Closed
Labels: enhancement (New feature or request), security (Security-related changes or concerns)
Description
Summary
Implement the OpenSSF Scorecard GitHub Action to provide automated security health metrics and enable the Scorecard badge for README. This follows the badge strategy established in #258.
Background
Research analysis of enterprise OSS projects found OpenSSF Scorecard emerging as the modern standard for security posture visibility. Projects like Prometheus and Docker Compose display Scorecard badges prominently.
Estimated Current Score: 7.5-8.5/10
The repository already demonstrates strong security practices:
| Check | Score | Status |
|---|---|---|
| Binary-Artifacts | 10/10 | ✅ No binaries |
| Branch-Protection | 8-10/10 | ✅ Configured |
| CI-Tests | 10/10 | ✅ Pester + npm audit |
| Dangerous-Workflow | 10/10 | ✅ Clean patterns |
| Dependency-Update-Tool | 10/10 | ✅ Dependabot |
| License | 10/10 | ✅ MIT |
| Maintained | 10/10 | ✅ Active |
| Pinned-Dependencies | 9/10 | ✅ SHA-pinned |
| SAST | 10/10 | ✅ CodeQL |
| Security-Policy | 10/10 | ✅ MSRC |
| Token-Permissions | 10/10 | ✅ Minimal |
| Fuzzing | 0/10 | ❌ Not implemented |
| SBOM | 0/10 | ❌ Not implemented |
| Signed-Releases | 0/10 | ❌ Not implemented |
Implementation
Workflow File
Create .github/workflows/scorecard.yml:
```yaml
name: OpenSSF Scorecard
on:
  schedule:
    - cron: '0 3 * * 0' # Sundays at 3 AM UTC
  push:
    branches:
      - main
permissions:
  contents: read
jobs:
  scorecard:
    name: Scorecard Analysis
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      security-events: write
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521390fa70a37fa40b1305e # v4.2.2
        with:
          persist-credentials: false
      - name: Run Scorecard
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
      - name: Upload SARIF results
        uses: github/codeql-action/upload-sarif@ce729e4d353d580e6cacd6a8cf2921b72e5e310a # v3.27.0
        with:
          sarif_file: results.sarif
      - name: Upload artifact
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: scorecard-results
          path: results.sarif
          retention-days: 5
      - name: Add job summary
        if: always()
        run: |
          echo "## OpenSSF Scorecard Analysis Complete" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "📊 View results in the Security tab under Code Scanning" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "🏆 [View Scorecard Badge](https://scorecard.dev/viewer/?uri=github.com/microsoft/hve-core)" >> "$GITHUB_STEP_SUMMARY"
```
Workflow Restrictions
The Scorecard API enforces strict requirements when `publish_results: true`:
- No top-level `env` vars or `defaults` blocks
- Must run on Ubuntu hosted runners
- Only approved actions: `actions/checkout`, `actions/upload-artifact`, `github/codeql-action/upload-sarif`, `ossf/scorecard-action`, `step-security/harden-runner`
Tool Checksum Update
Add to scripts/security/tool-checksums.json:
```json
"ossf/scorecard-action": {
  "version": "v2.4.3",
  "sha": "4eaacf0543bb3f2c246792bd56e8cdeffafb205a"
}
```
README Badge (after first successful run)
[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/microsoft/hve-core/badge)](https://scorecard.dev/viewer/?uri=github.com/microsoft/hve-core)
Tasks
- Create `.github/workflows/scorecard.yml`
- Add SHA to `scripts/security/tool-checksums.json`
- Verify workflow runs successfully on main branch
- Confirm results publish to Scorecard API
- Add Scorecard badge to README (position 3, between CodeQL and OpenSSF Best Practices)
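An added check (example code, not from the issue or the hve-core repository) for the first two tasks above: it reads the `uses:` lines of a workflow, requires a full commit SHA on each, and compares the pin and its version comment with the entries in `tool-checksums.json`. It assumes that file is a JSON object keyed by action name, as the entry shown above suggests; the workflow excerpt and checksum map are constructed inline.

```python
"""Audit SHA pins in a workflow against scripts/security/tool-checksums.json."""
import json
import re

# Matches "uses: owner/repo[/path]@ref # vX.Y.Z"; local (./) and docker:// refs do not match.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@([^\s#]+)(?:\s*#\s*(\S+))?", re.M
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full commit SHA is the only immutable pin


def audit_pins(workflow_text: str, checksums: dict) -> list:
    """Return one finding per problem; an empty list means every pin is verified."""
    findings = []
    for action, ref, comment in USES_RE.findall(workflow_text):
        if not FULL_SHA_RE.match(ref):
            findings.append(f"{action}: ref '{ref}' is not a full 40-hex commit SHA")
            continue
        entry = checksums.get(action)
        if entry is None:
            findings.append(f"{action}: no entry in tool-checksums.json")
            continue
        if entry["sha"] != ref:
            findings.append(f"{action}: pinned {ref[:12]} but checksum file records {entry['sha'][:12]}")
        if comment != entry["version"]:
            findings.append(f"{action}: version comment {comment!r} != recorded {entry['version']!r}")
    return findings


# Constructed sample workflow: one correct pin, one tag pin, one SHA with no checksum entry.
SAMPLE_WORKFLOW = """\
steps:
  - uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
  - uses: actions/upload-artifact@v4
  - uses: github/codeql-action/upload-sarif@0123456789abcdef0123456789abcdef01234567 # v3.27.0
"""

# Constructed checksum map in the shape of the entry the issue adds (assumed keyed by action name).
SAMPLE_CHECKSUMS = json.loads("""{
  "ossf/scorecard-action": {"version": "v2.4.3", "sha": "4eaacf0543bb3f2c246792bd56e8cdeffafb205a"}
}""")

if __name__ == "__main__":
    for finding in audit_pins(SAMPLE_WORKFLOW, SAMPLE_CHECKSUMS) or ["all pins verified"]:
        print(finding)
```

Run it against the real workflow and checksum file in CI to catch a tag pin, a malformed SHA, or a pin that was bumped without updating the checksum file.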
Acceptance Criteria
- Workflow runs on schedule and push to main
- SARIF results upload to Security tab
- Badge displays current score at api.scorecard.dev
- Results visible at scorecard.dev/viewer/?uri=github.com/microsoft/hve-core
Future Improvements
Higher-priority items to improve Scorecard score:
- Signed-Releases (+1.0 aggregate) - `sigstore/cosign-installer`
- SBOM (+0.5 aggregate) - `anchore/sbom-action`
Related
- Prerequisite: Add professional status badges to README header #258 (initial badge implementation)
- Research: `.copilot-tracking/research/20260123-issue-258-badge-strategy-research.md`