Skip to content

feat(security): add OpenSSF Scorecard workflow and badge#271

Merged
WilliamBerryiii merged 1 commit intomainfrom
wberry/openssf-scorecard-269
Jan 24, 2026
Merged

feat(security): add OpenSSF Scorecard workflow and badge#271
WilliamBerryiii merged 1 commit intomainfrom
wberry/openssf-scorecard-269

Conversation

@WilliamBerryiii
Copy link
Copy Markdown
Member

@WilliamBerryiii WilliamBerryiii commented Jan 24, 2026

feat(security): add OpenSSF Scorecard workflow and badge

Description

Add automated OpenSSF Scorecard analysis to the repository for continuous security posture assessment. The workflow runs on pushes to main and weekly on Sundays, publishing results to the GitHub Security tab and displaying a live badge in the README.

  • Added scorecard.yml GitHub Actions workflow with SHA-pinned actions
  • Configured scorecard-action to publish results to OpenSSF
  • Integrated SARIF upload to GitHub Security tab for code scanning visibility
  • Added job summary with links to Scorecard badge viewer
  • Added OpenSSF Scorecard badge to README header section

Related Issue(s)

Closes #269

Type of Change

Select all that apply:

Code & Documentation:

  • Bug fix (non-breaking change fixing an issue)
  • New feature (non-breaking change adding functionality)
  • Breaking change (fix or feature causing existing functionality to change)
  • Documentation update

Infrastructure & Configuration:

  • GitHub Actions workflow
  • Linting configuration (markdown, PowerShell, etc.)
  • Security configuration
  • DevContainer configuration
  • Dependency update

AI Artifacts:

  • Reviewed contribution with prompt-builder agent and addressed all feedback
  • Copilot instructions (.github/instructions/*.instructions.md)
  • Copilot prompt (.github/prompts/*.prompt.md)
  • Copilot agent (.github/agents/*.agent.md)

Note for AI Artifact Contributors:

  • Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review .github/agents/ before creating new ones.
  • Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
  • See Agents Not Accepted and Model Version Requirements.

Other:

  • Script/automation (.ps1, .sh, .py)
  • Other (please describe):

Testing

  • Verified workflow YAML syntax and structure
  • All actions are SHA-pinned with version comments for auditability
  • Linting passed via npm run lint:all

Checklist

Required Checks

  • Documentation is updated (if applicable)
  • Files follow existing naming conventions
  • Changes are backwards compatible (if applicable)
  • Tests added for new functionality (if applicable)

Required Automated Checks

The following validation commands must pass before merging:

  • Markdown linting: npm run lint:md
  • Spell checking: npm run spell-check
  • Frontmatter validation: npm run lint:frontmatter
  • Link validation: npm run lint:md-links
  • PowerShell analysis: npm run lint:ps

Security Considerations

  • This PR does not contain any sensitive or NDA information
  • Any new dependencies have been reviewed for security issues
  • Security-related scripts follow the principle of least privilege

Additional Notes

All GitHub Actions in the workflow are SHA-pinned per repository security policy:

  • actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 (v4.2.2)
  • ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a (v2.4.3)
  • github/codeql-action/upload-sarif@ce729e4d353d580e6cacd6a8cf2921b72e5e310a (v3.27.0)
  • actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 (v4.4.3)

🔒 - Generated by Copilot

@WilliamBerryiii WilliamBerryiii requested a review from a team as a code owner January 24, 2026 05:41
Copilot AI review requested due to automatic review settings January 24, 2026 05:41
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Jan 24, 2026
edited
Loading

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/checkout 8e8c483db84b4bee98b60c0593521ed34d9990e8 🟢 6.6
Details
CheckScoreReason
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Maintained🟢 79 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7
Code-Review🟢 10all changesets reviewed
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Packaging⚠️ -1packaging workflow not detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Vulnerabilities🟢 82 existing vulnerabilities detected
SAST🟢 8SAST tool detected but not run on all commits
actions/actions/upload-artifact b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 🟢 6.4
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 10no binaries found in the repo
Maintained🟢 1029 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies⚠️ 1dependency not pinned by hash detected -- score normalized to 1
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST🟢 9SAST tool detected but not run on all commits
Vulnerabilities🟢 91 existing vulnerabilities detected
actions/github/codeql-action/upload-sarif ce729e4d353d580e6cacd6a8cf2921b72e5e310a UnknownUnknown
actions/ossf/scorecard-action 4eaacf0543bb3f2c246792bd56e8cdeffafb205a 🟢 9.1
Details
CheckScoreReason
Dependency-Update-Tool🟢 10update tool detected
Security-Policy🟢 10security policy file detected
Maintained🟢 1017 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Code-Review🟢 10all changesets reviewed
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies🟢 9dependency not pinned by hash detected -- score normalized to 9
License🟢 10license file detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Signed-Releases⚠️ -1no releases found
Packaging🟢 10packaging workflow detected
Vulnerabilities🟢 100 existing vulnerabilities detected
SAST🟢 10SAST tool is run on all commits
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
CI-Tests🟢 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 16 contributing companies or organizations

Scanned Files

  • .github/workflows/scorecard.yml

@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Jan 24, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 28.83%. Comparing base (ccb68a4) to head (38b499b).

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main     #271      +/-   ##
==========================================
+ Coverage   28.80%   28.83%   +0.03%     
==========================================
  Files          14       14              
  Lines        2736     2736              
==========================================
+ Hits          788      789       +1     
+ Misses       1948     1947       -1
Flag Coverage Δ
pester 28.83% <ø> (+0.03%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Copilot AI reviewed Jan 24, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds OpenSSF Scorecard automation to continuously assess the repo’s security posture and surfaces the Scorecard badge in the README.

Changes:

  • Added a new GitHub Actions workflow to run OpenSSF Scorecard on main pushes and on a weekly schedule, uploading results as SARIF.
  • Added an OpenSSF Scorecard badge near the top of the README.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
.github/workflows/scorecard.yml Adds a scheduled + post-merge Scorecard run, publishes SARIF results, and uploads artifacts.
README.md Displays the OpenSSF Scorecard badge linking to the Scorecard viewer.

@WilliamBerryiii WilliamBerryiii force-pushed the wberry/openssf-scorecard-269 branch from a0e13f5 to 3b05a67 Compare January 24, 2026 05:58
katriendg
katriendg approved these changes Jan 24, 2026
View reviewed changes
Copilot AI review requested due to automatic review settings January 24, 2026 21:23
@WilliamBerryiii WilliamBerryiii force-pushed the wberry/openssf-scorecard-269 branch from 3b05a67 to 20e93e9 Compare January 24, 2026 21:23
Copilot AI reviewed Jan 24, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.

@WilliamBerryiii
feat(security): add OpenSSF Scorecard workflow and badge
38b499b 
- add scorecard.yml workflow with SHA-pinned actions
- add SARIF category for distinct Code Scanning grouping
- add continue-on-error for resilient SARIF uploads
- set 90-day artifact retention for security auditability
- add Scorecard badge to README.md
- document workflow in .github/workflows/README.md

🔒 - Generated by Copilot
@WilliamBerryiii WilliamBerryiii force-pushed the wberry/openssf-scorecard-269 branch from 20e93e9 to 38b499b Compare January 24, 2026 21:28
@WilliamBerryiii WilliamBerryiii merged commit 7c6d788 into main Jan 24, 2026
16 checks passed
@WilliamBerryiii WilliamBerryiii deleted the wberry/openssf-scorecard-269 branch January 24, 2026 21:30
@hve-core-release-please hve-core-release-please bot mentioned this pull request Jan 24, 2026
Merged
WilliamBerryiii pushed a commit that referenced this pull request Jan 28, 2026
@hve-core-release-please
chore(main): release hve-core 2.0.0 (#212)
672d36b 
🤖 I have created a release *beep* *boop*
---


##
[2.0.0](hve-core-v1.1.0...hve-core-v2.0.0)
(2026-01-28)


### ⚠ BREAKING CHANGES

* **agents:** add Task Reviewer and expand RPI to 4-phase workflow
([#277](#277))

### ✨ Features

* **agents:** add hve-core-installer agent to extension package
([#297](#297))
([c0e48c6](c0e48c6))
* **agents:** add Task Reviewer and expand RPI to 4-phase workflow
([#277](#277))
([ae76cab](ae76cab))
* **build:** add code coverage reporting to Pester workflow
([#230](#230))
([a34822a](a34822a))
* **docs:** add GOVERNANCE.md for OSSF Silver Badge compliance
([#235](#235))
([b0e752c](b0e752c))
* **docs:** add ROADMAP.md for OSSF Silver badge compliance
([#238](#238))
([4a41c16](4a41c16))
* **mcp:** add MCP server configuration guidance and installer
enhancements ([#225](#225))
([0bce418](0bce418))
* **scripts:** add YAML linting with actionlint
([#234](#234))
([d9301f9](d9301f9))
* **security:** add OpenSSF Scorecard workflow and badge
([#271](#271))
([7c6d788](7c6d788))
* **skills:** add video-to-gif conversion skill with FFmpeg two-pass
optimization ([#247](#247))
([8d65c42](8d65c42))
* **tests:** add Pester tests for LintingHelpers and
Validate-MarkdownFrontmatter
([#197](#197),
[#198](#198))
([#205](#205))
([51ae563](51ae563))


### 🐛 Bug Fixes

* **build:** detect table formatting changes via git diff
([#261](#261))
([985eee0](985eee0))
* **build:** disable MD024 lint rule in CHANGELOG for release-please
([#220](#220))
([971df94](971df94))
* **build:** quote shell variables and group redirects in workflow files
([#299](#299))
([3372509](3372509))
* **build:** resolve scorecard badge and workflow security issues
([#301](#301))
([aeaed13](aeaed13))
* **extension:** remove frontmatter from README and exclude from
markdown linting
([#223](#223))
([4272529](4272529))
* **instructions:** quote applyTo glob pattern for YAML compatibility
([#216](#216))
([085199c](085199c))
* **scripts:** add FooterExcludePaths parameter to frontmatter
validation ([#334](#334))
([64db98d](64db98d))
* **scripts:** add GHSA word and logs/ exclusion to cspell config
([#214](#214))
([5c99b3f](5c99b3f))
* **scripts:** correct type assertions in Invoke-YamlLint.Tests.ps1
([#332](#332))
([af7050d](af7050d))
* **scripts:** eliminate false positives in dependency pinning npm
pattern ([#273](#273))
([ccbdfa3](ccbdfa3))
* **security:** add artifact attestation for signed releases
([#257](#257))
([c52d6e2](c52d6e2))
* standardize markdown footers and complete frontmatter
([#217](#217))
([b4e7556](b4e7556))


### 📚 Documentation

* add OpenSSF Best Practices Passing badge to README
([#239](#239))
([91bc529](91bc529))
* **architecture:** add architecture documentation and value proposition
([#252](#252))
([0e4b02f](0e4b02f))
* **contributing:** add testing requirements for OSSF compliance
([#254](#254))
([4db1a18](4db1a18))
* **docs:** add enterprise status badges to README header
([#270](#270))
([ccb68a4](ccb68a4))
* **security:** add security assurance case and threat model for OSSF
Silver ([#259](#259))
([a390e26](a390e26))


### ♻️ Refactoring

* **application:** wrap execution with try blocks, ensure proper …
([#296](#296))
([35c4417](35c4417))
* **scripts:** extract frontmatter validation to testable module
([#293](#293))
([4e8707e](4e8707e))
* **scripts:** extract pure functions for Pester testability
([#221](#221))
([d40e742](d40e742))


### 🔧 Maintenance

* **deps-dev:** bump cspell from 9.4.0 to 9.6.0 in the npm-dependencies
group ([#208](#208))
([855914b](855914b))
* **deps-dev:** bump cspell from 9.6.0 to 9.6.1 in the npm-dependencies
group ([#294](#294))
([1e45ad6](1e45ad6))
* **deps:** bump actions/setup-node from 6.1.0 to 6.2.0 in the
github-actions group
([#209](#209))
([c4c69e2](c4c69e2))
* **deps:** bump the github-actions group with 4 updates
([#295](#295))
([d8337b8](d8337b8))
* remove step-security/harden-runner from workflows
([#246](#246))
([c5708d8](c5708d8))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: hve-core-release-please[bot] <254602402+hve-core-release-please[bot]@users.noreply.github.com>
This was referenced Jan 28, 2026
Closed
Closed
This was referenced Feb 6, 2026
Closed
Closed
Closed
Closed
This was referenced Feb 13, 2026
Closed
Closed
Closed
Closed
Closed
Closed
@hve-core-release-please hve-core-release-please bot mentioned this pull request Feb 17, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@katriendg katriendg katriendg approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Implement OpenSSF Scorecard workflow and badge

4 participants

@WilliamBerryiii @codecov-commenter @katriendg