diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 0000000..59218ee
--- /dev/null
+++ b/.github/workflows/scorecard.yml
@@ -0,0 +1,62 @@
+
+name: Scorecard supply-chain security
+
+on:
+ branch_protection_rule:
+ schedule:
+ - cron: '29 23 * * 3'
+ push:
+ branches: [ "main", "master"]
+ pull_request:
+ branches: ["main", "master"]
+
+permissions: read-all
+
+jobs:
+ visibility-check:
+ # Bu job, deponun public/private olduğunu belirler
+ outputs:
+ visibility: ${{ steps.drv.outputs.visibility }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Determine repository visibility
+ id: drv
+ run: |
+ visibility=$(gh api /repos/$GITHUB_REPOSITORY --jq '.visibility')
+ echo "visibility=$visibility" >> $GITHUB_OUTPUT
+ env:
+ GH_TOKEN: ${{ github.token }}
+
+ analysis:
+ if: ${{ needs.visibility-check.outputs.visibility == 'public' }}
+ needs: visibility-check
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ id-token: write
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
+
+
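Review bot: The `Upload to code-scanning` step references `github/codeql-action/upload-sarif@v3` by a mutable tag, while the other three actions in this workflow are pinned to full commit SHAs. That step runs in the `analysis` job, which holds `security-events: write` and `id-token: write`, so a moved tag would execute with those permissions. Pin it the same way, e.g. `uses: github/codeql-action/upload-sarif@<full-commit-sha> # v3` (placeholder; use the SHA of the release you have reviewed). The `pull_request` trigger also deserves a check: on pull requests from forks the token is normally read-only, so the SARIF upload and `publish_results: true` will probably not work there, and gating those steps on non-PR events may be cleaner. In the `visibility-check` step, quoting the expansions (`"/repos/$GITHUB_REPOSITORY"`, `>> "$GITHUB_OUTPUT"`) is cheap hardening, and the job comment would be easier to maintain in English.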
diff --git a/.github/workflows/security-gates.yml b/.github/workflows/security-gates.yml
new file mode 100644
index 0000000..69c3aad
--- /dev/null
+++ b/.github/workflows/security-gates.yml
@@ -0,0 +1,21 @@
+name: Security Gates
+
+on:
+ push:
+ branches: [main, master]
+ pull_request:
+ branches: [main, master]
+
+jobs:
+ validate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Validate Workflow
+ run: echo "Validation successful"
+
+ security-gates:
+ uses: Trendyol/security-actions/.github/workflows/security-gates.yml@master
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
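Review bot: The `security-gates` job calls a reusable workflow at `@master`, a branch ref that can change at any time, and grants it `security-events: write`. Pinning to a reviewed commit, `uses: Trendyol/security-actions/.github/workflows/security-gates.yml@<full-commit-sha>` (placeholder), makes what runs in this repository auditable and reproducible. The workflow also has no top-level `permissions:` key, so the `validate` job inherits whatever default token permissions the repository or organisation has configured. Adding a top-level `permissions:` block with only `contents: read` would make that baseline explicit while leaving the job-level grants on `security-gates` as they are.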
diff --git a/README.md b/README.md
index 513e5a7..5323b08 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,5 @@
+
+[](https://scorecard.dev/viewer/?uri=github.com/Trendyol/kubernetes-operator-api)
# Kubernetes Operator Api
The Kubernetes API is a sample Kubernetes operator API using the Java Kubernetes Client.