From de0253de537cb07a14e248525a724bdf9d4d022a Mon Sep 17 00:00:00 2001 From: Emre Can Vural Date: Mon, 3 Feb 2025 11:49:26 +0300 Subject: [PATCH 1/3] Add security-gates workflow and update README --- .github/workflows/security-gates.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .github/workflows/security-gates.yml diff --git a/.github/workflows/security-gates.yml b/.github/workflows/security-gates.yml new file mode 100644 index 0000000..69c3aad --- /dev/null +++ b/.github/workflows/security-gates.yml @@ -0,0 +1,21 @@ +name: Security Gates + +on: + push: + branches: [main, master] + pull_request: + branches: [main, master] + +jobs: + validate: + runs-on: ubuntu-latest + steps: + - name: Validate Workflow + run: echo "Validation successful" + + security-gates: + uses: Trendyol/security-actions/.github/workflows/security-gates.yml@master + permissions: + actions: read + contents: read + security-events: write From 2433a6ed19bb16e6a9619d6fe6dc2d95f8e9a508 Mon Sep 17 00:00:00 2001 From: Emre Can Vural Date: Mon, 3 Feb 2025 11:49:27 +0300 Subject: [PATCH 2/3] Add security-gates workflow and update README --- .github/workflows/scorecard.yml | 62 +++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..59218ee --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,62 @@ + +name: Scorecard supply-chain security + +on: + branch_protection_rule: + schedule: + - cron: '29 23 * * 3' + push: + branches: [ "main", "master"] + pull_request: + branches: ["main", "master"] + +permissions: read-all + +jobs: + visibility-check: + # Bu job, deponun public/private olduğunu belirler + outputs: + visibility: ${{ steps.drv.outputs.visibility }} + runs-on: ubuntu-latest + steps: + - name: Determine repository visibility + id: drv + run: | + visibility=$(gh api /repos/$GITHUB_REPOSITORY --jq '.visibility') + echo "visibility=$visibility" >> $GITHUB_OUTPUT + env: + GH_TOKEN: ${{ github.token }} + + analysis: + if: ${{ needs.visibility-check.outputs.visibility == 'public' }} + needs: visibility-check + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + steps: + - name: "Checkout code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + - name: "Upload artifact" + uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif + + From 190dc21adf123fe7a2846f2d8187a8291d801d65 Mon Sep 17 00:00:00 2001 From: Emre Can Vural Date: Mon, 3 Feb 2025 11:49:29 +0300 Subject: [PATCH 3/3] Add security-gates workflow and update README --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 513e5a7..5323b08 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ + +[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/Trendyol/kubernetes-operator-api/badge)](https://scorecard.dev/viewer/?uri=github.com/Trendyol/kubernetes-operator-api) # Kubernetes Operator Api The Kubernetes API is a sample Kubernetes operator API using the Java Kubernetes Client.