setup ossf scorecard and codql workflow (#304)

mmorel-35 · web-flow · commit 4ca7a95c4e9a · 2024-01-03T14:39:00.000Z
Signed-off-by: Matthieu MOREL &lt;matthieu.morel35@gmail.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+- package-ecosystem: github-actions
+  directory: /
+  schedule:
+    interval: daily
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,48 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches:
+    - "main"
+  pull_request:
+    branches:
+    - "main"
+  schedule:
+  - cron: '16 11 * * 5'
+
+permissions:
+  contents: read
+
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: 'ubuntu-22.04'
+    timeout-minutes:  360
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+        - java-kotlin
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4  # v3.22.12
+      with:
+        languages: ${{ matrix.language }}
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@012739e5082ff0c22ca6d6ab32e07c36df03c4a4  # v3.22.12
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4  # v3.22.12
+      with:
+        category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/compare-envoy-versions.yml b/.github/workflows/compare-envoy-versions.yml
@@ -12,7 +12,7 @@ jobs:
     outputs:
       target-version: ${{ steps.compare-latest-to-current-version.outputs.target-version }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5  # v2.7.0
       - name: Fetch latest Envoy version
         id: latest-envoy-version
         run: |
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -0,0 +1,45 @@
+name: Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+  - cron: '33 13 * * 5'
+  push:
+    branches:
+    - "main"
+
+permissions:
+  contents: read
+
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-22.04
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+    - name: "Checkout code"
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+      with:
+        persist-credentials: false
+
+    - name: "Run analysis"
+      uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736  # v2.3.1
+      with:
+        results_file: results.sarif
+        results_format: sarif
+        publish_results: true
+
+    - name: "Upload artifact"
+      uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8  # v3.1.0
+      with:
+        name: SARIF file
+        path: results.sarif
+        retention-days: 5
+
+    - name: "Upload to code-scanning"
+      uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4  # v3.22.12
+      with:
+        sarif_file: results.sarif
diff --git a/.github/workflows/update-protobuf.yml b/.github/workflows/update-protobuf.yml
@@ -11,14 +11,14 @@ jobs:
   update-protobuf:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5  # v2.7.0
       - name: Run scripts
         working-directory: ./tools/
         run: |
           ./update-sha.sh ${{ inputs.envoy_version }} | tee API_SHAS
           ./update-api.sh
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v3
+        uses: peter-evans/create-pull-request@18f7dc018cc2cd597073088f7c7591b9d1c02672  # v3.14.0
         with:
           branch: update-protobuf-to-${{ inputs.envoy_version }}
           base: main
diff --git a/README.md b/README.md
@@ -1,5 +1,6 @@
 # java-control-plane
 
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/envoyproxy/java-control-plane/badge)](https://api.securityscorecards.dev/projects/github.com/envoyproxy/java-control-plane)
 [![CircleCI](https://circleci.com/gh/envoyproxy/java-control-plane.svg?style=svg)](https://circleci.com/gh/envoyproxy/java-control-plane) [![codecov](https://codecov.io/gh/envoyproxy/java-control-plane/branch/main/graph/badge.svg)](https://codecov.io/gh/envoyproxy/java-control-plane) [![Maven Central](https://maven-badges.herokuapp.com/maven-central/io.envoyproxy.controlplane/java-control-plane/badge.svg)](https://maven-badges.herokuapp.com/maven-central/io.envoyproxy.controlplane/java-control-plane)
 
 This repository contains a Java-based implementation of an API server that implements the discovery service APIs defined
