OSSF Scorecard Azure Pipelines Task

An Azure Pipelines task that runs OpenSSF Scorecard to evaluate the security posture of your repository.
What is OpenSSF Scorecard?
OpenSSF Scorecard is an automated tool that assesses projects for security risks through a series of checks. It evaluates projects based on security practices and provides a score and recommendations for improvement. For detailed information about each check, visit the Scorecard documentation.
Quick Start
Add the following task to your Azure Pipeline:
```yaml
- task: Scorecard@0
  displayName: 'Run OpenSSF Scorecard'
```
| Input | Required | Default | Description |
|---|---|---|---|
| repoToken | Yes | $(System.AccessToken) | Azure DevOps PAT with read access to the repository |
| resultsFormat | No | sarif | Output format for results (`sarif` or `json`) |
| resultsFile | No | Auto-generated | Path where results will be saved |
repoToken
The Azure DevOps Personal Access Token used to access the repository. The default $(System.AccessToken) is automatically provided by Azure DevOps and has appropriate permissions for most scenarios.
resultsFormat
Choose between:
- sarif - Static Analysis Results Interchange Format (recommended for integration with security tools)
- json - Standard JSON format
resultsFile
If not specified, the task will generate a filename based on the format:
- SARIF format: scorecard-results.sarif
- JSON format: scorecard-results.json
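The JSON output lends itself to a quality gate in a later pipeline step. The script below is an added example, not part of this task; it assumes the results file carries a top-level `score` and a `checks` list whose entries have `name`, `score` and `reason`, with a score of -1 meaning the check could not run, and it uses a constructed sample in that shape rather than real results.

```python
"""Gate an Azure Pipeline on the JSON results written by the Scorecard task.

Assumed layout (constructed sample below, not real output): a top-level
"score" plus a "checks" list whose entries carry "name", "score" and
"reason"; a check score of -1 means the check could not be run.
"""
import json
import sys

# Constructed sample in the shape assumed above (not results from a real repo).
SAMPLE_RESULTS = {
    "score": 6.4,
    "checks": [
        {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found in the repo"},
        {"name": "Token-Permissions", "score": 0, "reason": "detected tokens with write permissions"},
        {"name": "Pinned-Dependencies", "score": 3, "reason": "dependency not pinned by hash"},
        {"name": "Fuzzing", "score": -1, "reason": "internal error: check could not be run"},
    ],
}


def failing_checks(results: dict, threshold: int = 5) -> list:
    """(name, score, reason) for every check that ran and scored below `threshold`."""
    return [
        (c["name"], c["score"], c["reason"])
        for c in results.get("checks", [])
        if 0 <= c["score"] < threshold
    ]


def unrun_checks(results: dict) -> list:
    """Names of checks Scorecard reported as not run (score -1); these are
    reported but not counted against the gate, so one check outage does not
    block every build."""
    return [c["name"] for c in results.get("checks", []) if c["score"] < 0]


def gate(results: dict, threshold: int = 5) -> int:
    """Print a summary and return an exit code: 0 = pass, 1 = gate failed."""
    failing = failing_checks(results, threshold)
    for name, score, reason in failing:
        print(f"FAIL {name}: {score}/10 ({reason})")
    for name in unrun_checks(results):
        print(f"SKIP {name}: check did not run")
    print(f"aggregate score: {results.get('score')}")
    return 1 if failing else 0


if __name__ == "__main__":
    results = SAMPLE_RESULTS
    if len(sys.argv) > 1:  # path to the task's JSON resultsFile
        with open(sys.argv[1]) as f:
            results = json.load(f)
    sys.exit(gate(results))
```

Run it from a script step after the Scorecard task with the JSON resultsFile path as its only argument; a non-zero exit code fails the job.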
Complete Pipeline Example
```yaml
trigger:
- main

pool:
  vmImage: 'ubuntu-latest'

steps:
- checkout: self

- task: Scorecard@0
  displayName: 'Run OpenSSF Scorecard'
  inputs:
    repoToken: $(System.AccessToken)
    resultsFormat: 'sarif'
    resultsFile: 'scorecard-results.sarif'

- task: AdvancedSecurity-Publish@1
  displayName: 'Publish Scorecard Results'
```
Integration with GitHub Advanced Security for Azure DevOps
The Scorecard task integrates with GitHub Advanced Security for Azure DevOps through the AdvancedSecurity-Publish@1 task. This integration allows you to view OpenSSF Scorecard security findings directly in Azure DevOps alongside other security scanning results.
For more information, see Integrate non-Microsoft scanning tools in the Azure DevOps documentation.
License
This project is licensed under the Apache 2.0 License - see the LICENSE file for details.