RandomCodeSpace · aksOps · May 1, 2026 · May 1, 2026 · May 1, 2026
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -0,0 +1,75 @@
+name: OpenSSF Scorecard
+
+# Runs the OpenSSF Scorecard supply-chain check on every push to main
+# and weekly. Results are uploaded to GitHub's code-scanning surface
+# (visible at /security/code-scanning) AND published to the public
+# Scorecard registry at api.scorecard.dev so the README badge shows
+# the live score.
+#
+# Required repo settings:
+# - Settings → Actions → General → Workflow permissions: at least
+#   "Read repository contents and packages permissions" (default).
+# - Settings → Code security → Code scanning: enabled (so SARIF
+#   uploads land somewhere).
+# - The workflow grants `id-token: write` so the action can mint an
+#   OIDC token signed by GitHub and use it as proof-of-identity when
+#   pushing results to the Scorecard API. No long-lived secret needed.
+
+on:
+  branch_protection_rule:
+  push:
+    branches: [main]
+  schedule:
+    # Weekly so the score reflects security-relevant changes (new
+    # deps, new releases, branch-protection edits) even when there's
+    # no push for a few days. Tuesdays 03:00 UTC keeps it off the
+    # busy weekday-morning window.
+    - cron: "0 3 * * 2"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Required for upload-sarif → /security/code-scanning.
+      security-events: write
+      # Required for OIDC publish_results=true → api.scorecard.dev.
+      id-token: write
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout
+        # actions/checkout@v4 = b4ffde65f46336ab88eb53be808477a3936bae11
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        with:
+          persist-credentials: false
+
+      - name: Run analysis
+        # ossf/scorecard-action@v2.4.3
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # publish_results=true sends the score to the public registry
+          # so the README badge resolves. It is also a public-good
+          # contribution — anyone evaluating ctm's supply-chain posture
+          # can read the breakdown without re-running the tool.
+          publish_results: true
+
+      - name: Upload artifact
+        # actions/upload-artifact@v7.0.1
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: Upload to code-scanning
+        # github/codeql-action/upload-sarif@v4.35.2
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225
+        with:
+          sarif_file: results.sarif
diff --git a/README.md b/README.md
@@ -7,8 +7,30 @@
   <a href="https://goreportcard.com/report/github.com/RandomCodeSpace/ctm"><img src="https://goreportcard.com/badge/github.com/RandomCodeSpace/ctm" alt="Go Report Card"></a>
   <img src="https://img.shields.io/github/go-mod/go-version/RandomCodeSpace/ctm?color=00ADD8&label=go" alt="Go version">
   <a href="https://github.com/RandomCodeSpace/ctm/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-MIT-green" alt="License MIT"></a>
+  <a href="https://scorecard.dev/viewer/?uri=github.com/RandomCodeSpace/ctm"><img src="https://api.scorecard.dev/projects/github.com/RandomCodeSpace/ctm/badge" alt="OpenSSF Scorecard"></a>
 </p>
 
+<!--
+OpenSSF Best Practices badge — one-time setup, then add the markup
+back into the badge row above:
+
+  1. Sign in with GitHub at https://www.bestpractices.dev/en/projects/new
+  2. Submit the project; the form assigns a numeric PROJECT_ID and
+     opens the criteria checklist (passing / silver / gold tiers).
+  3. Add the following to the <p align="center"> block above (replace
+     PROJECT_ID with the assigned number):
+
+        <a href="https://www.bestpractices.dev/projects/PROJECT_ID">
+          <img src="https://www.bestpractices.dev/projects/PROJECT_ID/badge"
+               alt="OpenSSF Best Practices">
+        </a>
+
+The badge auto-updates as criteria are checked off — no CI integration
+required (unlike the Scorecard badge, which is updated by the
+.github/workflows/scorecard.yml workflow on every push to main).
+-->
+
+
 <p align="center">
   <a href="#quickstart">Quickstart</a> ·
   <a href="#commands">Commands</a> ·