Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

feat: Add security-gates and update README#59

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Closed
emrecanvurallll wants to merge3 commits intomasterfromadd-security-gates
Closed
Show file tree
Hide file tree
Changes fromall commits
Commits
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
62 changes: 62 additions & 0 deletions.github/workflows/scorecard.yml
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,62 @@

name: Scorecard supply-chain security

on:
branch_protection_rule:
schedule:
- cron: '29 23 * * 3'
push:
branches: [ "main", "master"]
pull_request:
branches: ["main", "master"]

permissions: read-all

jobs:
visibility-check:
# Bu job, deponun public/private olduğunu belirler
outputs:
visibility: ${{ steps.drv.outputs.visibility }}
runs-on: ubuntu-latest
steps:
- name: Determine repository visibility
id: drv
run: |
visibility=$(gh api /repos/$GITHUB_REPOSITORY --jq '.visibility')
echo "visibility=$visibility" >> $GITHUB_OUTPUT
env:
GH_TOKEN: ${{ github.token }}

analysis:
if: ${{ needs.visibility-check.outputs.visibility == 'public' }}
needs: visibility-check
runs-on: ubuntu-latest
permissions:
security-events: write
id-token: write
steps:
- name: "Checkout code"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
persist-credentials: false

- name: "Run analysis"
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736
with:
results_file: results.sarif
results_format: sarif
publish_results: true

- name: "Upload artifact"
uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db
with:
name: SARIF file
path: results.sarif
retention-days: 5

- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@v3

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 2: GitHub-owned GitHubAction not pinned by hash
Click Remediation section below to solve this issue
with:
sarif_file: results.sarif


21 changes: 21 additions & 0 deletions.github/workflows/security-gates.yml
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,21 @@
name: Security Gates

Check failure

Code scanning / Scorecard

Token-Permissions High

score is 0: no topLevel permission defined
Remediation tip: Visithttps://app.stepsecurity.io/secureworkflow.
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visithttps://app.stepsecurity.io/securerepo instead.
Click Remediation section below for further remediation help

on:
push:
branches: [main, develop]
pull_request:
branches: [main, develop]

jobs:
validate:
runs-on: ubuntu-latest
steps:
- name: Validate Workflow
run: echo "Validation successful"

security-gates:
uses: Trendyol/security-actions/.github/workflows/security-gates.yml@master
permissions:
actions: read
contents: read
security-events: write

Check failure

Code scanning / Scorecard

Token-Permissions High

score is 0: jobLevel 'security-events' permission set to 'write'
Remediation tip: Verify which permissions are needed and consider whether you can reduce them.
Click Remediation section below for further remediation help
2 changes: 2 additions & 0 deletionsREADME.md
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,5 @@

[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/Trendyol/medusa/badge)](https://scorecard.dev/viewer/?uri=github.com/Trendyol/medusa)
<img src="https://raw.githubusercontent.com/Trendyol/medusa/master/art/medusaicon.png"/>

Fragment manager for your Single Activity - Multi Fragment app.
Expand Down
[8]ページ先頭
©2009-2025 Movatter.jp