OSSF Scorecard Azure Pipelines Task

An Azure Pipelines task that runs OpenSSF Scorecard to evaluate the security posture of your repository.

What is OpenSSF Scorecard?

OpenSSF Scorecard is an automated tool that assesses projects for security risks through a series of checks. It evaluates projects based on security practices and provides a score and recommendations for improvement. For detailed information about each check, visit the Scorecard documentation.

Quick Start

Add the following task to your Azure Pipeline:

- task: Scorecard@0
  displayName: 'Run OpenSSF Scorecard'

Task Inputs

Input	Required	Default	Description
`repoToken`	Yes	`$(System.AccessToken)`	Azure DevOps PAT with read access to the repository
`resultsFormat`	No	`sarif`	Output format for results (`sarif` or `json`)
`resultsFile`	No	Auto-generated	Path where results will be saved

Inputs

`repoToken`

The Azure DevOps Personal Access Token used to access the repository. The default $(System.AccessToken) is automatically provided by Azure DevOps and has appropriate permissions for most scenarios.

`resultsFormat`

Choose between:

sarif - Static Analysis Results Interchange Format (recommended for integration with security tools)
json - Standard JSON format

`resultsFile`

If not specified, the task will generate a filename based on the format:

SARIF format: scorecard-results.sarif
JSON format: scorecard-results.json

Complete Pipeline Example

trigger:
- main

pool:
  vmImage: 'ubuntu-latest'

steps:
- checkout: self

- task: Scorecard@0
  displayName: 'Run OpenSSF Scorecard'
  inputs:
    repoToken: $(System.AccessToken)
    resultsFormat: 'sarif'
    resultsFile: 'scorecard-results.sarif'

- task: AdvancedSecurity-Publish@1
  displayName: 'Publish Scorecard Results'

Integration with GitHub Advanced Security for Azure DevOps

The Scorecard task integrates with GitHub Advanced Security for Azure DevOps through the AdvancedSecurity-Publish@1 task. This integration allows you to view OpenSSF Scorecard security findings directly in Azure DevOps alongside other security scanning results.

For more information, see Integrate non-Microsoft scanning tools in the Azure DevOps documentation.

License

This project is licensed under the Apache 2.0 License - see the LICENSE file for details.

Related Projects

OpenSSF Scorecard - The main Scorecard project
Scorecard GitHub Action - GitHub Action version
Scorecard Monitor - Continuous monitoring tool

Name		Name	Last commit message	Last commit date
Latest commit History 107 Commits
.github		.github
assets		assets
src		src
.gitignore		.gitignore
.npmrc		.npmrc
LICENSE		LICENSE
README.md		README.md
SECURITY.md		SECURITY.md
biome.json		biome.json
esbuild.mjs		esbuild.mjs
package.json		package.json
pnpm-lock.yaml		pnpm-lock.yaml
tsconfig.json		tsconfig.json
vss-extension.json		vss-extension.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

OSSF Scorecard Azure Pipelines Task

What is OpenSSF Scorecard?

Quick Start

Task Inputs

Inputs

`repoToken`

`resultsFormat`

`resultsFile`

Complete Pipeline Example

Integration with GitHub Advanced Security for Azure DevOps

License

Related Projects

About

Uh oh!

Releases 17

Uh oh!

Contributors 2

Languages

License

JamieMagee/scorecard-azure-pipelines-task

Folders and files

Latest commit

History

Repository files navigation

OSSF Scorecard Azure Pipelines Task

What is OpenSSF Scorecard?

Quick Start

Task Inputs

Inputs

repoToken

resultsFormat

resultsFile

Complete Pipeline Example

Integration with GitHub Advanced Security for Azure DevOps

License

Related Projects

About

Topics

Resources

License

Security policy

Uh oh!

Stars

Watchers

Forks

Releases 17

Uh oh!

Contributors 2

Languages

`repoToken`

`resultsFormat`

`resultsFile`