From 7b610af197281583b1f2f1bc59a3a730e38428ae Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Mon, 25 Aug 2025 16:53:28 +0200
Subject: [PATCH 1/2] Replace sync badge with OpenSSF Scorecard Badge +
Workflow to automatically update and generate it
Following docs from github.com/ossf/scorecard-action
Signed-off-by: Jannik Hollenbach
---
.github/workflows/oss-scorecard.yaml | 34 ++++++++++++++++++++++++++++
README.md | 2 +-
2 files changed, 35 insertions(+), 1 deletion(-)
create mode 100644 .github/workflows/oss-scorecard.yaml
diff --git a/.github/workflows/oss-scorecard.yaml b/.github/workflows/oss-scorecard.yaml
new file mode 100644
index 0000000000..bd8e435bba
--- /dev/null
+++ b/.github/workflows/oss-scorecard.yaml
@@ -0,0 +1,34 @@
+name: Scorecards supply-chain security
+on:
+ push:
+ branches:
+ - main
+
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecards analysis
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ id-token: write
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+ with:
+ sarif_file: results.sarif
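Review bot: The `on:` block at the top of the hunk triggers the analysis only on `push` to `main`, so the published Scorecard result (and the README badge that reads it) is never re-evaluated when branch protection changes or when a new vulnerability is disclosed for an unchanged dependency; the ossf/scorecard-action README the commit cites recommends adding `branch_protection_rule:` and a `schedule:` trigger such as `- cron: '30 1 * * 6'` alongside the `push` trigger so those checks stay current without a code push. The job-level `security-events: write` and `id-token: write` permissions match what `publish_results: true` and the SARIF upload need, and if this repository is ever private, `actions: read` and `contents: read` would also have to be granted per the same docs. The actions are SHA-pinned, which is correct practice; the `# v5` and `# v2.4.2` comments cannot be verified from here, so confirm they match the pinned commits so that automated updaters resolve them correctly.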
diff --git a/README.md b/README.md
index 3e0dfd4cc4..545c6abda2 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ SPDX-License-Identifier: Apache-2.0
-
+
From 767beeb949c743ef2d8e116056584ed574a29838 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Mon, 25 Aug 2025 17:07:54 +0200
Subject: [PATCH 2/2] Add license header
Signed-off-by: Jannik Hollenbach
---
.github/workflows/oss-scorecard.yaml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/workflows/oss-scorecard.yaml b/.github/workflows/oss-scorecard.yaml
index bd8e435bba..42b2132e74 100644
--- a/.github/workflows/oss-scorecard.yaml
+++ b/.github/workflows/oss-scorecard.yaml
@@ -1,3 +1,7 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
name: Scorecards supply-chain security
on:
push: