Recursive GH workflow traversal
Is your feature request related to a problem? Please describe.
When looking up usages of something in GH workflow files, it would be nice to make the lookup recursive.
The concrete case I found this with is related to SAST: if a project makes use of CodeQL through a reusable workflow, it is not detected as being used even though the reusable workflow file does make use of codeql-action/analyze.
So if
- scorecard for project-A is being analyzed and
- it uses a reusable workflow from project-B, and
- only the reused workflow in project-B references a CodeQL action that is being checked by scorecard (i.e. there are no direct supported CodeQL references in project-A)
- SAST is not detected as being used in project-A
Describe the solution you'd like
Recursive lookup of GH workflow files where applicable.
Describe alternatives you've considered
N/A
Additional context
Example of a reusable workflow (project-B in the above example): https://github.com/scop/workflow-test/blob/b3c85913e61ccb0310580e0fc33a765157120839/.github/workflows/codeql-reusable.yaml
Example of a project making use of that workflow (project-A in the above example), and SAST not being detected on it: https://github.com/scop/workflow-test2/blob/fe499ac0f0c2dc000315f19a7ebfa7690f6ca912/.github/workflows/codeql.yaml
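A sketch of the recursive lookup requested above, added here as an illustration; it is not Scorecard's code and not part of the original issue. The `org/project-a` and `org/project-b` files, the `@main` and `@v2` refs, and the helper names are constructed; `fetch` stands in for retrieving a file from another repository, and local `./.github/workflows/...` references are not resolved.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// usesRe captures the value of every `uses:` key, job-level or step-level.
var usesRe = regexp.MustCompile(`(?m)^\s*-?\s*uses:\s*["']?([^\s"'#]+)`)

// isReusableWorkflow: true for owner/repo/.github/workflows/x.yaml@ref, false for actions.
func isReusableWorkflow(ref string) bool {
	path := strings.SplitN(ref, "@", 2)[0]
	return strings.Contains(path, "/.github/workflows/") && (strings.HasSuffix(path, ".yaml") || strings.HasSuffix(path, ".yml"))
}

// findAction returns the chain of workflow files from ref to the one whose step uses action, or nil.
func findAction(ref, action string, fetch func(string) (string, bool), seen map[string]bool) []string {
	body, ok := fetch(ref)
	if seen[ref] || !ok {
		return nil // already visited (call cycle) or file not retrievable
	}
	seen[ref] = true
	for _, m := range usesRe.FindAllStringSubmatch(body, -1) {
		if strings.HasPrefix(m[1], action) {
			return []string{ref}
		}
		if isReusableWorkflow(m[1]) {
			if chain := findAction(m[1], action, fetch, seen); chain != nil {
				return append([]string{ref}, chain...)
			}
		}
	}
	return nil
}

// Constructed sample files standing in for project-A, project-B and a self-calling workflow.
var sample = map[string]string{
	"org/project-a/.github/workflows/codeql.yaml@main":          "jobs:\n  codeql:\n    uses: org/project-b/.github/workflows/codeql-reusable.yaml@main\n",
	"org/project-b/.github/workflows/codeql-reusable.yaml@main": "on: workflow_call\njobs:\n  analyze:\n    steps:\n      - uses: github/codeql-action/init@v2\n      - uses: github/codeql-action/analyze@v2\n",
	"org/project-c/.github/workflows/loop.yaml@main":            "jobs:\n  x:\n    uses: org/project-c/.github/workflows/loop.yaml@main\n",
}

func fetchSample(ref string) (string, bool) { body, ok := sample[ref]; return body, ok }

func main() {
	fmt.Println(findAction("org/project-a/.github/workflows/codeql.yaml@main", "github/codeql-action/analyze", fetchSample, map[string]bool{}))
}
```

The returned chain records which file actually contains the action, so a result can show that the evidence came from a called workflow rather than from the analyzed repository itself.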
This issue has been marked stale because it has been open for 60 days with no activity.
Still open.