From 5082a7889edf342f29e87cfd45c56140f1464e8c Mon Sep 17 00:00:00 2001
From: HumzahJavid <25638011+HumzahJavid@users.noreply.github.com>
Date: Thu, 19 Sep 2024 13:41:00 +0100
Subject: [PATCH] Update docs with scorecard command and add harden runner step to scorecard workflow
---
 .github/workflows/scorecard.yml | 13 +++++++++++++
 README.md | 4 ++++
 2 files changed, 17 insertions(+)
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index c7cde13..b65a4d0 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -5,7 +5,10 @@ name: Scorecard supply-chain security
 on:
   # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
   branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
     - cron: '00 18 * * 3'
   push:
@@ -18,10 +21,19 @@ jobs:
     name: Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
+      # Needed to upload the results to code-scanning dashboard.
       security-events: write
+      # Needed to publish results
       id-token: write
+      contents: read
+      actions: read
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+        with:
+          egress-policy: audit
+
       - name: 'Checkout code'
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
@@ -41,6 +53,7 @@ jobs:
           path: results.sarif
           retention-days: 5
+      # Upload the results to GitHub's code scanning dashboard.
       - name: 'Upload to code-scanning'
         uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
         with:
diff --git a/README.md b/README.md
index 502f092..c627abb 100644
--- a/README.md
+++ b/README.md
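Review bot: The Harden Runner step added in the second hunk runs with `egress-policy: audit`, which only records the runner's outbound connections and does not restrict them, so by itself it does not reduce what a compromised step or dependency in this job could reach; the usual progression is a few scheduled runs in audit and then `egress-policy: block` with an `allowed-endpoints:` list built from the audit report. A comment on the step would keep that plan visible, e.g. `# audit first; switch to egress-policy: block with allowed-endpoints once the audit shows the hosts this job needs`. In the same hunk, `contents: read` and `actions: read` are added to `permissions` without the why-comment their siblings `security-events` and `id-token` carry; `contents: read` is presumably for the `actions/checkout` step below it, and a one-line comment naming the consumer of each would match the surrounding style. The job definition continues past the end of the hunk, so any later step relying on these permissions is not visible here.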
@@ -112,6 +112,10 @@ Comments have been included to allow override the logic and temporarily test aga
 ## Misc local commands
+### Running scorecard (via docker)
+
+`docker run -e GITHUB_AUTH_TOKEN= gcr.io/openssf/scorecard --repo=https://github.com/fiaisis/admin-portal`
+
 ### Formatting code via prettier
 `yarn run prettier --config prettierrc.json --check **/*.{js,tsx,ts}` - dry run prettier