coder
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/ci.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/scorecard.yml
Lines changed: 47 additions & 0 deletions b/‎.github/workflows/scorecard.yml
Lines changed: 47 additions & 0 deletions
diff --git a/‎.github/workflows/security.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/security.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/typos.toml
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/typos.toml
Lines changed: 1 addition & 0 deletions
diff --git a/‎.vscode/settings.json
Lines changed: 23 additions & 2 deletions b/‎.vscode/settings.json
Lines changed: 23 additions & 2 deletions
diff --git a/‎Makefile
Lines changed: 12 additions & 13 deletions b/‎Makefile
Lines changed: 12 additions & 13 deletions
diff --git a/‎README.md
Lines changed: 3 additions & 0 deletions b/‎README.md
Lines changed: 3 additions & 0 deletions
diff --git a/‎coderd/insights_internal_test.go
Lines changed: 4 additions & 4 deletions b/‎coderd/insights_internal_test.go
Lines changed: 4 additions & 4 deletions
diff --git a/‎docs/CONTRIBUTING.md
Lines changed: 12 additions & 6 deletions b/‎docs/CONTRIBUTING.md
Lines changed: 12 additions & 6 deletions
@@ -186,7 +186,7 @@ jobs:
 
       # Check for any typos
       - name: Check for typos
-        uses: crate-ci/typos@v1.24.6
+        uses: crate-ci/typos@v1.26.0
         with:
           config: .github/workflows/typos.toml
 
 
@@ -0,0 +1,47 @@
+name: OpenSSF Scorecard
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: "27 7 * * 3" # A random time to run weekly
+  push:
+    branches: ["main"]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_results: true
+
+      # Upload the results as artifacts.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
+        with:
+          sarif_file: results.sarif
@@ -114,7 +114,7 @@ jobs:
           echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
+        uses: aquasecurity/trivy-action@f781cce5aab226378ee181d764ab90ea0be3cdd8
         with:
           image-ref: ${{ steps.build.outputs.image }}
           format: sarif
 
@@ -22,6 +22,7 @@ pn = "pn"
 EDE = "EDE"
 # HELO is an SMTP command
 HELO = "HELO"
+LKE = "LKE"
 
 [files]
 extend-exclude = [
 
@@ -6,30 +6,37 @@
 		"ASKPASS",
 		"authcheck",
 		"autostop",
+		"autoupdate",
 		"awsidentity",
 		"bodyclose",
 		"buildinfo",
 		"buildname",
+		"Caddyfile",
 		"circbuf",
 		"cliflag",
 		"cliui",
 		"codecov",
+		"codercom",
 		"coderd",
 		"coderdenttest",
 		"coderdtest",
 		"codersdk",
 		"contravariance",
 		"cronstrue",
 		"databasefake",
+		"dbcrypt",
 		"dbgen",
 		"dbmem",
 		"dbtype",
 		"DERP",
 		"derphttp",
 		"derpmap",
+		"devcontainers",
 		"devel",
 		"devtunnel",
 		"dflags",
+		"dogfood",
+		"dotfiles",
 		"drpc",
 		"drpcconn",
 		"drpcmux",
@@ -38,18 +45,22 @@
 		"embeddedpostgres",
 		"enablements",
 		"enterprisemeta",
+		"Entra",
 		"errgroup",
 		"eventsourcemock",
 		"externalauth",
 		"Failf",
 		"fatih",
+		"filebrowser",
 		"Formik",
 		"gitauth",
+		"Gitea",
 		"gitsshkey",
 		"goarch",
 		"gographviz",
 		"goleak",
 		"gonet",
+		"googleclouddns",
 		"gossh",
 		"gsyslog",
 		"GTTY",
@@ -63,9 +74,11 @@
 		"initialisms",
 		"ipnstate",
 		"isatty",
+		"jetbrains",
 		"Jobf",
 		"Keygen",
 		"kirsle",
+		"knowledgebase",
 		"Kubernetes",
 		"ldflags",
 		"magicsock",
@@ -77,6 +90,7 @@
 		"namesgenerator",
 		"namespacing",
 		"netaddr",
+		"netcheck",
 		"netip",
 		"netmap",
 		"netns",
@@ -93,13 +107,16 @@
 		"opty",
 		"paralleltest",
 		"parameterscopeid",
+		"portsharing",
 		"pqtype",
 		"prometheusmetrics",
 		"promhttp",
 		"protobuf",
 		"provisionerd",
 		"provisionerdserver",
 		"provisionersdk",
+		"psql",
+		"ptrace",
 		"ptty",
 		"ptys",
 		"ptytest",
@@ -114,6 +131,7 @@
 		"Signup",
 		"slogtest",
 		"sourcemapped",
+		"speedtest",
 		"spinbutton",
 		"Srcs",
 		"stdbuf",
@@ -154,13 +172,15 @@
 		"turnconn",
 		"typegen",
 		"typesafe",
+		"unauthenticate",
 		"unconvert",
-		"Untar",
-		"Userspace",
+		"untar",
+		"userspace",
 		"VMID",
 		"walkthrough",
 		"weblinks",
 		"webrtc",
+		"websockets",
 		"wgcfg",
 		"wgconfig",
 		"wgengine",
@@ -172,6 +192,7 @@
 		"workspaceapps",
 		"workspacebuilds",
 		"workspacename",
+		"workspaceproxies",
 		"wsjson",
 		"xerrors",
 		"xlarge",
 
@@ -495,9 +495,9 @@ gen: \
 	coderd/rbac/object_gen.go \
 	codersdk/rbacresources_gen.go \
 	site/src/api/rbacresourcesGenerated.ts \
-	docs/admin/prometheus.md \
-	docs/reference/cli/README.md \
-	docs/admin/audit-logs.md \
+	docs/admin/integrations/prometheus.md \
+	docs/reference/cli/index.md \
+	docs/admin/security/audit-logs.md \
 	coderd/apidoc/swagger.json \
 	.prettierignore.include \
 	.prettierignore \
@@ -525,9 +525,9 @@ gen/mark-fresh:
 		coderd/rbac/object_gen.go \
 		codersdk/rbacresources_gen.go \
 		site/src/api/rbacresourcesGenerated.ts \
-		docs/admin/prometheus.md \
-		docs/reference/cli/README.md \
-		docs/admin/audit-logs.md \
+		docs/admin/integrations/prometheus.md \
+		docs/reference/cli/index.md \
+		docs/admin/security/audit-logs.md \
 		coderd/apidoc/swagger.json \
 		.prettierignore.include \
 		.prettierignore \
@@ -638,21 +638,20 @@ codersdk/rbacresources_gen.go: scripts/rbacgen/codersdk.gotmpl scripts/rbacgen/m
 site/src/api/rbacresourcesGenerated.ts: scripts/rbacgen/codersdk.gotmpl scripts/rbacgen/main.go coderd/rbac/object.go coderd/rbac/policy/policy.go
 	go run scripts/rbacgen/main.go typescript > "$@"
 
-
-docs/admin/prometheus.md: scripts/metricsdocgen/main.go scripts/metricsdocgen/metrics
+docs/admin/integrations/prometheus.md: scripts/metricsdocgen/main.go scripts/metricsdocgen/metrics
 	go run scripts/metricsdocgen/main.go
 	./scripts/pnpm_install.sh
-	pnpm exec prettier --write ./docs/admin/prometheus.md
+	pnpm exec prettier --write ./docs/admin/integrations/prometheus.md
 
-docs/reference/cli/README.md: scripts/clidocgen/main.go examples/examples.gen.json $(GO_SRC_FILES)
+docs/reference/cli/index.md: scripts/clidocgen/main.go examples/examples.gen.json $(GO_SRC_FILES)
 	CI=true BASE_PATH="." go run ./scripts/clidocgen
 	./scripts/pnpm_install.sh
-	pnpm exec prettier --write ./docs/reference/cli/README.md ./docs/reference/cli/*.md ./docs/manifest.json
+	pnpm exec prettier --write ./docs/reference/cli/index.md ./docs/reference/cli/*.md ./docs/manifest.json
 
-docs/admin/audit-logs.md: coderd/database/querier.go scripts/auditdocgen/main.go enterprise/audit/table.go coderd/rbac/object_gen.go
+docs/admin/security/audit-logs.md: coderd/database/querier.go scripts/auditdocgen/main.go enterprise/audit/table.go coderd/rbac/object_gen.go
 	go run scripts/auditdocgen/main.go
 	./scripts/pnpm_install.sh
-	pnpm exec prettier --write ./docs/admin/audit-logs.md
+	pnpm exec prettier --write ./docs/admin/security/audit-logs.md
 
 coderd/apidoc/swagger.json: $(shell find ./scripts/apidocgen $(FIND_EXCLUSIONS) -type f) $(wildcard coderd/*.go) $(wildcard enterprise/coderd/*.go) $(wildcard codersdk/*.go) $(wildcard enterprise/wsproxy/wsproxysdk/*.go) $(DB_GEN_FILES) .swaggo docs/manifest.json coderd/rbac/object_gen.go
 	./scripts/apidocgen/generate.sh
 
@@ -26,6 +26,8 @@
 [![release](https://img.shields.io/github/v/release/coder/coder)](https://github.com/coder/coder/releases/latest)
 [![godoc](https://pkg.go.dev/badge/github.com/coder/coder.svg)](https://pkg.go.dev/github.com/coder/coder)
 [![Go Report Card](https://goreportcard.com/badge/github.com/coder/coder/v2)](https://goreportcard.com/report/github.com/coder/coder/v2)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/9511/badge)](https://www.bestpractices.dev/projects/9511)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/coder/coder/badge)](https://api.securityscorecards.dev/projects/github.com/coder/coder)
 [![license](https://img.shields.io/github/license/coder/coder)](./LICENSE)
 
 </div>
@@ -111,6 +113,7 @@ We are always working on new integrations. Please feel free to open an issue and
 - [**Module Registry**](https://registry.coder.com): Extend development environments with common use-cases
 - [**Kubernetes Log Stream**](https://github.com/coder/coder-logstream-kube): Stream Kubernetes Pod events to the Coder startup logs
 - [**Self-Hosted VS Code Extension Marketplace**](https://github.com/coder/code-marketplace): A private extension marketplace that works in restricted or airgapped networks integrating with [code-server](https://github.com/coder/code-server).
+- [**Setup Coder**](https://github.com/marketplace/actions/setup-coder): An action to setup coder CLI in GitHub workflows.
 
 ### Community
 
 
@@ -179,17 +179,17 @@ func Test_parseInsightsInterval_week(t *testing.T) {
 	t.Parallel()
 
 	layout := insightsTimeLayout
-	sydneyLoc, err := time.LoadLocation("Australia/Sydney") // Random location
+	losAngelesLoc, err := time.LoadLocation("America/Los_Angeles") // Random location
 	require.NoError(t, err)
 
-	now := time.Now().In(sydneyLoc)
+	now := time.Now().In(losAngelesLoc)
 	t.Logf("now: %s", now)
 
 	y, m, d := now.Date()
-	today := time.Date(y, m, d, 0, 0, 0, 0, sydneyLoc)
+	today := time.Date(y, m, d, 0, 0, 0, 0, losAngelesLoc)
 	t.Logf("today: %s", today)
 
-	thisHour := time.Date(y, m, d, now.Hour(), 0, 0, 0, sydneyLoc)
+	thisHour := time.Date(y, m, d, now.Hour(), 0, 0, 0, losAngelesLoc)
 	t.Logf("thisHour: %s", thisHour)
 	twoHoursAgo := thisHour.Add(-2 * time.Hour)
 	t.Logf("twoHoursAgo: %s", twoHoursAgo)
 
@@ -247,20 +247,23 @@ be applied selectively or to discourage anyone from contributing.
 
 ## Releases
 
-Coder releases are initiated via [`./scripts/release.sh`](../scripts/release.sh)
+Coder releases are initiated via
+[`./scripts/release.sh`](https://github.com/coder/coder/blob/main/scripts/release.sh)
 and automated via GitHub Actions. Specifically, the
-[`release.yaml`](../.github/workflows/release.yaml) workflow. They are created
-based on the current [`main`](https://github.com/coder/coder/tree/main) branch.
+[`release.yaml`](https://github.com/coder/coder/blob/main/.github/workflows/release.yaml)
+workflow. They are created based on the current
+[`main`](https://github.com/coder/coder/tree/main) branch.
 
 The release notes for a release are automatically generated from commit titles
 and metadata from PRs that are merged into `main`.
 
 ### Creating a release
 
 The creation of a release is initiated via
-[`./scripts/release.sh`](../scripts/release.sh). This script will show a preview
-of the release that will be created, and if you choose to continue, create and
-push the tag which will trigger the creation of the release via GitHub Actions.
+[`./scripts/release.sh`](https://github.com/coder/coder/blob/main/scripts/release.sh).
+This script will show a preview of the release that will be created, and if you
+choose to continue, create and push the tag which will trigger the creation of
+the release via GitHub Actions.
 
 See `./scripts/release.sh --help` for more information.
 
@@ -315,6 +318,9 @@ Breaking changes can be triggered in two ways:
 
 ### Security
 
+> If you find a vulnerability, **DO NOT FILE AN ISSUE**. Instead, send an email
+> to security@coder.com.
+
 The
 [`security`](https://github.com/coder/coder/issues?q=sort%3Aupdated-desc+label%3Asecurity)
 label can be added to PRs that have, or will be, merged into `main`. Doing so