You will need to click "Show more" to expand the full remediation instructions.
The workflow is preconfigured to run on every repository contribution. After making a code change, you can view the results for the change either through the Scorecard Badge, Code Scanning Alerts or GitHub Workflow Runs.

### Scorecard Badge

Starting with scorecard-action:v2, users can add a Scorecard Badge to their README to display the latest status of their Scorecard results. This requires setting `publish_results: true`聽for the action and enabling `id-token: write` permission for the job (needed to access GitHub OIDC token). The badge is updated on every run of scorecard-action and points to the latest result. To add a badge to your README, copy and paste the below lines:

```
[![OpenSSF Scorecard]
(https://api.securityscorecards.dev/projects/github.com/{org}/{repo}/badge)]
(https://api.securityscorecards.dev/projects/github.com/{org}/{repo})
```

Once this badge is added, clicking on the badge will take users to the latest run result of Scorecard.
Contributor
Where is this latest run result? I.e., it will take you to the Code Scanning Alert for the repo?


![image](/images/badge.png)

### Code Scanning Alerts

A list of results is accessible by going in the Security tab and clicking "Code Scanning Alerts" (it can take a couple minutes for the run to complete and the results to show up). Click on the individual alerts for more information, including remediation instructions. You will need to click "Show more" to expand the full remediation instructions.
Contributor
Minor suggestion:
"Results are available a few minutes after the scan begins. Under the Security tab, choose "Code Scanning Alerts." Click on individual alerts for more information... (etc)"


![image](/images/remediation.png)
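Review bot: the badge snippet in the fenced block under "### Scorecard Badge" is split across three lines, with a line break between `[![OpenSSF Scorecard]` and `(https://api.securityscorecards.dev/projects/github.com/{org}/{repo}/badge)]` and another before the final `(https://api.securityscorecards.dev/projects/github.com/{org}/{repo})`. Markdown does not allow whitespace between `]` and `(`, so a reader who copies these lines verbatim into a README gets literal text instead of a rendered badge. Collapse it to a single line: `[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/{org}/{repo}/badge)](https://api.securityscorecards.dev/projects/github.com/{org}/{repo})`. Two smaller points in the same paragraph: "enabling `id-token: write` permission for the job" should name which job (the one running scorecard-action) so readers do not grant the OIDC token more broadly than needed, and "the latest run result of Scorecard" should say what page the badge link opens, which is the question the contributor comment above already raises.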

Binary file added images/badge.png