Merge pull request #47 from gcmurphy/scorecard

gcmurphy · web-flow · commit 100e05ca971b · 2024-07-23T16:32:02.000+10:00
Scorecard badge and publish of results
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -28,33 +28,9 @@ jobs:
         with:
           results_file: results.sarif
           results_format: sarif
-          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
-          # - you want to enable the Branch-Protection check on a *public* repository, or
-          # - you are installing Scorecard on a *private* repository
-          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
-          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+          publish_results: true
 
-          # Public repositories:
-          #   - Publish results to OpenSSF REST API for easy access by consumers
-          #   - Allows the repository to include the Scorecard badge.
-          #   - See https://github.com/ossf/scorecard-action#publishing-results.
-          # For private repositories:
-          #   - `publish_results` will always be set to `false`, regardless
-          #     of the value entered here.
-          publish_results: false
-
-      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
-      # format to the repository Actions tab.
-      #- name: "Upload artifact"
-      #  uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
-      #  with:
-      #    name: SARIF file
-      #    path: results.sarif
-      #    retention-days: 5
-
-      # Upload the results to GitHub's code scanning dashboard (optional).
-      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
-      #- name: "Upload to code-scanning"
-      #  uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
-      #  with:
-      #    sarif_file: results.sarif
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        with:
+          sarif_file: results.sarif
diff --git a/README.md b/README.md
@@ -9,10 +9,12 @@
     <img src="https://img.shields.io/badge/docs-latest-blue.svg?style=flat-square"
       alt="docs.rs docs" />
   </a>
+  <a href="https://scorecard.dev/viewer/?uri=github.com/gcmurphy/osv">
+    <img src="https://api.scorecard.dev/projects/github.com/gcmurphy/osv/badge" alt="ossf scorecard">
+  </a>
 </div>
 
-
-### About 
+### About
 
 This library provides bindings to Open Source Security Foundation's
 Open Source Vulnerability (osv) schema and a client to access
