From 8b8e8c366decb54a554d6777895ea7934ead1484 Mon Sep 17 00:00:00 2001 From: Brian DeHamer Date: Tue, 21 Feb 2023 09:08:00 -0800 Subject: [PATCH] scorecard debugging Signed-off-by: Brian DeHamer --- .github/workflows/scorecard-debug.yml | 53 +++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 .github/workflows/scorecard-debug.yml diff --git a/.github/workflows/scorecard-debug.yml b/.github/workflows/scorecard-debug.yml new file mode 100644 index 00000000..af9cf43f --- /dev/null +++ b/.github/workflows/scorecard-debug.yml @@ -0,0 +1,53 @@ +name: debug 1076 +on: workflow_dispatch + +permissions: read-all + +jobs: + analysis: + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + + steps: + - name: "Checkout code" + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=3.0.2 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # tag=v2.0.4 + with: + results_file: results.sarif + results_format: sarif + publish_results: false + + - name: "Debug" + run: | + echo "ANALYSIS(debug):" + cat results.sarif | jq + + debug: + runs-on: ubuntu-latest + steps: + - name: test + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + ENABLE_SARIF: 1 + SCORECARD_EXPERIMENTAL: 1 + run: | + gh -R ossf/scorecard release download v4.10.2 -p "scorecard_4.10.2_linux_amd64.tar.gz" + tar xvzf scorecard_4.10.2_linux_amd64.tar.gz + chmod u+x scorecard-linux-amd64 + curl https://raw.githubusercontent.com/ossf/scorecard-action/main/policies/template.yml > policy.yml + + echo + + echo "SARIF(debug):" + ./scorecard-linux-amd64 --repo=deislabs/ratify --format sarif --show-details --policy ./policy.yml | jq + + echo + + echo "JSON(debug):" + ./scorecard-linux-amd64 --repo=deislabs/ratify --format json --show-details --policy ./policy.yml | jq