(Add OpenSSF article)
(added harden-runner info)
Line 44: | Line 44: | ||
** “Must correct” findings as of 2024-06-12 include | ** “Must correct” findings as of 2024-06-12 include | ||
*** [https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow Dangerous Workflow] | *** [https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow Dangerous Workflow] | ||
** '''''Note:''''' While the action | ** '''''Note:''''' While the <code>ossf/scorecard-action</code> (and [https://github.com/ossf/scorecard-action?tab=readme-ov-file#restrictions-on-the-job-containing-ossfscorecard-action its dependency] <code>step-security/harden-runner</code>) been approved for use in all organizations, it may not yet have been added to an organization you are working in. If you receive a message that the action is not available, please follow [[GitHub#github_actions|these instructions]] to have it added. | ||
* [https://github.com/synacktiv/octoscan Synacktiv's octoscan], which can check workflows on all branches locally. | * [https://github.com/synacktiv/octoscan Synacktiv's octoscan], which can check workflows on all branches locally. | ||
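Review bot: the Note added in the right column at line 44 is missing its verb: "While the <code>ossf/scorecard-action</code> (and [...] <code>step-security/harden-runner</code>) been approved for use in all organizations" should read "... <code>step-security/harden-runner</code>) has been approved for use in all organizations". The same sentence then says "If you receive a message that the action is not available" while two actions have just been named; saying "either action" (or naming <code>ossf/scorecard-action</code> explicitly) would make clear that the linked request instructions apply to whichever of the two is missing from the organization.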