AOSSIE-Org · kpj2006 · Mar 28, 2026 · Mar 28, 2026
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -0,0 +1,103 @@
+name: Scorecard supply-chain security
+
+# ⚠️ API INTEGRITY RULES (enforced when publish_results: true):
+#   - NO top-level `env:` or `defaults:` blocks in this file
+#   - NO workflow-level write permissions
+#   - ONLY this job may use id-token: write
+# Violating any of these causes the publish step to be REJECTED by api.scorecard.dev
+
+on:
+  branch_protection_rule:
+
+  schedule:
+    - cron: '23 8 * * 6'
+
+  push:
+    # Branch-Protection check ONLY works on the default branch(Must match your actual default branch).
+    branches: ["dev"]
+
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest 
+
+    if: |
+      !github.event.repository.fork &&
+      (github.event.repository.default_branch == github.ref_name ||
+       github.event_name == 'workflow_dispatch' ||
+       github.event_name == 'pull_request')
+
+    permissions:
+      security-events: write
+      id-token: write
+      actions: read
+      # Uncomment for PRIVATE repositories.
+      # contents: read
+
+    steps:
+      - name: "Harden Runner"
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          disable-sudo-and-containers: false
+          # MAINTAINER CHOICE: Use "audit" first to discover needed endpoints,
+          # then switch to "block" once confirmed stable.
+          egress-policy: block
+          # MAINTAINER CHOICE: Add project-specific endpoints if your stack
+          # needs private registries, package mirrors, etc.
+          allowed-endpoints: >
+            github.com:443
+            api.github.com:443
+            index.docker.io:443
+            www.bestpractices.dev:443
+            oss-fuzz-build-logs.storage.googleapis.com:443
+            api.osv.dev:443
+            api.deps.dev:443
+            fulcio.sigstore.dev:443
+            tuf-repo-cdn.sigstore.dev:443
+            rekor.sigstore.dev:443
+            auth.docker.io:443
+            api.scorecard.dev:443
+
+      - name: "Checkout code"
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+
+          # MAINTAINER CHOICE: Uncomment + add secret if:
+          #   - PUBLIC repo wanting Branch-Protection check, OR
+          #   - PRIVATE repo (needs full `repo` scope, not just `public_repo`)
+          # PAT scopes needed: public_repo (public) OR repo (private)
+          # If org uses SAML SSO, also enable SSO on this PAT.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # MAINTAINER CHOICE: true = enables badge + publishes to api.scorecard.dev
+          # After first run, add this badge to your README.md:
+          # [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/{owner}/{repo}/badge)](https://scorecard.dev/viewer/?uri=github.com/{owner}/{repo})
+          publish_results: true
+
+          # MAINTAINER CHOICE: "archive" (default) is faster.
+          # Switch to "git" only if your repo uses .gitattributes export-ignore
+          # directives that cause files to be excluded from the archive download.
+          # file_mode: archive
+
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: results.sarif
diff --git a/README.md b/README.md
@@ -43,6 +43,10 @@
 <!-- Youtube -->
 <a href="https://www.youtube.com/@AOSSIE-Org">
   <img src="https://img.shields.io/youtube/channel/subscribers/UCKVVLbawY7Gej_3o2WKsoiA?style=flat&logo=youtube&logoColor=white%20&logoSize=auto&labelColor=FF0000&color=FF0000" alt="Youtube Badge"></a>
+
+
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/{owner}/{repo}/badge)](https://scorecard.dev/viewer/?uri=github.com/{owner}/{repo})
+
 </p>
 
 ---