scorecard

[!IMPORTANT]
This is a v5 prerelease candidate. There may be more breaking changes before the official v5.0.0 release.

What's Changed

Structured Results

• ✨ allow probes to collect their own data from repo clients by @spencerschrock in https://github.com/ossf/scorecard/pull/4052

Check Enhancements and Bug Fixes

• Signed-Releases
  • 🐛 Fixed a Signed-Releases bug where more releases were being analyzed than intended. (#4060, @spencerschrock)
• Code-Review
  • 🐛 Fixed an issue where Phabricator reviews weren't being parsed properly. (#4086, @spencerschrock)

Breaking Changes

• ⚠️ errors in ErrXXX format by @cmwylie19 in https://github.com/ossf/scorecard/pull/4040
• ⚠️ Enables maintainers to write annotations for Scorecard checks and consumers to view these annotations in Scorecard UI. (experimental #3905, @gabibguti)

Docs

• 📖 Docs: update website by @raghavkaul in https://github.com/ossf/scorecard/pull/4041
• 📖 governance: Adopt Scorecard project charter by @justaugustus in https://github.com/ossf/scorecard/pull/4054

Other

• 🌱 Remove survey by @afmarcum in https://github.com/ossf/scorecard/pull/4077
• 🌱 Update Binary-Artifacts and License tests by @seelder in https://github.com/ossf/scorecard/pull/4079

New Contributors

• @cmwylie19 made their first contribution in https://github.com/ossf/scorecard/pull/4040
• @seelder made their first contribution in https://github.com/ossf/scorecard/pull/4079

Full Changelog: https://github.com/ossf/scorecard/compare/v5.0.0-rc1...v5.0.0-rc2

[!IMPORTANT]
This is a v5 prerelease candidate. There may be more breaking changes before the official v5.0.0 release.

What's Changed

Structured Results

We invite users to try out a preview of Structured Results, the main feature from this release candidate. For more details on the feature, please check out the first paragraph of our probes README as well as our blog post (coming next week).

At a high level, structured results involves breaking the existing 19 Scorecard Checks into individual heuristics so users can pick and choose which ones they care about. You can see a list of all supported probes by checking out the probes/ directory. To run individual probes, use the --probes CLI flag with a comma separated list of names. You must also specify the --format probe option to see the results. Please run scorecard --help if you need more details.

Example:

scorecard --repo github.com/ossf/scorecard --probes archived,fuzzed,hasLicenseFile --format probe

Check Enhancements and Bug Fixes

• Branch-Protection
  • ✨ Branch Protection check now also evaluates if the project requires PRs prior to make changes to the branch. This won't change anything for the users that already require reviews, but will enable score enhancement for those who can't require reviewers. (#3499, @diogoteles08)
• Dependency-Update-Tool
  • ✨ Dependency-Update-Tool now detects Renovate config files in a .gitlab folder. (#3823, @spencerschrock)
  • 🐛 Sonatype Lift is no longer recognized as a Dependency-Update-Tool because it is retired. (#3605, @spencerschrock)
  • 🐛 Dependency-Update-Tool: ignore search commit data for repo clients which dont support it by @spencerschrock in https://github.com/ossf/scorecard/pull/3756
• Fuzzing
  • ⚠️ Remove OneFuzz from fuzzing checks by @DavidKorczynski in https://github.com/ossf/scorecard/pull/3666
• Pinned-Dependencies
  • 🐛 Pinned-Dependencies now continues after encountering runtime errors (#3515, @pnacht)
  • 🐛 Scorecard no longer considers unpinned Dockerfiles in vendor and third_party directories. (#3675, @AdamKorcz)
  • 🐛 Files downloaded by Git SHA from GitHub and executed are no longer considered as not pinned by hash. (#3694, @martincostello)
  • 🐛 Shell commands in Dockerfile here-documents are now parsed correctly by the Pinned-Dependencies check (#3774, @jkreileder)
• Signed-Releases
  • 🐛 Fixed a bug which allowed some repos to score higher than 10 in the Signed-Releases check. (#3768, @spencerschrock)
  • ✨ Support .sigstore bundles to check for signed releases (#3772, @edgarrmondragon)
• Vulnerabilities
  • 🐛 Projects without dependencies or packages no longer throw an error for the Vulnerabilities check. (#3803, @spencerschrock)
  • 🐛 Go stdlib vulns are removed Vulnerabilities check output (#3925, @spencerschrock)

RepoClient Improvements

• GitHub

  • 🐛 Scorecard processes commit activity from large GitHub repos in chunks to avoid timeout issues (#3680, @spencerschrock)

• GitLab

  • 🐛 Fix scanning for GitLab private repositories. (#3596, @gabibguti)
  • ✨ Added --commit-depth support for GitLab repos (#3672, @ashearin)
  • 🐛 Parse Gitlab Status fields to align w/Github Status and Conclusion by @ashearin in https://github.com/ossf/scorecard/pull/3706
  • 🐛 Fix signed release error for empty gitlab repo by @naveensrinivasan in https://github.com/ossf/scorecard/pull/3753
  • 🐛 Scorecard no longer crashes on GitLab repos with no commits (#3731, @ashearin)
  • 🐛 Fixed a bug which prevented Scorecard from analyzing some self-hosted GitLab repos. (#3819, @spencerschrock)

• Local Directory

  • 🐛 ignore .git folder for localdir by @naveensrinivasan in https://github.com/ossf/scorecard/pull/3943

Other

• 🐛 Fix nils by @naveensrinivasan in https://github.com/ossf/scorecard/pull/3750
• ✨ Added logic to ensure check scores are between 0 and 10 (#3769, @spencerschrock)

Breaking Changes

• File access through RepoClient now returns an io.ReadCloser, instead of the full file contents. (#3912, @spencerschrock). This enabled fixing two bugs which affect very large repos.
  • 🐛 Limit Binary Artifact file reads to first 1024 bytes by @spencerschrock in https://github.com/ossf/scorecard/pull/3923
  • 🐛 Avoid reading every file searching for sonar configs by @spencerschrock in https://github.com/ossf/scorecard/pull/3929
• ⚠️ refactor: rename fields on Branch Protection Pull Request rules by @diogoteles08 in https://github.com/ossf/scorecard/pull/3879
• ⚠️ removerule.Remediation and switch users to probe.Remediation by @spencerschrock in https://github.com/ossf/scorecard/pull/3978

Docs

• 📖 fix typo by @AdamKorcz in https://github.com/ossf/scorecard/pull/3699
• 📖 Added beginner's guide to scorecard checks docs by @ariathaker in https://github.com/ossf/scorecard/pull/3617
• 📖 fixup transposition typos in remediation package copy by @daveworth in https://github.com/ossf/scorecard/pull/3734
• 📖 Update README with zoom meeting info by @leec94 in https://github.com/ossf/scorecard/pull/3739
• 📖 Clarify lack of 2FA check in README by @raghavkaul in https://github.com/ossf/scorecard/pull/3784
• 📖 Add documentation about probes and contributing by @AdamKorcz in https://github.com/ossf/scorecard/pull/3762
• 📖 Spelling by @jsoref in https://github.com/ossf/scorecard/pull/3804
• 📖 Update contributor ladder to reduce duration requirements by @afmarcum in https://github.com/ossf/scorecard/pull/3899
• 📖 Update slack image by @afmarcum in https://github.com/ossf/scorecard/pull/3906
• 📖 Document that .sigstore bundles are part of check for Signed-Releases (#3922, @cpswan)
• 📖 Add survey announcement to readme by @afmarcum in https://github.com/ossf/scorecard/pull/3942
• 📖 Review and update CONTRIBUTING.md by @spencerschrock in https://github.com/ossf/scorecard/pull/4002
• 📖 revert PAT scope change and document Go resources by @spencerschrock in https://github.com/ossf/scorecard/pull/4003

New Contributors

• @ashearin made their first contribution in https://github.com/ossf/scorecard/pull/3672
• @ariathaker made their first contribution in https://github.com/ossf/scorecard/pull/3617
• @daveworth made their first contribution in https://github.com/ossf/scorecard/pull/3734
• @edgarrmondragon made their first contribution in https://github.com/ossf/scorecard/pull/3772
• @manishtiwari25 made their first contribution in https://github.com/ossf/scorecard/pull/3732
• @jkreileder made their first contribution in https://github.com/ossf/scorecard/pull/3774
• @tuminoid made their first contribution in https://github.com/ossf/scorecard/pull/3783
• @lelia made their first contribution in https://github.com/ossf/scorecard/pull/3822
• @jsoref made their first contribution in https://github.com/ossf/scorecard/pull/3804
• @jitsengupta17 made their first contribution in https://github.com/ossf/scorecard/pull/3302
• @cpswan made their first contribution in https://github.com/ossf/scorecard/pull/3922
• @adamdmharvey made their first contribution in https://github.com/ossf/scorecard/pull/3972
• @fhoeborn made their first contribution in https://github.com/ossf/scorecard/pull/3838

Full Changelog: https://github.com/ossf/scorecard/compare/v4.13.1...v5.0.0-rc1

What's Changed

New

• Fuzzing

  • ✨ Adds fuzzing probes for C, CPP, Python, Rust and Java by @DavidKorczynski in https://github.com/ossf/scorecard/pull/3473
  • ✨ Add support for fast-check test runners integrations by @sheerlox in https://github.com/ossf/scorecard/pull/3568

• Weekly Public Data Cron

  • 🌱 Adding all Intel public GitHub repos by @ware in https://github.com/ossf/scorecard/pull/3556

Bug Fixes

• SAST
  • 🐛 Fix usage of GitHub CodeQL not being detected correctly by @martincostello in https://github.com/ossf/scorecard/pull/3591

Docs

• 📖 fix "default" typo by @testwill in https://github.com/ossf/scorecard/pull/3543

New Contributors

• @testwill made their first contribution in https://github.com/ossf/scorecard/pull/3543
• @ware made their first contribution in https://github.com/ossf/scorecard/pull/3556
• @sheerlox made their first contribution in https://github.com/ossf/scorecard/pull/3568

Full Changelog: https://github.com/ossf/scorecard/compare/v4.13.0...v4.13.1

What's Changed

New

• Binary Artifacts:

  • ✨ The Binary-Artifacts check supports local repos again by @spencerschrock in https://github.com/ossf/scorecard/pull/3415
  • ✨ Check for static archives in Binary Artifacts by @DavidKorczynski in https://github.com/ossf/scorecard/pull/3454

• Branch Protection:

  • ✨ Branch protection now considers repository rulesets by @thepwagner in https://github.com/ossf/scorecard/pull/3354
  • ✨ Move "EnforcesAdmins" to tier 5 Branch-Protection by @spencerschrock in https://github.com/ossf/scorecard/pull/3502

• Pinned-Dependencies:

  • ✨ Only score detected ecosystems by @gabibguti in https://github.com/ossf/scorecard/pull/3436

• Permissions:

  • ✨ broaden job matcher for semantic release by @secustor in https://github.com/ossf/scorecard/pull/3506

• CLI:

  • ✨ Increase PyPI parsing flexibility for --pypi flag by @joshgc in https://github.com/ossf/scorecard/pull/3423
  • ✨ Add --output argument to write results to file by @gabibguti in https://github.com/ossf/scorecard/pull/3482

Bug Fixes

• License:
  • 🐛 Fixed situations where the Licenses folder wasn't being detected. by @spencerschrock in https://github.com/ossf/scorecard/pull/3412
  • 🐛 Licenses: Get License SPDXId from GitLab API by @raghavkaul in https://github.com/ossf/scorecard/pull/3413
  • 🐛 License: npe by @raghavkaul in https://github.com/ossf/scorecard/pull/3500
• Security Policy:
  • 🐛 The Security-Policy check will no longer print to the log if the org's .github repo is empty by @spencerschrock in https://github.com/ossf/scorecard/pull/3433
• Pinned-Dependencies:
  • 🐛 Add go installs to Pinned-Dependencies score by @gabibguti in https://github.com/ossf/scorecard/pull/3424
• Fuzzing:
  • 🐛 GitLab: Fix URI() used for OSS-Fuzz detection by @raghavkaul in https://github.com/ossf/scorecard/pull/3477
  • 🐛 Fix parsing OSSFuzz project repos with subfolders and capitalization. by @spencerschrock in https://github.com/ossf/scorecard/pull/3364
• Misc:
  • 🐛 Print Info in Empty Repo Scans by @leec94 in https://github.com/ossf/scorecard/pull/3426
  • 🐛 Set repo commit SHA in results after fetching successfully. by @spencerschrock in https://github.com/ossf/scorecard/pull/3514
  • 🐛 Fix loop aliasing errors. by @spencerschrock in https://github.com/ossf/scorecard/pull/3414

Docs

• 📖 Added CDLA data license for the API to the README by @david-a-wheeler in https://github.com/ossf/scorecard/pull/3404
• 📖 Update bestpractices links by @fredgan in https://github.com/ossf/scorecard/pull/3448
• 📖 Add webviewer link by @olivekl in https://github.com/ossf/scorecard/pull/3490
• 📖 Add gitlab links to viewer example by @olivekl in https://github.com/ossf/scorecard/pull/3494
• 📖 Update docs for Signed-Releases check by @raghavkaul in https://github.com/ossf/scorecard/pull/3469
• 📖 Fix documentation typos by @omahs in https://github.com/ossf/scorecard/pull/3505

New Contributors

• @joshgc made their first contribution in https://github.com/ossf/scorecard/pull/3423
• @AdamKorcz made their first contribution in https://github.com/ossf/scorecard/pull/3449
• @DavidKorczynski made their first contribution in https://github.com/ossf/scorecard/pull/3454
• @afmarcum made their first contribution in https://github.com/ossf/scorecard/pull/3455
• @fredgan made their first contribution in https://github.com/ossf/scorecard/pull/3448
• @omahs made their first contribution in https://github.com/ossf/scorecard/pull/3505
• @secustor made their first contribution in https://github.com/ossf/scorecard/pull/3506

Full Changelog: https://github.com/ossf/scorecard/compare/v4.12.0...v4.13.0

This version of Scorecard supports GitLab repos by default.

This release also adds preliminary support for the scdiff command which can be used to compare changes in Scorecard scores for a repository between versions of Scorecard, as well as probe support for the Security-Policy check.

Finally, this release fixes scoring issues in the Branch-Protection and Pinned-Dependencies checks.

What's Changed

WIP

• ✨ GitLab: Release by @raghavkaul in #3340
• ✨ [experimental] Probe support for security policy check by @laurentsimon in #3241

Bug Fixes

• 🐛 Fix Branch-Protection scoring by @gabibguti in #3251
• 🐛 Forgive job-level permissions by @pnacht in #3162
• 🐛 Add npm installs to Pinned-Dependencies score by @gabibguti in #2960

Docs

• 📖 Add release process by @spencerschrock in #3322
• 📖 Update GitHub documentation links by @martincostello in #3318
• 📖 Fixed slack badge on README by @eddie-knight in #3311
• 📖 update docs for webhooks documentation by @leec94 in #3299
• 📖 Add contributor ladder by @pnacht in #3246
• 📖 Suggest new score viewer on badge documentation by @diogoteles08 in #3268
• 📖 Update Branch-Protection admin and non-admin requirements by @gabibguti, @pnacht in #2772

New Contributors

• @ajmalab made their first contribution in https://github.com/ossf/scorecard/pull/3248
• @eustas made their first contribution in https://github.com/ossf/scorecard/pull/3267
• @martincostello made their first contribution in https://github.com/ossf/scorecard/pull/3318
• @thepwagner made their first contribution in https://github.com/ossf/scorecard/pull/3327
• @aaguiarz made their first contribution in https://github.com/ossf/scorecard/pull/3337

Full Changelog: https://github.com/ossf/scorecard/compare/v4.11.0...v4.12.0

What's Changed

New

• ✨ Consider haskell-actions/hlint-scan a code scanning action by @chungyc in https://github.com/ossf/scorecard/pull/2846
• ✨ Detect fuzzing in Haskell by the presence of property tests. by @chungyc in https://github.com/ossf/scorecard/pull/2843
• ✨ The SAST check will look for workflows with the "github/codeql-action/analyze" action locally instead of the GitHub Search API endpoint by @spencerschrock in https://github.com/ossf/scorecard/pull/2839
• ✨ Scorecard checks for unpinned dependencies that are retrieved ad-hoc using nuget and dotnet CLIs ("nuget install" and "dotnet add") by @balteravishay in https://github.com/ossf/scorecard/pull/2779
• ✨ show non-compliant code changes for CI-Tests, Code-Review and SAST checks in --show-details mode by @ashishkurmi in https://github.com/ossf/scorecard/pull/2835
• ✨ Detect semantic-release as a packaging workflow by @travi in https://github.com/ossf/scorecard/pull/2964
• ✨ Detect semantic-release as a releasing workflow by @travi in https://github.com/ossf/scorecard/pull/2989
• ✨ Add support for github GHES by @patelniketm in https://github.com/ossf/scorecard/pull/2999 and @rajbos in https://github.com/ossf/scorecard/pull/2788
• ✨ Detect fast-check PBT library for JavaScript Fuzzing by @dubzzz in https://github.com/ossf/scorecard/pull/3073
• ✨ Run Scorecard on packages hosted at Nuget.org using --nuget=<package>by @balteravishay in https://github.com/ossf/scorecard/pull/3020

Bug Fixes

• SAST
  • 🐛 Reset stored error when handler is re-inited or setup is re-run. by @spencerschrock in https://github.com/ossf/scorecard/pull/2893
  • 🐛 Add nil check before accessing a step's uses value. by @spencerschrock in https://github.com/ossf/scorecard/pull/2935
• Vulnerabilities
  • 🐛 Give inconclusive Vulnerabilities score when osv-scanner panics by @spencerschrock in https://github.com/ossf/scorecard/pull/2896
  • 🐛 Update osv-scanner dependency to include Vulnerabilities check fixes by @laurentS in https://github.com/ossf/scorecard/pull/2981
• Pinned-Dependencies
  • 🐛 Pip installs count for Pinned-Dependencies score by @gabibguti in https://github.com/ossf/scorecard/pull/2922
• Code-Review
  • 🐛 Code Review: Use proportional scoring by @raghavkaul in https://github.com/ossf/scorecard/pull/2882

Deprecations

• 🌱 Deprecate dependencydiff package by @naveensrinivasan in https://github.com/ossf/scorecard/pull/3125

GitLab support (WIP)

• ✨ GitLab: Documentation and cleaner errors by @raghavkaul in https://github.com/ossf/scorecard/pull/2821
• ✨ Gitlab: CI-Tests check by @raghavkaul in https://github.com/ossf/scorecard/pull/2833
• ✨ Gitlab: Maintained check by @raghavkaul in https://github.com/ossf/scorecard/pull/2860
• ✨ Enable gitlab Packaging Reporting by @jimrobison in https://github.com/ossf/scorecard/pull/2941
• ✨ GitLab: Code Review check by @raghavkaul in https://github.com/ossf/scorecard/pull/2764
• ✨ Gitlab: License check by @raghavkaul in https://github.com/ossf/scorecard/pull/2834
• 🐛 Gitlab: Commit/Commitor Exceptions by @jimrobison in https://github.com/ossf/scorecard/pull/3026
• 🐛 Gitlab: test fixes by @raghavkaul in https://github.com/ossf/scorecard/pull/3027
• ✨ Gitlab: Add projects to cron by @raghavkaul in https://github.com/ossf/scorecard/pull/2936
• 🐛 GitLab cron: rename by @raghavkaul in https://github.com/ossf/scorecard/pull/3070
• 🐛 Gitlab status updates by @jimrobison in https://github.com/ossf/scorecard/pull/3052
• ✨ GitLab: enable more checks in cron by @raghavkaul in https://github.com/ossf/scorecard/pull/3097
• ✨ GitLab: Add 5000 repos to nightly worker run by @raghavkaul in https://github.com/ossf/scorecard/pull/3137

Docs

• 📖 Update usage message of the scorecard --verbosity flag by @andrelmbackman in https://github.com/ossf/scorecard/pull/3190
• 📖 Update checks.md to show the benefit of >=2 reviewers by @joycebrum in https://github.com/ossf/scorecard/pull/3013
• 📖 Add new frequently asked question to FAQ by @joycebrum in https://github.com/ossf/scorecard/pull/2923
• 📖 Adds zoom link and agenda link by @hythloda in https://github.com/ossf/scorecard/pull/3050
• 📖 Tweak Best Practices badge description to clarify things by @david-a-wheeler in https://github.com/ossf/scorecard/pull/2907
• 📖 Clarify that AI/ML doesn't count as human code review by @david-a-wheeler in https://github.com/ossf/scorecard/pull/2953
• 📖 Change Facilitators to Maintainers by @jeffmendoza in https://github.com/ossf/scorecard/pull/3039
• 📖 Make all StepSecurity app endpoint references consistent by @ashishkurmi in https://github.com/ossf/scorecard/pull/3042
• 📖 Fix broken links in FAQ. by @chungyc in https://github.com/ossf/scorecard/pull/2858
• 📖 Capitalize proper nouns like Dependabot, Renovate, and GitHub by @leec94 in https://github.com/ossf/scorecard/pull/2962
• 📖 Fix anchor link to the code review section by @dasfreak in https://github.com/ossf/scorecard/pull/3058

New Contributors

• @chungyc made their first contribution in https://github.com/ossf/scorecard/pull/2846
• @ashishkurmi made their first contribution in https://github.com/ossf/scorecard/pull/2835
• @leec94 made their first contribution in https://github.com/ossf/scorecard/pull/2962
• @jimrobison made their first contribution in https://github.com/ossf/scorecard/pull/2941
• @travi made their first contribution in https://github.com/ossf/scorecard/pull/2964
• @laurentS made their first contribution in https://github.com/ossf/scorecard/pull/2981
• @patelniketm made their first contribution in https://github.com/ossf/scorecard/pull/2999
• @rajbos made their first contribution in https://github.com/ossf/scorecard/pull/2788
• @hythloda made their first contribution in https://github.com/ossf/scorecard/pull/3050
• @dasfreak made their first contribution in https://github.com/ossf/scorecard/pull/3058
• @dubzzz made their first contribution in https://github.com/ossf/scorecard/pull/3073
• @andrelmbackman made their first contribution in https://github.com/ossf/scorecard/pull/3190

Full Changelog: https://github.com/ossf/scorecard/compare/v4.10.5...v4.11.0

What's Changed

Bug fixes

• 🐛 Remove unnecessary Printf by @lucacome in https://github.com/ossf/scorecard/pull/2557

New Contributors

• @lucacome made their first contribution in https://github.com/ossf/scorecard/pull/2557

Full Changelog: https://github.com/ossf/scorecard/compare/v4.10.1...v4.10.2

What's Changed

Check improvements

• ✨ Removed job-level permissions check for actions and packages by @eddie-knight in https://github.com/ossf/scorecard/pull/2367
• ✨ Add Sonatype Lift as a dependency update tool, doc upgrade by @theresa-m in https://github.com/ossf/scorecard/pull/2328
• ⚠️ OSV scanner integration by @another-rex in https://github.com/ossf/scorecard/pull/2509

Cron improvements

• 🌱 Add soft mem limit to controller k8s spec by @spencerschrock in https://github.com/ossf/scorecard/pull/2362
• 🌱 cron: generalize and expose worker (6/n) by @spencerschrock in https://github.com/ossf/scorecard/pull/2317
• 🐛 Fix typo which prevented cron metadata from going to BigQuery dataset by @spencerschrock in https://github.com/ossf/scorecard/pull/2370
• 🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents by @calebbrown in https://github.com/ossf/scorecard/pull/2454

CLI

• ✨ Commit depth feature by @latortuga71 in https://github.com/ossf/scorecard/pull/2407

Documentation

• 📖 Use scorecard (singular) consistently by @lehors in https://github.com/ossf/scorecard/pull/2428
• 📖 Use new project name in Copyright notices by @lehors in https://github.com/ossf/scorecard/pull/2505
• 📖 Fix copyright notices by @lehors in https://github.com/ossf/scorecard/pull/2514
• 📖 Mention 2FA relevance although not checked by Scorecard by @joycebrum in https://github.com/ossf/scorecard/pull/2528
• 📖 Clarify CII-Best-Practices score for each badge by @hugovk in https://github.com/ossf/scorecard/pull/2313

BinAuthZ support (WIP)

• ✨ CLI for scorecard-attestor by @raghavkaul in https://github.com/ossf/scorecard/pull/2309
• 🌱 Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor by @raghavkaul in
• 🌱 attestor: Dockerize + small improvements for Cloud Build usage by @raghavkaul in https://github.com/ossf/scorecard/pull/2456
• 🌱 attestor: e2e tests by @raghavkaul in https://github.com/ossf/scorecard/pull/2529

GitLab support (WIP)

• ✨ Gitlab support by @N8BWert https://github.com/ossf/scorecard/pull/2265

New Contributors

• @theresa-m made their first contribution in https://github.com/ossf/scorecard/pull/2328
• @dvbnrg made their first contribution in https://github.com/ossf/scorecard/pull/2366
• @hugovk made their first contribution in https://github.com/ossf/scorecard/pull/2313
• @gabibguti made their first contribution in https://github.com/ossf/scorecard/pull/2384
• @shissam made their first contribution in https://github.com/ossf/scorecard/pull/2195
• @favonia made their first contribution in https://github.com/ossf/scorecard/pull/2447
• @latortuga71 made their first contribution in https://github.com/ossf/scorecard/pull/2407
• @balhar-jakub made their first contribution in https://github.com/ossf/scorecard/pull/2488
• @another-rex made their first contribution in https://github.com/ossf/scorecard/pull/2509

Full Changelog: https://github.com/ossf/scorecard/compare/v4.8.0...v4.10.0

What's Changed

Check improvements

• ✨ Removed job-level permissions check for actions and packages by @eddie-knight in https://github.com/ossf/scorecard/pull/2367
• ✨ Add Sonatype Lift as a dependency update tool, doc upgrade by @theresa-m in https://github.com/ossf/scorecard/pull/2328
• ⚠️ OSV scanner integration by @another-rex in https://github.com/ossf/scorecard/pull/2509

Cron improvements

• 🌱 Add soft mem limit to controller k8s spec by @spencerschrock in https://github.com/ossf/scorecard/pull/2362
• 🌱 cron: generalize and expose worker (6/n) by @spencerschrock in https://github.com/ossf/scorecard/pull/2317
• 🐛 Fix typo which prevented cron metadata from going to BigQuery dataset by @spencerschrock in https://github.com/ossf/scorecard/pull/2370
• 🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents by @calebbrown in https://github.com/ossf/scorecard/pull/2454

CLI

• ✨ Commit depth feature by @latortuga71 in https://github.com/ossf/scorecard/pull/2407

Documentation

• 📖 Use scorecard (singular) consistently by @lehors in https://github.com/ossf/scorecard/pull/2428
• 📖 Use new project name in Copyright notices by @lehors in https://github.com/ossf/scorecard/pull/2505
• 📖 Fix copyright notices by @lehors in https://github.com/ossf/scorecard/pull/2514
• 📖 Mention 2FA relevance although not checked by Scorecard by @joycebrum in https://github.com/ossf/scorecard/pull/2528
• 📖 Clarify CII-Best-Practices score for each badge by @hugovk in https://github.com/ossf/scorecard/pull/2313

BinAuthZ support (WIP)

• ✨ CLI for scorecard-attestor by @raghavkaul in https://github.com/ossf/scorecard/pull/2309
• 🌱 Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor by @raghavkaul in
• 🌱 attestor: Dockerize + small improvements for Cloud Build usage by @raghavkaul in https://github.com/ossf/scorecard/pull/2456
• 🌱 attestor: e2e tests by @raghavkaul in https://github.com/ossf/scorecard/pull/2529

GitLab support (WIP)

• ✨ Gitlab support by @N8BWert https://github.com/ossf/scorecard/pull/2265

New Contributors

• @theresa-m made their first contribution in https://github.com/ossf/scorecard/pull/2328
• @dvbnrg made their first contribution in https://github.com/ossf/scorecard/pull/2366
• @hugovk made their first contribution in https://github.com/ossf/scorecard/pull/2313
• @gabibguti made their first contribution in https://github.com/ossf/scorecard/pull/2384
• @shissam made their first contribution in https://github.com/ossf/scorecard/pull/2195
• @favonia made their first contribution in https://github.com/ossf/scorecard/pull/2447
• @latortuga71 made their first contribution in https://github.com/ossf/scorecard/pull/2407
• @balhar-jakub made their first contribution in https://github.com/ossf/scorecard/pull/2488
• @another-rex made their first contribution in https://github.com/ossf/scorecard/pull/2509

Full Changelog: https://github.com/ossf/scorecard/compare/v4.8.0...v4.9.0

What's Changed

• ✨ Enhancement: adding new entries for GH actions & Pub as ecosystems, typo fixes by @aidenwang9867 in https://github.com/ossf/scorecard/pull/2109
• feat: Add pom.xml support for sonarype SAST by @laurentsimon in https://github.com/ossf/scorecard/pull/2114
• ✨ Enhancement: Dependency-diff API optimization - changing the input param changeType from a map to an array by @aidenwang9867 in https://github.com/ossf/scorecard/pull/2111
• 🌱 Bump gocloud.dev from 0.25.0 to 0.26.0 by @dependabot in https://github.com/ossf/scorecard/pull/2121
• 🌱 Bump nick-invision/retry from 2.6.0 to 2.8.0 by @dependabot in https://github.com/ossf/scorecard/pull/2122
• 📖 Include an example query for the public BigQuery dataset by @spencerschrock in https://github.com/ossf/scorecard/pull/2123
• 🌱 Bump actions/cache from 3.0.5 to 3.0.6 by @dependabot in https://github.com/ossf/scorecard/pull/2127
• 🌱 Bump cloud.google.com/go/bigquery from 1.36.0 to 1.37.0 by @dependabot in https://github.com/ossf/scorecard/pull/2126
• 🌱 Bump nick-invision/retry from 2.8.0 to 2.8.1 by @dependabot in https://github.com/ossf/scorecard/pull/2130
• 🌱 github actions cleanup and set to get the latest go available by @cpanato in https://github.com/ossf/scorecard/pull/2135
• 🌱 Limit access to registered checks by @spencerschrock in https://github.com/ossf/scorecard/pull/2134
• ✨ support for SLSA provenance in Signed-Release by @laurentsimon in https://github.com/ossf/scorecard/pull/2131
• ✨ Feature: Improve Dependabot detection through PRs by @qequ in https://github.com/ossf/scorecard/pull/2125
• ✨ Support OneFuzz in fuzzing checks by @balteravishay in https://github.com/ossf/scorecard/pull/2141
• 🐛 Fix bug 2051 by @varunsh-coder in https://github.com/ossf/scorecard/pull/2140
• 🌱 Bump actions/cache from 3.0.6 to 3.0.7 by @dependabot in https://github.com/ossf/scorecard/pull/2139
• ✨ Favor SLSA provenance over plain signature in Signed-Release by @laurentsimon in https://github.com/ossf/scorecard/pull/2144
• 🌱 Bump step-security/harden-runner from 1.4.4 to 1.4.5 by @dependabot in https://github.com/ossf/scorecard/pull/2148
• ✨ Scorecard returns a non-zero exit code if any check has a runtime error by @spencerschrock in https://github.com/ossf/scorecard/pull/2133
• 🌱 Bump cloud.google.com/go/bigquery from 1.37.0 to 1.38.0 by @dependabot in https://github.com/ossf/scorecard/pull/2149
• 🐛 Add scorecard-action to the security-events allowlist in Token Permissions check by @spencerschrock in https://github.com/ossf/scorecard/pull/2153
• 🐛 Remove duplicate projects with different casings by @azeemshaikh38 in https://github.com/ossf/scorecard/pull/2155
• 🐛 Detect recently created Github repositories by @raghavkaul in https://github.com/ossf/scorecard/pull/2151
• ✨ Unflag the --commit option by @azeemshaikh38 in https://github.com/ossf/scorecard/pull/2156
• Use generic generator for SLSA by @laurentsimon in https://github.com/ossf/scorecard/pull/2146
• 🌱 Upgrade to go 1.18 by @naveensrinivasan in https://github.com/ossf/scorecard/pull/2143
• 🌱 Bump sigstore/cosign-installer from 2.5.0 to 2.5.1 by @dependabot in https://github.com/ossf/scorecard/pull/2167
• 🐛 Fix remediation text when Scorecard is run multiple times within a program by @spencerschrock in https://github.com/ossf/scorecard/pull/2168
• 🌱 Update scorecard-action to v2:alpha by @azeemshaikh38 in https://github.com/ossf/scorecard/pull/2171
• ✨ Use sha256 for release hashes by @laurentsimon in https://github.com/ossf/scorecard/pull/2172

New Contributors

• @qequ made their first contribution in https://github.com/ossf/scorecard/pull/2125
• @balteravishay made their first contribution in https://github.com/ossf/scorecard/pull/2141

Full Changelog: https://github.com/ossf/scorecard/compare/v4.5.0...v4.6.0

What's Changed

• 🌱 Bump github.com/caarlos0/env/v6 from 6.9.2 to 6.9.3 by @dependabot in https://github.com/ossf/scorecard/pull/1973
• 🌱 Bump actions/cache from 3.0.2 to 3.0.3 by @dependabot in https://github.com/ossf/scorecard/pull/1974
• 🌱 Signing scorecard images using cosign by @naveensrinivasan in https://github.com/ossf/scorecard/pull/1970
• 🌱 Included Stargazers over time by @naveensrinivasan in https://github.com/ossf/scorecard/pull/1971
• 🌱 Replace clients.Contributor with clients.User by @azeemshaikh38 in https://github.com/ossf/scorecard/pull/1957
• ✨ Raw results for Packaging check by @laurentsimon in https://github.com/ossf/scorecard/pull/1913
• ✨ Silence scorecard warning by @laurentsimon in https://github.com/ossf/scorecard/pull/1977
• ✨ Raw results for Pinned-Dependencies by @laurentsimon in https://github.com/ossf/scorecard/pull/1932
• 📖 Fix cron related documentation by @lehors in https://github.com/ossf/scorecard/pull/1986
• ✨ SLSA provenance/build by @laurentsimon in https://github.com/ossf/scorecard/pull/1702
• ✨ Support user-defined fuzz functions (GoLang) in fuzzing check by @aidenwang9867 in https://github.com/ossf/scorecard/pull/1979
• ✨ Add Language struct and optimize result parsing for GHClient.ListProgrammingLanguages by @aidenwang9867 in https://github.com/ossf/scorecard/pull/1992

Full Changelog: https://github.com/ossf/scorecard/compare/v4.3.1...v4.4.0

What's Changed

Fix https://github.com/ossf/scorecard-action/issues/323 via https://github.com/ossf/scorecard/pull/1947

New Contributors

• @aidenwang9867 made their first contribution in https://github.com/ossf/scorecard/pull/1939

Full Changelog: https://github.com/ossf/scorecard/compare/v4.3.0...v4.3.1

Includes a patch to fix scorecard version in Scorecard Docker image and some documentation changes.

What's Changed

• 🌱 Bump github.com/bradleyfalzon/ghinstallation/v2 from 2.0.3 to 2.0.4 by @dependabot in https://github.com/ossf/scorecard/pull/1475
• 🌱 Bump ossf/scorecard-action from 0.0.2 to 1.0.0 by @dependabot in https://github.com/ossf/scorecard/pull/1478
• 🐛 Fix scorecard version in Scorecard Docker images by @azeemshaikh38 in https://github.com/ossf/scorecard/pull/1480
• 📖 Olivekl v4 doc updates by @olivekl in https://github.com/ossf/scorecard/pull/1481

Full Changelog: https://github.com/ossf/scorecard/compare/v4.0.0...v4.0.1

Description

This release of Scorecard provides bug fixes, enhancements and new features and many other changes. The project remains available via a docker image.

Release Notes

New code features and enhancements

• A new Scorecard GitHub Action
• New checks: License and Dangerous-Workflow
• Improved scoring system for complex checks like Branch-Protection, Token-Permissions
• Improved Fuzzing check to support ClusterFuzzLite
• Added support for new SAST tools like LGTM and SonarCloud in SAST check
• Support for local code repository (using --local option)
• Improved parsing of GitHub workflows
• Improved test coverage
• Scaled weekly cron job repos to analyze ~1M projects

Scaling

• Weekly scans for ~1M GitHub repos with critical ecosystems dependencies from deps.dev.
• Weekly scan results are available in a BigQuery table in the JSON format.

LTS

• Complying with the v3 release announcement, the format of the weekly scans remains unchanged and will be available at least until the end of 2022.

Contributors

Huge thanks to all community contributors

@laurentsimon, @naveensrinivasan, @chrismcgehee, @azeemshaikh38, @asraa, @olivekl, @evverx, @developer-guy, @oliverchang, @varunsh-coder, @david-a-wheeler, @imjasonh, @nanikjava, @JamieMagee, @lehors, @r0mdau, @cpanato, @dota17, @Juneezee,

New Contributors

• @varunsh-coder made their first contribution in https://github.com/ossf/scorecard/pull/1326
• @dota17 made their first contribution in https://github.com/ossf/scorecard/pull/1341
• @lehors made their first contribution in https://github.com/ossf/scorecard/pull/1312
• @JamieMagee made their first contribution in https://github.com/ossf/scorecard/pull/1378
• @imjasonh made their first contribution in https://github.com/ossf/scorecard/pull/1392

Mailing lists

• Stay updated with new releases and other announcements by joining [email protected].
• Ask questions, get access to design docs, etc. by joining [email protected].

Full Changelog: https://github.com/ossf/scorecard/compare/v3.0.0...v4.0.0

What's Changed

• 🌱 v3 upgrade changes by @naveensrinivasan in https://github.com/ossf/scorecard/pull/1118

Full Changelog: https://github.com/ossf/scorecard/compare/v3.0.0...v3.0.1

Description

This release of Scorecard provides bug fixes, enhancements and new features, including many changes that are not compatible with earlier versions of Scorecard. The project remains available via a docker image.

Release Notes

API changes

We are experimenting with new APIs based on user feedback to improve clarity and usability. Please try them out and leave us feedback on the scorecard repository!

New code features and enhancements

• Numeric scoring and risk categories replace Pass/Fail.
• Aggregated score.
• Improved JSON output (--format json | jq).
• New repo interface to simplify the future integration of other code versioning systems besides GitHub.
• Use GitHub v4 (GraphQL) APIs instead of REST API to improve performance and efficiency.
• Improved documentation (checks and main README).

Removal

• Support for CSV format has been removed. Please use the JSON format to upgrade.

Scaling

• Weekly scans for 200k GitHub repos with critical ecosystems dependencies from deps.dev.
• Weekly scan results are available in a BigQuery table in the new JSON format.

LTS

• Weekly scans that output the older JSON format will continue until 31 March 2022.
• Weekly scans that output the new JSON format will be available at least until the end of 2022.

Huge thanks to all community contributors

@naveensrinivasan, @chrismcgehee, @nanikjava, @rsprabery, @slugclub, @nathan-415, @neil465, @notanton, @ben-moss, @evalphobia, @johanbrandhorst, @iamamoose, @david-a-wheeler, @olivekl, @asraa, @loosebazooka, @meder, @oliverchang, @azeemshaikh38, @laurentsimon

Mailing lists

• Stay updated with new releases and other announcements by joining [email protected].
• Ask questions, get access to design docs, etc. by joining [email protected].

Full Changelog

https://github.com/ossf/scorecard/compare/v2.0.0...v3.0.0

Initial open source release.