Add GHA for scorecard analysis (OpenSSF) (#66)

Signed-off-by: Marikkannu, Suresh <[email protected]>

Author: sureshmarikkannu

.github/CODEOWNERS

@@ -0,0 +1,4 @@
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+* @omec-project/5gc-maintainers

.github/dependabot.yml

@@ -19,3 +19,11 @@ updates:
       day: "wednesday"
       time: "21:00"
       timezone: "America/Los_Angeles"
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: "weekly"
+      day: "wednesday"
+      time: "21:00"
+      timezone: "America/Los_Angeles"

.github/workflows/main.yml

@@ -11,31 +11,82 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   doc8:
-    uses: omec-project/.github/.github/workflows/make-target-reuse.yml@main
+    permissions:
+      contents: read
+      actions: read
+      security-events: write
+      id-token: write
+      attestations: write
+    uses: omec-project/.github/.github/workflows/make-target-reuse.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     with:
       branch_name: ${{ github.ref }}
       target: doc8
 
   spell-check:
-    uses: omec-project/.github/.github/workflows/make-target-reuse.yml@main
+    permissions:
+      contents: read
+      checks: write
+      id-token: write
+      attestations: write
+    uses: omec-project/.github/.github/workflows/make-target-reuse.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     with:
       branch_name: ${{ github.ref }}
       target: spelling
 
   link-check:
-    uses: omec-project/.github/.github/workflows/make-target-reuse.yml@main
+    permissions:
+      contents: read
+      checks: write
+      id-token: write
+      attestations: write
+    uses: omec-project/.github/.github/workflows/make-target-reuse.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     with:
       branch_name: ${{ github.ref }}
       target: linkcheck
 
   license-check:
-    uses: omec-project/.github/.github/workflows/license-check.yml@main
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
+    uses: omec-project/.github/.github/workflows/license-check.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     with:
       branch_name: ${{ github.ref }}
 
   fossa-scan:
-    uses: omec-project/.github/.github/workflows/fossa-scan.yml@main
+    permissions:
+      contents: read
+      security-events: write
+      id-token: write
+      attestations: write
+    uses: omec-project/.github/.github/workflows/fossa-scan.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
+    with:
+      branch_name: ${{ github.ref }}
+
+  analysis:
+    if: github.repository_owner == 'omec-project'
+    permissions:
+      actions: read
+      artifact-metadata: read
+      attestations: read
+      checks: read
+      contents: read
+      deployments: read
+      discussions: read
+      id-token: write
+      issues: read
+      models: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      security-events: write
+      statuses: read
+    uses: omec-project/.github/.github/workflows/scorecard-analysis.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     with:
       branch_name: ${{ github.ref }}

.github/workflows/push.yml

@@ -9,27 +9,47 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   validate:
-    uses: omec-project/.github/.github/workflows/validate.yml@main
+    permissions:
+      contents: write
+      actions: read
+      id-token: write
+    uses: omec-project/.github/.github/workflows/validate.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     with:
       branch_name: ${{ github.ref }}
 
   tag-github:
-    uses: omec-project/.github/.github/workflows/tag-github.yml@main
+    permissions:
+      contents: write
+      actions: read
+      id-token: write
+    uses: omec-project/.github/.github/workflows/tag-github.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     secrets: inherit
 
   update-version:
     needs: tag-github
-    uses: omec-project/.github/.github/workflows/update-version.yml@main
+    permissions:
+      contents: write
+      pull-requests: write
+      actions: read
+      id-token: write
+    uses: omec-project/.github/.github/workflows/update-version.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     with:
       changed: ${{ needs.tag-github.outputs.changed }}
       version: ${{ needs.tag-github.outputs.version }}
     secrets: inherit
 
   publish:
     if: github.repository_owner == 'omec-project'
-    uses: omec-project/.github/.github/workflows/publish-docs.yml@main
+    permissions:
+      contents: write
+      actions: read
+      id-token: write
+    uses: omec-project/.github/.github/workflows/publish-docs.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     secrets: inherit
     with:
       branch_name: ${{ github.ref }}

.pre-commit-config.yaml

@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+  rev: v8.29.0
+  hooks:
+  - id: gitleaks
+- repo: https://github.com/golangci/golangci-lint
+  rev: v2.6.1
+  hooks:
+  - id: golangci-lint
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v6.0.0
+  hooks:
+  - id: end-of-file-fixer
+  - id: trailing-whitespace

docs/SECURITY.md

@@ -0,0 +1,41 @@
+<!--
+SPDX-FileCopyrightText: 2025 Intel Corporation
+SPDX-License-Identifier: Apache-2.0
+-->
+# Security Policy
+
+## Supported Versions
+
+We release patches for security vulnerabilities in the following versions:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.x.x   | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability, please:
+
+1. **DO NOT** create a public GitHub issue
+2. Email us at: [email protected]
+3. Include detailed information about the vulnerability
+4. Allow us reasonable time to address the issue before public disclosure
+
+### What to Include
+
+- Description of the vulnerability
+- Steps to reproduce the issue
+- Potential impact assessment
+- Any proof-of-concept code (if applicable)
+
+## Security Best Practices
+
+When using this project:
+- Keep dependencies up to date
+- Use the latest supported version
+- Follow secure coding practices
+- Regularly audit your implementation
+
+## Contact
+
+1. #sdcore-dev channel in [Aether Community Slack](https://aether5g-project.slack.com)