scorecard

OpenSSF Scorecard - Security health metrics for Open Source

APACHE-2.0 License

Downloads
77
Stars
4.2K
Committers
139


scorecard - v4.3.0

Published by github-actions[bot] over 2 years ago

Changelog

  • 6406cfd 🌱 Bump actions/setup-go from 3.0.0 to 3.1.0
  • 236b296 Do not fail on empty repositories (#1914)
  • b1ab7eb ✨ Update raw format for Dangerous workflows (#1865)
  • cd04704 📖 Fixes description for webhook check (#1882)
  • 0275a94 ⚠️ Remove the old Details field from CheckResult (#1906)
  • b9f333b ⚠️ Remove the pass from the CheckResult
  • f048164 🌱 Bump github.com/caarlos0/env/v6 from 6.9.1 to 6.9.2
  • 74f521f 🌱 Bump mvdan.cc/sh/v3 from 3.4.3 to 3.5.0
  • 2b35afc 🌱 Bump github.com/golangci/golangci-lint in /tools
  • 0f30f4e ✨ Make permission check aware of GH Pages Action (#1902)
  • 2fc6fbb 🌱 Bump cloud.google.com/go/bigquery from 1.31.0 to 1.32.0
  • 804127f Upgrade to buildkit 0.10.3
  • c5d787a pkg: refactor out scorecard_version
  • 62e3de5 🐛 Remove Options that belong to the Action (#1898)
  • 7ff4b7e ⚠️ Removing the confidence field from CheckResult struct (#1896)
  • 6d79817 📖 Fix command Usage (#1814)
  • 815de18 📖 Remove erroneous ref to CSV output (#1813)
  • 5758364 Fix bug in Scorecard tag Docker image creation (#1890)
  • 8c97d46 ✨ Add custom remediation for workflow permissions/pinned dependencies (#1885)
  • 22694dc Support commits reviewed through Piper (#1889)
  • 9a7d030 ✨ Added additional github repositories in projects.csv (#1886)
  • 72086c9 ✨ Add support for Phabricator as a code review system (#1884)
  • f779fb8 🌱 Bump cloud.google.com/go/pubsub from 1.21.0 to 1.21.1
  • 74ea0f4 🐛 Fix .lib false positives in binary artifacts (#1879)
  • 2cb6541 ⚠️ Removing the pass field from result (#1853)
  • 875b6f6 🐛 Ignore shell parsing errors when reporting results (#1878)
  • e97bf30 🌱 Bump step-security/harden-runner from 1.4.2 to 1.4.3
  • 815de5c Propagate error in log (#1875)
  • 2b68f38 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.3 to 2.1.4
  • 3a9f011 🌱 Bump github.com/google/go-cmp from 0.5.7 to 0.5.8
  • a598b2a 🌱 Bump cloud.google.com/go/pubsub from 1.20.0 to 1.21.0
  • ac14ce7 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.3 to 2.1.4 in /tools
  • 05d8c01 🐛 Don't look for secrets in pull_request (#1864)
  • b304306 ✨ Add token needed for checks in README (#1854)
  • ac88460 ✨ Raw results for best practices badge (#1795)
  • fe6e091 ✨ Support for detecting choco installer without required hash (#1810)
  • 5d8a277 🌱 Bump crazy-max/ghaction-import-gpg from 4.3.0 to 4.4.0
  • dbaba8a 🌱 Bump step-security/harden-runner from 1.4.1 to 1.4.2

Thanks for all contributors!

scorecard - v4.2.0

Published by github-actions[bot] over 2 years ago

Changelog

  • 44ad5f5 ⚠️ Removing the error field from result (#1853)
  • 1f3861b Update env variables in cron (#1858)
  • ee1086e 🌱 Bump codecov/codecov-action from 3.0.0 to 3.1.0
  • 64bf903 🌱 Bump actions/checkout from 3.0.1 to 3.0.2
  • 4622952 ✨ Raw results for dangerous workflow (#1849)
  • 72e2486 🌱 Bump contrib.go.opencensus.io/exporter/stackdriver
  • 6ed6c9b 🌱 Publish images with ko
  • f99e1a1 ✨ Schema for BQ table for raw results (#1762)
  • 9532e55 🌱 Bump github.com/rhysd/actionlint from 1.6.11 to 1.6.12
  • 6c59ff9 🌱 Bump actions/checkout from 3.0.0 to 3.0.1
  • ebf0d10 🌱 Bump cloud.google.com/go/bigquery from 1.30.2 to 1.31.0
  • 4d1c531 ✨ Raw results for license (#1790)
  • c0e41f3 Update branches_e2e_test.go (#1838)
  • 410a145 fix (#1837)
  • b00b316 Split NewLogger into two so we can use a custom logrus instance.
  • 9120285 Fix e2e branch (#1835)
  • eedd16d linter
  • 6a48f17 fix
  • 4b2c677 fix
  • 2873c0d e2e for GITHUB_TOKEN
  • a46313c 🌱 Bump cloud.google.com/go/pubsub from 1.19.0 to 1.20.0
  • fb0c0e1 🌱 Bump actions/cache from 3.0.1 to 3.0.2
  • f9c2f9d 🌱 Dependency review action
  • 333618d Security-Policy should not run on --local (#1825)
  • 4df16f3 🌱 Bump codecov/codecov-action from 2.1.0 to 3
  • b6575a2 🌱 Bump github.com/rhysd/actionlint from 1.6.10 to 1.6.11
  • 8bc0fe5 🌱 Bump contrib.go.opencensus.io/exporter/stackdriver
  • a1e908b Support Security-Policy with --local (#1822)
  • 5860896 detect workflow_run as a dangerous trigger
  • 606f28a 🌱 Bump sigs.k8s.io/release-utils from 0.5.0 to 0.6.0
  • 8113336 🌱 e2e for pinned_dependencies for localrepoclient
  • b6b5592 🌱 e2e for dangerous_workflow local repo
  • 761bb4e 🌱 Fixes the golang version
  • b42a175 🌱 Bump gocloud.dev from 0.24.0 to 0.25.0
  • 648b663 🌱 Experimental option for codeql
  • 27dbf9c ✨ Raw results for Signed-Release check (#1789)
  • e8c633a 🌱 e2e tests for security policy localrepo
  • e5f5deb 🌱 e2e tests for local repoclient for permissions
  • ab9769a 🌱 Fix protoc build failures
  • 99ecdea 🌱 Bump actions/cache from 3.0.0 to 3.0.1
  • 7dcb3cb ✨ checks: add GitHub Webhook check (#1675)
  • 93889a8 install missing tool in add-projects job
  • f1268bf cleanup protoc version
  • d10ac0d 🌱 Bump cloud.google.com/go/bigquery from 1.30.1 to 1.30.2
  • 92027ed small cleanup on the workflow jobs and remove the master branch reference (#1800)
  • 389078c 🌱 Bump cloud.google.com/go/bigquery from 1.30.0 to 1.30.1
  • 4956483 🌱 Bump github.com/onsi/gomega from 1.18.1 to 1.19.0
  • c428e31 🌱 Bump distroless/base in /cron/worker
  • 6a078c6 Use GITHUB_TOKEN for downloading protoc (#1797)
  • ce06ac1 🌱 Bump distroless/base in /cron/webhook (#1794)
  • 0644b18 🌱 e2e for local repoclient license check
  • cacc3e4 🌱 e2e tests binary artifacts localrepo
  • 037a3f3 ✨ Raw result for Maintained check (#1780)
  • 682e6ea Explicit permissions for github actions
  • 007156b 🌱 Bump distroless/base in /cron/controller
  • 10d46d5 🌱 Bump distroless/base from 792dfe7 to 764b74b
  • d2e88f2 🌱 Bump github.com/golangci/golangci-lint in /tools
  • 363d1bd Add comment to update action policy file (#1751)
  • 8150ab0 ✨ Make Vuln ID field lower case in raw results (#1761)
  • 2bbbce7 🐛 Discard GitHub token in dangerous workflow check (#1772)
  • 66b3d8c 🌱 Bump github.com/golangci/golangci-lint from 1.44.2 to 1.45.0 in /tools (#1757)
  • 10bd777 🌱 Bump peter-evans/find-comment from 1.3.0 to 2
  • 0a82d2b 🌱 Bump google.golang.org/protobuf from 1.27.1 to 1.28.0
  • aecff0b 🌱 Bump peter-evans/create-or-update-comment from 1.4.5 to 2
  • c671bac 🌱 Bump peter-evans/slash-command-dispatch from 2.3.0 to 3
  • 2863566 🌱 Bump actions/upload-artifact from 2.3.1 to 3
  • a69fda7 🌱 Bump actions/cache from 2.1.7 to 3
  • d51e004 🌱 Bump google.golang.org/protobuf in /tools
  • 06efb4a ✨ Update BQ table name for raw results (#1759)
  • 1094680 🐛 Fix schemas from https://github.com/ossf/scorecard/pull/1758 (#1760)
  • ee623e5 Add schema for the raw JSON (#1758)
  • 1c61acd Update main.yml
  • 8fd286d Update stale.yml
  • 76d3e10 🌱 Restrict egress on github actions
  • 0c76ae3 🌱 Bump distroless/base in /cron/controller
  • 64893b8 🌱 Bump step-security/harden-runner from 1.4.0 to 1.4.1
  • b1ab16e ✨ Add raw results to cron scans (#1741)
  • d5893c2 🌱 Bump distroless/base from 02f6671 to 792dfe7
  • 9e9e5a9 🌱 Bump distroless/base in /cron/webhook
  • 8f6df49 🌱 Bump github.com/go-logr/logr from 1.2.2 to 1.2.3
  • 23921a6 🌱 Bump distroless/base in /cron/worker
  • a496d8c 🌱 Bump cloud.google.com/go/bigquery from 1.29.0 to 1.30.0
  • a3f4b05 Pass in specific commit-SHA in cron job (#1739)
  • ba78d0a ✨ Unit test for CLI options
  • dc302bd Enable CI-Tests to run as commit-based check
  • c8acf36 🌱 .github: Audit CodeQL egress with harden-runner (#1728)
  • c8af71c 🌱 Bump crazy-max/ghaction-import-gpg from 4.2.0 to 4.3.0
  • 3f73d69 🌱 Bump github.com/rhysd/actionlint from 1.6.9 to 1.6.10
  • 2df9d08 🌱 Bump github.com/goreleaser/goreleaser in /tools
  • 7d17953 Fixed the path of the generated mock files.
  • 1995bc3 🌱 Refactor to make it testable
  • f2a132a 🌱 Bump github.com/spf13/cobra from 1.3.0 to 1.4.0
  • e303a1b 🌱 Ignore mock clients for code coverage
  • 35d3156 🌱 Unit tests for pinned_dependencies
  • c10a6ae Update README.md (#1716)
  • eb25816 🌱 Bump cloud.google.com/go/pubsub from 1.18.0 to 1.19.0
  • e128c3d allow empty committer (#1714)
  • c1761a8 Only download repo tarball when necessary
  • 0268747 🌱 Bump github.com/goreleaser/goreleaser in /tools
  • 4b9f038 🌱 Fix for CVE-2022-23648
  • 241b0f4 Mark License, Security-Policy as commit-based (#1711)
  • 3c92dec 🐛 Add GitHub committer verification (#1695)
  • 57b4664 🌱 Bump cloud.google.com/go/bigquery from 1.28.0 to 1.29.0
  • 4904b31 🌱 additional tests for github_workflow
  • 3070b3c ✨ cmd: Allow new scorecard to be instantiated with options (#1703)
  • d192c8e ✨ Add score to SARIF for all results (#1694)
  • 3818dbe Update CODEOWNERS (#1701)
  • 189cdc5 🌱 Bump actions/stale from 4.1.0 to 5
  • 2381915 🌱 Bump crazy-max/ghaction-import-gpg from 4.1.0 to 4.2.0
  • 13b9cc5 🌱 Bump actions/checkout from 2.4.0 to 3
  • 84cdc8c ✨ cmd: Refactor to make importable (#1696)
  • 738b246 Fix cmd panic (#1692)
  • 8377294 🌱 Bump goreleaser/goreleaser-action from 2.9.0 to 2.9.1
  • dd9ae7d 🌱 Bump actions/setup-go from 2.2.0 to 3
  • 5e5abdc 🌱 Unit tests for github workflow
  • ddb0fe3 ✨ Changed jsonScorecardResultV2 type Public (#1682)
  • 4635570 🌱 Bump goreleaser/goreleaser-action from 2.8.1 to 2.9.0
  • d71866c Update badges to correct package version and reference URLs
  • c664364 📖 Included reference to the GoDoc
  • 7956ff4 ✨ Miscellaneous refactors to ease downstream consumption (#1645)
  • 7610519 📖 Adding missing documentation for Token-Permissions (#1656)
  • 4c82c29 🌱 Bump github.com/rhysd/actionlint from 1.6.8 to 1.6.9
  • 692c682 Refine copy for PR template and add a release-note code fence (#1678)
  • 504f134 Update scorecard-analysis.yml (#1674)
  • faeae41 🌱 Fixes the vulnerability GHSA-qq97-vm5h-rrhg (#1672)
  • 5a1ab20 🌱 Fix containerd vulns
  • d94a87d 🌱 Fix containerd Vulnerability (#1560)
  • 808941a ✨ Token-Permissions, Allow contents: write permission only for jobs that are releasing (#1663)
  • e41f859 Generalize CheckFileContent functions (#1670)
  • 5656c3e 🌱 Ignore cron folder from codecov
  • f616278 Generalize CheckIfFileExists fn (#1668)
  • c03085a Remove duplicated function definitions (#1666)
  • e5b62b5 🌱 Bump mvdan.cc/sh/v3 from 3.4.2 to 3.4.3 (#1665)
  • 5dbc04a 🌱 Avoid duplicate builds

Thanks for all contributors!

scorecard - v4.1.0

Published by github-actions[bot] over 2 years ago

Changelog

  • 33f80c9 Fix golangci-lint issues
  • 53bae3e feat: upgrade to ko v0.10.0
  • 1306b34 🌱 Bump ossf/scorecard-action from 1.0.3 to 1.0.4
  • 33a01f7 🐛 Add custom packaging workflow for Python
  • bba55d4 🌱 Parallelize builds
  • 1aff6db 🌱 Ignore docker builds
  • 674146c Make verbosity levels case insensitive (#1650)
  • db1d568 🌱 Remove building ko to speed up builds
  • e6f6c56 🌱 Bump github.com/onsi/ginkgo/v2 from 2.0.0 to 2.1.3
  • 4ebd8af 🌱 Bump github.com/onsi/ginkgo/v2 from 2.0.0 to 2.1.3 in /tools
  • ba503c3 ✨ githubrepo: Allow providing an already authenticated transport (#1644)
  • cda7a1b Add tests for graphQL costs (#1643)
  • de5224b Update e2e tests (#1641)
  • 2b206dc Remove Version field from LogMessage (#1640)
  • 3551134 🌱 Parallelize the builds
  • e7fd58d ✨ Check for secrets in pull_request_target (#1634)
  • e3637c9 🌱 Bump cloud.google.com/go/bigquery from 1.27.0 to 1.28.0
  • 1e488a8 Fix for repos which do not squash PR commits (#1637)
  • f3332ce Add validation for commit-based APIs (#1635)
  • eb0730a 🌱 Bump github.com/goreleaser/goreleaser in /tools (#1632)
  • 394789c README.md: Add OpenSSF Best Practices badge (#1629)
  • 2e3e505 Simplify DetailLogger interface (#1628)
  • 38be00c Reduce query cost by analysing fewer associatedPR (#1624)
  • 7de151c ✨ Check for secrets in workflows run on pull requests (#1615)
  • 9b921f0 🌱 Bump actions/setup-go from 2.1.5 to 2.2.0 (#1619)
  • 61e52d4 update workflow (#1617)
  • 368c105 🌱 Bump cloud.google.com/go/pubsub from 1.17.0 to 1.18.0 (#1616)
  • 6930c3a Add support for commit-based Scorecard (#1613)
  • 1c95237 Only run allowed checks in different modes (#1579)
  • eac2aec Add support for commit-based lookup to GitHub APIs (#1612)
  • 68bf172 🌱 Unit tests fileparser/listing
  • 30fc06e Fixed the formatting issue
  • aaf7a9f 🌱 Cache builds between runs
  • 049db38 🌱 Unit tests for dependency_update_tool
  • 8733080 checks/packaging.go: ignore workflows/<>/ files (#1591)
  • 95e7c03 Update the biweekly meeting times (#1603)
  • 80cc0dd 🌱 Unit tests checks/ci_tests_test.go
  • f84291d 🐛 Fix Dependabot check to accept .yaml file extension (#1601)
  • 5e1fd52 🌱 Tweaking codecov config
  • 35aad1d 🌱 Unit tests code-review for raw
  • 674f747 🌱 Unit tests for vulnerabilities raw package
  • 28bf341 📖 recommend nix-shell over nix-env
  • 634643e 🌱 Unit test for fileparser/listing
  • 88aa0e8 📖 Add make install to Environment Setup
  • 4581c36 Remove ListMergedPRs API (#1566)
  • 9037444 ✨ Raw data for code review check (#1505)
  • 7032b19 Ignore all files under testdata/ (#1594)
  • 0670b8b pkg/sarif.go: Add score in message (#1593)
  • 009aa85 🌱 Unit tests for Vulnerabilities
  • 05cedd7 🌱 Categorize the Makefile
  • 79b216c checks/security_policy_test.go: updated unit tests (#1590)
  • 24842de 📖 remove inaccurate claim about github rendering emoji
  • 86d8281 Do not parse non-dockerfile (#1583)
  • 2d0e538 Revert Committer.Name change (#1576)
  • e4eb6d2 🌱 Unit tests for security policy
  • 9d38be4 🌱 Bump ossf/scorecard-action from 1.0.2 to 1.0.3
  • cbbfebb ✨ Mention renovatebot's settings (#1575)
  • 3995d31 Refactor some code (#1567)
  • fae5ff3 🌱 Unit tests for fileparser
  • 58865e9 Only return PRs associated with recent commits (#1562)
  • 53f21cb README: s/Justin/Stephen (#1565)
  • 6962fb4 Use committer name if login isn't available (#1558)
  • 29b14f8 Fix nil-ptr issue in e2e tests (#1561)
  • 70afae8 🌱 Remove dead code
  • 4c266d7 🌱 Unit test for dependency_update_tool
  • b4eec8e 🌱 Bump github.com/onsi/gomega from 1.18.0 to 1.18.1
  • a69e1d9 🌱 Add Dart and Flutter CI systems to CI tests check. (#1548)
  • 40a9d48 Link to responsible disclosure guidelines in Security-Policy remediation doc (#1545)
  • 17467c1 🌱 Unit tests for binary_artifact (#1512)
  • 15a204f 🌱 Bump github.com/goreleaser/goreleaser in /tools
  • 074ba5a 🌱 Bump github.com/onsi/ginkgo from 1.16.4 to 1.16.5 in /tools (#1541)
  • bd2171b 🌱 Bump github.com/golangci/golangci-lint from 1.42.1 to 1.44.0 in /tools (#1540)
  • 10a5c1a 🌱 Bump github.com/goreleaser/goreleaser in /tools
  • d2d9ff4 🌱 Bump golang.org/x/tools from 0.1.8 to 0.1.9
  • 3d5a08d 🌱 Included dependabot setting for tools
  • d50788f Add Slack channel badge (#1536)
  • 5f9fff3 ✨ Separate check from policies for the Vulnerabilities check (#1532)
  • 7a6eb28 Not considering an issue as having activity if closed recently (#1531)
  • 16c0d37 🌱 CODEOWNERS: Add Stephen Augustus (justaugustus) as maintainer (#1530)
  • e774015 🌱 Unit tests for Fuzzing
  • 41adfe7 ⚠️ log: Initial logr/logrusr implementation (#1516)
  • da116d3 🌱 Bump cloud.google.com/go/bigquery from 1.26.0 to 1.27.0
  • 19a73a4 🌱 Bump ossf/scorecard-action from 1.0.1 to 1.0.2
  • d4d81a0 🌱 Unit tests dependency_update_tool
  • b6cba86 🐛 Issue activity only counts if done by a maintainer (#1515)
  • 5b98576 🌱 Bump github.com/onsi/gomega from 1.17.0 to 1.18.0
  • 4122c79 🌱 Unit tests for binary artifacts
  • 8a64075 🌱 Fix the reflect.DeepEqual with google cmp
  • 66a91dd 🌱 Unit tests for branch protection raw
  • ab16cdb 🌱 Fix Vulns for containerd
  • 90a0689 🌱 Unit test for fileparser
  • 062e33b 📖 Dependabot config file link (#1498)
  • 0d76dea go.mod: Update github.com/google/go-containerregistry to v0.8.0 (#1506)
  • 13b78ab ⚠️ Create a dedicated logging package to encapsulate calls to zap (#1502)
  • f4e9dfd 🌱 Unit tests for binaryartifacts
  • 5777826 🌱 Bump github.com/google/go-cmp from 0.5.6 to 0.5.7
  • 026d98e 🌱 Included e2e coverage for codecov
  • c3589e8 📖 Updated codecov badge
  • 2dcdbcd 🌱 Track code coverage
  • 9973bde ✨ Unit tests for dependency update
  • 96ea22e Add and use compressed Scorecard logos (#1492)
  • fc87431 Add exemption to stale issue workflow (#1486)
  • b8e054b 🌱 Bump goreleaser/goreleaser-action from 2.8.0 to 2.8.1
  • 4837262 🌱 Bump ossf/scorecard-action from 1.0.0 to 1.0.1
  • 5d3f198 ✨ Unit test for SAST (#1482)

Thanks for all contributors!

scorecard - v4.0.1

Published by azeemshaikh38 almost 3 years ago

Includes a patch to fix scorecard version in Scorecard Docker image and some documentation changes.

What's Changed

Full Changelog: https://github.com/ossf/scorecard/compare/v4.0.0...v4.0.1

scorecard - v4.0.0

Published by azeemshaikh38 almost 3 years ago

Description

This release of Scorecard provides bug fixes, enhancements, new features and many other changes. The project remains available via a Docker image.

Release Notes

New code features and enhancements

  • A new Scorecard GitHub Action
  • New checks: License and Dangerous-Workflow
  • Improved scoring system for complex checks like Branch-Protection, Token-Permissions
  • Improved Fuzzing check to support ClusterFuzzLite
  • Added support for new SAST tools like LGTM and SonarCloud in SAST check
  • Support for local code repository (using --local option)
  • Improved parsing of GitHub workflows
  • Improved test coverage
  • Scaled weekly cron job repos to analyze ~1M projects
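The Dangerous-Workflow check listed above looks for the "untrusted code checkout" pattern: a workflow that runs on a privileged trigger (pull_request_target or workflow_run, which execute in the base repository's context with its secrets and a write-capable GITHUB_TOKEN) and then checks out a ref the pull-request author controls, so anything that builds or tests that code runs with the maintainers' privileges. The detector below is an added example, not Scorecard's own implementation. The three workflows are constructed for the example, and the set of privileged triggers and the list of PR-controlled expressions are assumptions chosen to illustrate the pattern rather than Scorecard's exact lists.

```python
import re
from typing import Any

# Expressions that resolve to data the PR author controls. The set is an
# assumption chosen for this example, not Scorecard's own list.
UNTRUSTED_REF_RE = re.compile(
    r"github\.event\.pull_request\.head\.(?:sha|ref)"
    r"|github\.event\.pull_request\.merge_commit_sha"
    r"|github\.head_ref"
    r"|github\.event\.workflow_run\.head_(?:sha|branch)"
)

# Triggers that run in the base repository's context, with its secrets and a
# write-capable GITHUB_TOKEN, even when the event came from a fork.
PRIVILEGED_TRIGGERS = {"pull_request_target", "workflow_run"}


def triggers(workflow: dict[Any, Any]) -> set[str]:
    """Return the event names in the workflow's 'on' block.

    'on' may be a string, a list or a mapping. PyYAML follows YAML 1.1 and
    loads the bare key `on` as the boolean True, so both keys are accepted.
    """
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return {str(t) for t in on}
    if isinstance(on, dict):
        return {str(k) for k in on}
    return set()


def is_checkout_step(step: dict[str, Any]) -> bool:
    uses = step.get("uses", "")
    return isinstance(uses, str) and uses.split("@", 1)[0] == "actions/checkout"


def find_untrusted_checkouts(workflow: dict[Any, Any]) -> list[str]:
    """One finding per checkout of PR-controlled code under a privileged trigger."""
    privileged = triggers(workflow) & PRIVILEGED_TRIGGERS
    if not privileged:
        return []
    findings: list[str] = []
    for job_name, job in (workflow.get("jobs") or {}).items():
        for idx, step in enumerate(job.get("steps") or []):
            if not is_checkout_step(step):
                continue
            ref = str((step.get("with") or {}).get("ref", ""))
            if UNTRUSTED_REF_RE.search(ref):
                findings.append(
                    f"job '{job_name}' step {idx}: checks out untrusted ref {ref!r} "
                    f"under {'/'.join(sorted(privileged))}"
                )
    return findings


# Constructed workflows, in the form yaml.safe_load would return (not real repos).
VULNERABLE = {
    "name": "pr-build",
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v3",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "npm ci && npm test"},  # runs the fork's code with the base repo's secrets
    ]}},
}
SAFE = {
    "name": "pr-label",
    True: ["pull_request_target"],  # bare `on:` key as loaded by PyYAML
    "jobs": {"label": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v3"},  # no ref: checks out the base branch
        {"run": "./scripts/label.sh"},
    ]}},
}
UNPRIVILEGED = {
    "on": "pull_request",  # fork PRs get a read-only token and no secrets here
    "jobs": {"test": {"steps": [
        {"uses": "actions/checkout@v3",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
    ]}},
}

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("safe", SAFE), ("unprivileged", UNPRIVILEGED)):
        print(label, "->", find_untrusted_checkouts(wf) or "no findings")
```

Only the first workflow is flagged: the second uses the privileged trigger but checks out the base branch, and the third checks out the PR head under plain pull_request, where a fork's run gets no secrets and a read-only token. A real scanner would feed the result of yaml.safe_load on each file under .github/workflows into find_untrusted_checkouts; the boolean-True key is the one YAML 1.1 surprise to remember when doing so.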

Scaling

LTS

Contributors

Huge thanks to all community contributors

@laurentsimon, @naveensrinivasan, @chrismcgehee, @azeemshaikh38, @asraa, @olivekl, @evverx, @developer-guy, @oliverchang, @varunsh-coder, @david-a-wheeler, @imjasonh, @nanikjava, @JamieMagee, @lehors, @r0mdau, @cpanato, @dota17, @Juneezee

New Contributors

Mailing lists

Full Changelog: https://github.com/ossf/scorecard/compare/v3.0.0...v4.0.0

scorecard - v3.2.1

Published by github-actions[bot] almost 3 years ago

Changelog

aa634bd2518328ceb1c80305c2c9008f1c176da4: 🌱 Fixes the broken e2e (@naveensrinivasan)
53ae5830968b635e94cdb95789f5b850f55ff7cb: Remove obviously invalid URLs from projects.csv (#1165) (@azeemshaikh38)
0ba864e9c2062186bcd6f5ed0a14784d40b38e86: Avoid panic in code (#1171) (@azeemshaikh38)
d9e35cda2ac4227efecbf22988ac5745290c015d: 🐛 Fix flaky tests in cron/data/add (#1185) (@laurentsimon)
4cca9b4960bcbe59e0e2d0fdae1b5a7e34c5eee9: ✨ Implement local repo client for local folders (#1146) (@laurentsimon)
c73c5628ea96b460809301db68a59e082d12a3c4: Fix GitHub workflows failing (#1172) (@azeemshaikh38)
87359619c7340e1eefe0c051c3cccd80f1c69089: Update shard naming to allow for 1M+ shards (#1170) (@azeemshaikh38)
608866949b237ab178ee59ec49c16f07cb2d898e: 🐛 Fix ListFiles caching in localrepo client (#1190) (@laurentsimon)
b08a4a8ca7f8eee18a25be378b8f728a3467a2c5: Increase worker replicas (#1173) (@azeemshaikh38)
1db0f9745f2947a74a7bcff38e2f445486731d01: Sanitized repo URLs ~1M (#1182) (@azeemshaikh38)
138552848d7c7ec2fd5885a3d38c8a30637b06d5: Remove Repo CPU runtime stat logging (#1186) (@azeemshaikh38)
92dff665a42cd4d864707dffa5775573a20b0db0: 🌱 Bump distroless/base from 56d73a6 to 46d4514 (#1176) (@dependabot[bot])
ed2ef299f166bea3e3292dc1100bdc2f5cc10695: 🌱 Bump distroless/base in /cron/webhook (#1177) (@dependabot[bot])
6467b31c4c6b0699d6e54a9b3c3ff4215b6c62f3: 📖 Update CODEOWNERS (#1189) (@r0mdau)
52ce50c2b50c772063223df489264ff13f682b5d: 🌱 Bump distroless/base in /cron/worker (#1193) (@dependabot[bot])
148446bb835655ee63fedebd42efd3420dab96b6: 🌱 Bump distroless/base in /cron/controller (#1192) (@dependabot[bot])
83649a799ec4a7953a3180297311c4427edd0474: Remove repos package (#1191) (@azeemshaikh38)
a53245a9fc4d90aa0f58ca5d32f356cce8e02e8a: 🐛 Fix broken e2e tests for Binary Artifacts (@naveensrinivasan)
c7511206a15deebf1c613849435878a75e1524db: 🌱 Reproducible builds in goreleaser (#1198) (@naveensrinivasan)
69f9774b932868e21609b16c3f755176c2d5d12e: Store metadata in BigQuery (#1197) (@azeemshaikh38)
d3796f29b1c83695ee38a187f90cff71ac72cd09: ✨ Add ClusterFuzzLite to Fuzzing check. (#1166) (@oliverchang)
1cc8601c2c8717699b04ba751cbf900b49087da8: 📖 Included the meeting minutes (#1202) (@naveensrinivasan)
ff316e1f978b83bd257487a2d871ac9eca449726: 🐛 Removed the Binary Artifact (@naveensrinivasan)
a6d298a60a65bf2a6ddc7db3690ae25fe186829a: ✨ Use checks.yaml to store which repo types are supported by each check (#1195) (@laurentsimon)
257d99e1c65aad07484336ad09bfed90ade35799: 🌱 Fixed the failing tests (@naveensrinivasan)
8a83a81fd7c5b1873365f1159f1c41681dd10476: ✨ Validate check.yaml's repo interface support (#1210) (@laurentsimon)
59edb12f2a3d39e0dabac75e3b37fae9166c05b5: 🐛 Use only olivekl@ in CODEOWNER (#1212) (@laurentsimon)
8805ac54d05976a6162e7258e0dde8f00d26d6bc: ✨ Add --local option to CLI (#1211) (@laurentsimon)
6562cc1f4488c7a018b5c6b4e031f990058d95a2: 🌱 Bump actions/checkout from 2.3.5 to 2.4.0 (@dependabot[bot])
2006be181938b541cf68f76aec8496db10fc46fd: 🐛 Token permission check was failing on non-yaml files (@chrismcgehee)
ddd770ae143b582ae04cd1e1bc82f2e50bfe20ff: 📖 Updated the community links (#1216) (@naveensrinivasan)
af594d39210f97029cd207e32b703939cf42b177: spelling (#1219) (@laurentsimon)
67f070f73c31fb38684774729bbd3501b2b462c5: remove action (#1223) (@laurentsimon)
4ee366eb0ff1425f68295d1b6d9e67f59e58f393: 🌱 Move docker build checks to ko (#1214) (@naveensrinivasan)
b3ac52a06b7870133b39996972a911e8b2124642: PR support (#1227) (@laurentsimon)
f319aca82d5fd2238c37073e73de8b5172f660fb: Moving github workflow parsing to its own file (@chrismcgehee)
3dc507b9e1bc99ea3327251ea9e1a715eb5b665d: Using library to parse github workflows (@chrismcgehee)
09b7b3bd3de54001674cb13b1f812bef796c140c: ✨ Pull request support for GitHub action (#1222) (@laurentsimon)
4fbd0fe93ec800e42fddf6a66a39298c76a829bb: Adding Chris as facilitator (@chrismcgehee)
929fd6e9e4d5214bbed2c627d80fcbeb5f833c6c: deterministic sarif gen (#1233) (@laurentsimon)
ae271b451366bee8aa3fd76daaf1582e81eb2c1b: 🐛 Validate doc on pre-submit (#1235) (@laurentsimon)
6a2fb2edc25c41b08d15c91b3b2a77861bca769b: Add LGTM to the SAST check (#1232) (@evverx)
5524c9717b2f51480c4be4d273df70e497e2b49d: SAST: no longer skip "neutral" checks (#1237) (@evverx)
795505fd7f1989ed2620149e204c32d5cb1b43f7: ✨ Remove isScorecardRepo (#1236) (@laurentsimon)
46611eac5d69cc3d3a5188b59f91e982a01b0bab: Security-Policy: really look for the security policy (@evverx)
9dfac392230856d2bfff34f942adb00d80e0bad9: Fix the way diff is shown (#1249) (@azeemshaikh38)
ab2bb205d4f94d1c484220ed34a47882442fc8ed: Fix nil-ptr access bug (#1248) (@azeemshaikh38)
c8d2a513750239eb51f0e2f7133f0226cf6c67d4: Ignore nil values in Branch-Protection check (#1243) (@azeemshaikh38)
177502552a5e150c6a590b2f492d54b5f229ccfc: 🌱 Move from io/ioutil to io and os packages (#1250) (@Juneezee)
51de6b6e5d9b025561b15c30cbb498bf31101427: Check for issue activity in Maintained (#1251) (@azeemshaikh38)
16cd53de44ac7b3bc0d9619548bb3f03c049a72d: make install was not installing to GOPATH (@chrismcgehee)
d4904555b49d033a4b66ca88c4750a7857ffc891: CI-Test: stop assuming either "statuses" or "check runs" are used (#1259) (@evverx)
6223b6620ad5b268f99f5a6daf21b766799cdda6: Add CIIClient interface (#1262) (@azeemshaikh38)
72e20a076c4b59e59799b2bbcd1468fb504a2018: Add repoClient.Close for all e2e tests (#1265) (@azeemshaikh38)
5950fdef67d58f7aaebd68d005e0d3c92200297f: 🐛 fix special character in search query to fix fuzzing check (#1241) (@asraa)
4dde35632906a5d0e0484503c1a7cb58b4214425: Fix nil-ptr dereference (#1269) (@azeemshaikh38)
1050b1cd607b3686641c96ac071ae6774e60588f: ✨ Add dangerous workflow check with untrusted code checkout pattern (#1168) (@asraa)
63e3b92466f0403159c02f1ccedd43f9400e8b26: fix (#1277) (@laurentsimon)
4502dfb55787891d555682c1c5f6e3f83fa1d236: ✨ Reduce false positives in Token-Permissions for contents permission (#1253) (@laurentsimon)
71e8698617d25b006cf0935da5e1fb5487bff292: Add a cron job to copy CII badges data (#1278) (@azeemshaikh38)
a05ac54b67beafa69708ce4867f7f2ad32fe402a: 🐛 Fix the reproducible builds (#1282) (@naveensrinivasan)
86835fcfd6559479f603ef623d6c0948f5dae4b2: 🐛 Fix branch protection results (#1252) (@laurentsimon)
4bd24b829148ff80510e8b1a14cd998f5cafdee6: Including line number: Dockerfile FROM not pinned (#1258) (@chrismcgehee)
cc4949465b6730ee398e49a096e0132f02078372: ✨ [Check split]: Binary-Artifacts (#1244) (@laurentsimon)
0bd575641dc1a59d2971e0ffad8598965ea289cb: Binary-Artifacts: no longer complain about ".bin" files (#1288) (@evverx)
0b32cc313854146f53594186554b3539f539ae04: Fix broken e2e tests (#1291) (@azeemshaikh38)
2375ae2812319adc902f917cbdc51032b3290c54: Add a OssFuzzRepoClient (#1280) (@azeemshaikh38)
0339eeadc2dfea9765993eca4944590cb792c59b: 🌱 Fix integration test runs (#1286) (@naveensrinivasan)
8fae5b10bd9d12138af53d08ebe4416b028a7b84: Fix more nil-ptr dereferences (#1295) (@azeemshaikh38)
b4e32052fe3b6d2f8d56f6dd95f2661b3b87fca7: ci: drop trailing whitespaces (#1292) (@evverx)
e15e7b1ca5f981fcb726756b181df1f3f78b7f04: More nilptr issues (#1296) (@azeemshaikh38)
9878c4e61e1686ccce5625cff80e4775f072b1b2: Randomize the repos tested during release test (#1299) (@azeemshaikh38)
89b316c64d9384a3e049b636d98a43b7a7c2be16: Use blob-based CII client in cron job (#1284) (@azeemshaikh38)
08a78762da5a040c137ba9d2b4d34e2a2a3659d1: Run Dangerous-Workflow in release tests (#1301) (@azeemshaikh38)
5025299eb686e8ebaf1de95a52cab5926b0c204c: Fix issues with CII client (#1309) (@azeemshaikh38)
6e7e13ede4a15e085edb789781409e3ac9883cdb: 🌱 Fix vulnerabilities in dependencies (@naveensrinivasan)
10ee2c069fd8888b2ec127d750a71cd4be037dbe: Use pull_request_target + protected env for e2e (#1308) (@azeemshaikh38)
730076fab1232ce5df0563f25dc952f80177f377: 🐛 fix dangerous workflow test and workflow parsing (#1283) (@asraa)
9d2976592fd04d1b5357ad1532b463fc6c4824e5: Signed-Releases: really look for *.sign files (#1298) (@evverx)
fd8731481f5d953f0bba8d1cb99ff99e3b7daf85: ✨ Update score for branch protection with levels (#1287) (@laurentsimon)
67c5e933d0e3731ee660846f38912596d7a5ccde: fix (#1318) (@laurentsimon)
23b0ddb8aa96356321cf31a2709723e29b15a951: fix (#1316) (@laurentsimon)

Thanks for all contributors!

scorecard - v3.1.1

Published by github-actions[bot] almost 3 years ago

Changelog

6f1a1cb1f4f969dc2806de46b32295997b381a31: 📖 Update README.md (#1160) (@olivekl)
c13783a040287f120146d62e86d88dcb6ed5cbdd: 🐛 Fixing parsing for Github workflow when matrix is an expression (@chrismcgehee)
faab6969d65d1ca227ebda2ff851254fc24ded40: Improve formatting, readability (@chrismcgehee)
6f1a43a0b60f2473991e21153d26e58e586b98e0: 🌱 add google/ko support for building/pushing container image (#1127) (@developer-guy)
1b885874ac1067457a75f613e5c95a8bed6ec0a2: 🌱 Fix CVE warning for containerd (@naveensrinivasan)
fd238d0e40ebc898e4aa592ad133b1f15687384f: 🌱 Fix goreleaser permission and flags (@naveensrinivasan)

Thanks for all contributors!

scorecard - v3.0.1

Published by laurentsimon about 3 years ago

What's Changed

Full Changelog: https://github.com/ossf/scorecard/compare/v3.0.0...v3.0.1

scorecard - v3.0.0

Published by laurentsimon about 3 years ago

Description

This release of Scorecard provides bug fixes, enhancements and new features, including many changes that are not compatible with earlier versions of Scorecard. The project remains available via a Docker image.

Release Notes

API changes

We are experimenting with new APIs based on user feedback to improve clarity and usability. Please try them out and leave us feedback on the scorecard repository!

New code features and enhancements

  • Numeric scoring and risk categories replace Pass/Fail.
  • Aggregated score.
  • Improved JSON output (--format json | jq).
  • New repo interface to simplify the future integration of other code versioning systems besides GitHub.
  • Use GitHub v4 (GraphQL) APIs instead of REST API to improve performance and efficiency.
  • Improved documentation (checks and main README).
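The numeric scores and the `--format json` output above are what make Scorecard usable as a CI gate: pipe the result through a small policy and fail the build when a check drops below the threshold you set for it. The gate below is an added example, not Scorecard's own policy file or code. The sample document is constructed to mirror the shape of the JSON output (the field names are this example's assumption about the v2 format), the thresholds are arbitrary, and a score of -1, which marks a check that could not be completed, is treated as a failure rather than silently passing.

```python
import json
import sys

# Constructed sample in the shape of Scorecard's JSON output. The field names
# follow the JSON v2 format as this example assumes it; a score of -1 marks a
# check that could not be completed. Details are shortened.
SAMPLE_OUTPUT = json.dumps({
    "date": "2022-05-20",
    "repo": {"name": "github.com/example/project",
             "commit": "0123456789abcdef0123456789abcdef01234567"},
    "scorecard": {"version": "v4.3.0", "commit": "6406cfd"},
    "score": 6.8,
    "checks": [
        {"name": "Binary-Artifacts", "score": 10,
         "reason": "no binaries found in the repo", "details": None},
        {"name": "Token-Permissions", "score": 0,
         "reason": "non read-only tokens detected in GitHub workflows",
         "details": ["Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml"]},
        {"name": "Dangerous-Workflow", "score": 10,
         "reason": "no dangerous workflow patterns detected", "details": None},
        {"name": "Pinned-Dependencies", "score": 7,
         "reason": "dependency not pinned by hash detected", "details": None},
        {"name": "Fuzzing", "score": -1,
         "reason": "internal error: check could not be completed", "details": None},
    ],
})

# Minimum acceptable score per check (arbitrary values for the example).
# Checks absent from the policy are not enforced.
POLICY = {
    "Binary-Artifacts": 10,
    "Token-Permissions": 8,
    "Dangerous-Workflow": 10,
    "Pinned-Dependencies": 5,
    "Fuzzing": 5,
}


def evaluate(raw_json: str, policy: dict[str, int], fail_on_inconclusive: bool = True) -> list[str]:
    """Return one violation per policy entry whose check is below threshold, missing or inconclusive."""
    result = json.loads(raw_json)
    by_name = {check["name"]: check for check in result.get("checks", [])}
    violations: list[str] = []
    for name, minimum in policy.items():
        check = by_name.get(name)
        if check is None:
            violations.append(f"{name}: not present in results (was it disabled or filtered out?)")
            continue
        score, reason = check["score"], check.get("reason", "")
        if score < 0:
            # Inconclusive is not a pass: a rate-limited or crashed check says nothing about the repo.
            if fail_on_inconclusive:
                violations.append(f"{name}: inconclusive ({reason})")
            continue
        if score < minimum:
            violations.append(f"{name}: {score} < {minimum} ({reason})")
    return violations


if __name__ == "__main__":
    # In CI, pass the file written by `scorecard --repo=... --format json` as the first argument.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    problems = evaluate(raw, POLICY)
    for line in problems:
        print("FAIL", line)
    sys.exit(1 if problems else 0)
```

On the sample this fails on two entries: Token-Permissions (0 against a minimum of 8) and Fuzzing (inconclusive). Gating on individual checks rather than the aggregate score is deliberate: a high aggregate can hide a zero on the one check that matters for your threat model, and treating -1 as a failure keeps a flaky API call from quietly turning a gate green.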

Removal

  • Support for CSV format has been removed. Please migrate to the JSON format when upgrading.

Scaling

LTS

  • Weekly scans that output the older JSON format will continue until 31 March 2022.
  • Weekly scans that output the new JSON format will be available at least until the end of 2022.

Huge thanks to all community contributors

@naveensrinivasan, @chrismcgehee, @nanikjava, @rsprabery, @slugclub, @nathan-415, @neil465, @notanton, @ben-moss, @evalphobia, @johanbrandhorst, @iamamoose, @david-a-wheeler, @olivekl, @asraa, @loosebazooka, @meder, @oliverchang, @azeemshaikh38, @laurentsimon

Mailing lists

Full Changelog: https://github.com/ossf/scorecard/compare/v2.0.0...v3.0.0

scorecard - v2.2.8

Published by github-actions[bot] about 3 years ago

Changelog

3cbe7b2 Consistent -ldflags across go build (#1070)
06c14a6 Minor fixes to README.md (#1066)
6b9010e changes (#1062)
2c16597 Fix GitVersion in cron job (#1065)
1d3f3e3 gpg-private-key in goreleaser (#1064)
9df865c Regenerate docs/checks.md (#1061)
42e2b98 🌱 Bump actions/github-script from 4.1.0 to 4.1.1
0074111 Fix CodeReview bug (#1058)
fb77e42 ✨ Per-check score threshold for SARIF (#1057)
0686ed2 🐛 Fix invalid code review (#1055)
aa93ac2 Modify the text to acknowledge GitHub != universe (#1037)
5655cbb ✨ Add aggregate score to cron JSON (#1050)
b9daae1 🐛 Update message for Code-Review (#1054)
91eb41e 🌱 Check for OSV for a go.mod changes (#1053)
075cf0c 150k+ repos and num_dependents_deps.dev metadata (#1052)
5d6a7cd ✨ Add policy file (#1002)
90332a9 🌱 Add counting of shell parsing errors (#1026)
44dd10d 📖 Olivekl patch 1 (#1039)
d4caef0 🌱 Fix GO-2020-0020 (#1047)
14dc32f Enforce non-concurrent token usage (#1048)
5fb87cb 🌱 Bump golang.org/x/tools from 0.1.5 to 0.1.6 (#1041)
39bd00c ✨ Add aggregated score (#1046)
fd6e58d 🌱 Fixes GO-2020-0017 OSV (#1045)
51e11e6 🌱 Fix GO-2021-0089 vulnerability
bc5d7a8 📖 Improve text on Packaging (#1035)
ea77ab7 fix prev PR (#1033)
45fb779 📖 Improve explanation about multiple reviewers (and their lack) (#1017)
34b97e3 ✨ Update k8's transfer releasetest-v2 (#1023)
e1a6e7d 📖 Fixed the docs for dependabot
9e81b5f 📖 Fixed the dependabot check message
30cae86 📖 Warn when checks are prone to false negatives (#1019)
1e4f723 🌱 Fixes permission for main.yml action
8b7da7c 📖 Improve rationale for Binary-Artifacts (#1016)
646b339 Explain that active maintenance isn't always needed (#1013)
6868fe6 Note that pinning is a way to mitigate dependency confusion (#1012)
6fb92a3 add version for cron (#1011)
afb01f4 Fix CII Best Practices badge info (#1010)
aa2ed45 📖 Docs: Pinned dependency doc 2 (#1004)
6178207 ✨ Update cron's JSON format (#1001)
b6cd4cf Fix CONTRIBUTING.md for doc updates 📖 (#1007)
a5a6a30 README.md: Add hyperlinks to docs/checks.md (#1008)
b0fab3f code (#1006)
4c4fb61 🌱 Bump cloud.google.com/go/pubsub from 1.16.0 to 1.17.0 (#992)
0590b03 ✨ change message to make it easier for the user (#1003)
ba53081 Tweak "pinned dependency" discussion (#999)
cc044ca 🌱 Bump go.uber.org/zap from 1.19.0 to 1.19.1 (#993)
bc37c74 Remove Owner/Repo strings from CheckRequest (#997)
e730e91 sce.Create -> sce.WithMessage for wrapcheck (#995)
1cb8c06 Bug in Makefile generate-docs (#996)
d6174db semantic version (#991)
af24ed4 🌱 Included codeql check for GitHub Actions (#988)
870db56 Cleanup documentation code (#981)
1da121d ✨ Give low importance to github-owned actions (#802) (#906)
576447a 🌱 Fix the jwt finding
924d4d5 📖 Update README.md (#976)
2b15b13 🌱 Moving tools dependencies to separate go.mod
1c7ba79 🐛 Github workflow steps run on Windows should default to pwsh as its shell (#877)
a3d63bf 🌱 Updated actions permission for codeql (#964)
942c4cf 🌱 Bump crazy-max/ghaction-import-gpg from 3.2.0 to 4 (#971)
0aa4305 🌱 Bump github.com/golangci/golangci-lint from 1.42.0 to 1.42.1 (#973)
5476b87 ✨ Removed unnecessary linters (#969)
f220924 🌱 Bump distroless/base in /cron/worker
29b7bd3 Parsing GitHub Workflows should only happen on yaml files
2ae8910 📖 Fixed the deadlink to the documentation (#963)
fda87a4 Fixed typo reepo to repo
f55b86d 🌱 Bump peter-evans/slash-command-dispatch from 2.2.1 to 2.3.0 (#955)
e30d9e5 🌱 Bump gocloud.dev from 0.23.0 to 0.24.0 (#956)
b847d54 🌱 Bump distroless/base in /cron/controller (#961)
0620758 Updated go get to go install (#953)

scorecard - v2.2.3

Published by github-actions[bot] about 3 years ago

Changelog

7b912e8 Return DefaultBranch as part of ListBranches (#960)
830c4f5 100k cron job repos (#958)
afe5b40 Make RepoClient as default interface for Scorecard (#951)
1434977 :sparkling: Upgraded to go 1.17
eceb577 Add and use RepoClient API for ListStatuses (#949)
eb2b3b2 Add RepoClient API for ListCheckRunsForRef (#948)
8f5e742 ✨ Improve JSON format (#934)
b5e4c77 🌱 Bump distroless/base from 19d927c to a74f307 (#945)
992775e 🌱 Bump distroless/base in /cron/webhook (#946)
dcbf752 🌱 Bump cloud.google.com/go/bigquery from 1.21.0 to 1.22.0 (#939)
dcbfb3c Fix syntax bug in CloudBuild YAML (#947)
df2acb4 Add COMMIT_SHA to Scorecard docker image (#944)
d6b6012 Specify fractions instead of percentage (#943)
99b9c91 Use RepoClient API for Packaging check (#940)
bb6e010 ✨ Decouple scorecard json from cron json (#941)
001ba67 🌱 Bump github.com/jszwec/csvutil from 1.5.0 to 1.5.1
d6ba2cd Fix #890 (#938)
e305a94 Use ListReleases API for BranchProtection check (#937)
9a1978a Use RefUpdateRule in BranchProtection check (#936)
d9f5209 Update test utils (#933)
dbb2345 ✨ Add line number to unpinned dependency: GitHub workflow "uses" field (#821)
ee6acdd Syntax bug in k8s file (#931)
915bad8 🌱 Bump distroless/base in /cron/worker
95c2df2 🌱 Bump distroless/base from bc84925 to 19d927c in /cron/bq (#926)
51016ea 🌱 Bump cloud.google.com/go/pubsub from 1.15.0 to 1.16.0 (#904)
c1edcea Use a completion threshold for BQ transfers (#930)
f40fa63 🌱 Included race flag to tests (#921)
d9b4188 🌱 Bump distroless/base in /cron/webhook
5b74c04 🌱 Bump distroless/base in /cron/controller
fe54c51 Only call GitHub APIs when needed (#918)
c9a617b 📖 Expand "Motivation" section (#924)
37696ac Create and use MockRepoClient in unit tests (#922)
50fd921 🌱 Fix the dependabot settings
f2afdba 🌱 Bump actions/setup-go from 2.1.3 to 2.1.4
b93f385 🌱 Bump distroless/base from ccbc79c to 19d927c
788fd33 ✨ Add JSON unit tests (#915)
e083f04 🐛 Fix date cron issue (#914)
d8e49e0 Remove unwanted dependencies (#913)
9eb7929 🐛 Address friction logs' comments (#899)
1c7c1e3 Fix bug in shardNum calculation (#910)
2d65ab4 Remove ErrRepoUnavailable (#908)
b89808f Pin protoc by SHA (#909)
e73f08e Fix nil ptr dereference (#907)
cc30d54 Use arduino/setup-protoc for installing Protoc (#903)
8cf95c4 Use singleton pattern for OSS-Fuzz (#902)
41d0ce3 Replace errors.As with Is (#901)
46a655d Fixes for Branch Protection (#900)
7bc2e00 🌱 Bump peter-evans/find-comment from 1.2.0 to 1.3.0 (#893)
ad134ac ✨ Add hash to results (JSON, SARIF) (#892)
6403eb1 ✨ Transition Packaging, SAST, Security-policy, Signed-releases check to the new structured detail format (#887)
b731f45 ✨ Transition Vulnerabilities, Permissions, CI-Tests, Dependency-Update-Tool, Code-Reviews to structured details (#889)
27c5821 Update README.md (#888)
aea1249 Add ephemeral-storage to cron worker (#885)
276155d ✨ SARIF 4: Add support to output SARIF format (#866)
d1de6cf support v3 (#883)
bb70e15 Remove token-heavy checks from cron job (#882)
77a4160 🌱 Bump github.com/onsi/gomega from 1.15.0 to 1.16.0 (#879)
b7c0d03 Handle GitHub repos with redirects (#876)
42700ee 🌱 Bump actions/github-script from 4.0.2 to 4.1
c73b28f ✨ fix: add github.com as default for owner/repo parameter (#872)
c54d77b 🐛 Only validate shell scripts supported by our parser (#862)
04e8bcf 🌱 Bump cloud.google.com/go/bigquery from 1.20.1 to 1.21.0 (#870)
1c9a255 Update docs to use :stable release (#865)
fa4e8a4 🌱 Bump github.com/golangci/golangci-lint from 1.41.1 to 1.42.0 (#869)
e7d9ec5 🌱 Bump cloud.google.com/go/pubsub from 1.14.0 to 1.15.0 (#858)
63a8fc7 Nil pointer dereference (#864)
cf01ea6 Fix nil pointer dereference bug (#860)
dbdcd4b ✨ SARIF 1: add structured detail (#843)
0a0d292 ✨ SARIF 3: add flag to yaml (#853)
13ef9dd Use RepoClient.Search API in SAST check (#857)
23764f0 ✨ Upload cron results to a table with new format (#830)
b3a3f7e ✨ SARIF 2: add short description to checks.yml (#848)
7233742 🌱 Bump go.uber.org/zap from 1.18.1 to 1.19.0 (#834)
42ee430 Use RepoClient API for Fuzzing (#855)
4c585f2 Fix nil pointer bug (#856)
8baaaa4 Use RepoClient API for Contributors check (#854)
b7ddc9a Update go-github version for consistency (#852)
d4701c4 Delete Signed-Tags check from Scorecard (#851)
29fbdae Enable automated e2e testing and releases (#850)
3f9431d Update SignedReleases to use RepoClient API (#844)
e160d4a 📖 Fixed the typos and rephrased some (#849)
7790d70 Use consistent golang image across Dockerfiles (#847)
cc312f2 ✨ feature: branch protection without admin token (#823)
a10baab 🌱 Bump golang from 5cdc91c to 3c4de86 (#846)
cbc556f Append changelog to new releases (#838)
eeb563b Update SAST and CITest with Repoclient API (#842)
5bcc1fd populate old details (#841)
977c2b8 Log runtime failures in cron job (#840)
20370f7 🐛 Look for organisation default .github security.md files in all the locations they are allowed to be in (#837)
ee8e402 🌱 Bump github.com/google/go-containerregistry (#832)
4fcb0a3 Fix a bug in flag parsing (#836)
0f6cbc1 🌱 Bump cloud.google.com/go/pubsub from 1.13.0 to 1.14.0 (#833)
6cc4135 Remove false log statement (#835)
bbf99ad 🌱 Bump cloud.google.com/go/bigquery from 1.19.0 to 1.20.1 (#820)
0561c15 Post to webhook on successful cron job completion (#829)
bc67dd3 Create a webhook for tagging Docker images (#828)
ce7d4c3 Update BQ query in README.md (#831)
a2e34ed 🌱 Bump crazy-max/ghaction-import-gpg from 3.1.0 to 3.2.0
ef9880c 🌱 Implemented ignore for license check

scorecard - v2.1.3

Published by github-actions[bot] about 3 years ago

scorecard - v2.1.2

Published by github-actions[bot] about 3 years ago

scorecard - v2.1.1

Published by github-actions[bot] about 3 years ago

scorecard - v2.1.0

Published by github-actions[bot] about 3 years ago

scorecard - v2.0.0

Published by github-actions[bot] over 3 years ago

scorecard - v1.2.0

Published by github-actions[bot] over 3 years ago

scorecard - v1.1.1

Published by github-actions[bot] over 3 years ago

Scorecard v1.1.1 release notes

Changes since v1.1.0

  • The scorecard releases are signed with gpg keys 🔑
  • Scorecard adds json response to the http endpoints.
  • This release included scanning of 2000 additional GitHub repositories.
  • The docker image of scorecard is published at GitHub Docker registry.
  • The dependent libraries were upgraded: github.com/spf13/cobra from 1.1.1 to 1.1.2 and github.com/spf13/cobra from 1.1.2 to 1.1.3.
  • There were improvements to the e2e testing.
  • Minor bug fixes to the existing scans.

Thanks to all our contributors! 😊

scorecard - v1.1.0

Published by github-actions[bot] over 3 years ago

Changelog

7ab314d Fix - dependabot githubactions location
bcf8d0d Fix - dependabot yaml error
4ad4a42 Feature - enabled dependabot for githubactions
f385b0d Feature - run scans from npm package name
0d77d89 Fix - tarball URL trailing slash
038e3b6 Bump github.com/onsi/gomega from 1.10.4 to 1.10.5
717701b Bump github.com/onsi/ginkgo from 1.14.2 to 1.15.0
8493b0b Add remediation steps for various checks.
93373f7 Fixes - Incorrect result for branch protection
2a1463b Feature - Report codecoverage to codecov.io
09b83b9 Fixes
33e9189 fix - panic on nil
c00aa4b Add e2e tests for remaining checks.
bcaa2e7 Lint fix.
b5096bf Fix backslash.
b278475 Fix CodeQL failure.
5b7ddc5 Add e2e test.
dc8d1fe Add packaging check.
c4c99cd feature - Included the e2e into the PR workflows
91bfea5 feat - Close stale issues
1d26654 Document - Included instruction for GITHUB_AUTH_TOKEN
1700c3a feature - Pull request template (#127)
b11fad8 feature - Included the status badge in README (#125)
7b740ce fix - Handle nil structs in branch protection (#124)
9d4e5c0 feature - CODEOWNERS for github branch protection feature (#123)
fcf0ac4 Merge pull request #119 from naveensrinivasan/feature/protected-branches
3191c55 Update README.md
938b9f2 Merge branch 'main' into feature/protected-branches
b506c6f Merge pull request #122 from ossf/b5
650fe0a Update README.md
3c94ffa Remove releases from active check.
5d84b86 Merge branch 'main' into feature/protected-branches
b86fae0 Fix https://github.com/ossf/scorecard/issues/121
9ce57c0 feature - Checks for branch protections
15a1ba0 feat - nonroot docker container (#114)
9e0388f Merge pull request #118 from naveensrinivasan/feature/update-readme
c5c51b9 feature - Update the CONTRIBUTING guidelines
b216a1e Feat - implemented goreleaser for releases (#117)
f77da77 feat-e2e tests for signed tags and signed releases (#115)
3df1191 Create Dependabot config file (#116)
ddc82c6 Add --show-details to the cron job. (#113)
329a4cf Merge pull request #109 from moorereason/release-tagname
88d5218 Use release tag name instead of name in log messages
a239820 Merge pull request #108 from moorereason/iss95-ci-tests
39464a5 Refactor CI-Tests to show negative results
7937da4 Merge pull request #103 from naveensrinivasan/fix/golangrun-ci-issue
9b1e28e Merge pull request #106 from ossf/b3
2d348a7 Merge pull request #105 from naveensrinivasan/feat/makefile
91780fd Allow skipping scheme, fix regression.
a56f707 Feat - Implemented Makefile and actions for PR
06f2616 fix - golangci-lint issues
c308663 Merge pull request #102 from naveensrinivasan/fix/shellcheck
3de6a1b fix - shellcheck violations for cron.sh
6549ecc Create codeql-analysis.yml (#101)
f7cb4d7 Merge pull request #100 from naveensrinivasan/fix/http-path
4362368 Tests updated to include validation for parsing
fd3a2a8 fix - URL with trailing slash
6b80b78 Merge pull request #98 from moorereason/iss95
ac55575 Adjust details logging on a few checks
348bedb Show negative results in Signed-Releases details
eb0d488 Show negative results in Signed-Tags details
4ec34e9 Show negative results to Pull-Requests details
1991617 Merge pull request #94 from ossf/b3
7a10bed Improve SAST check.
c5abb92 Merge pull request #91 from ossf/a12
87d6954 Merge pull request #92 from ossf/b1
0bcd8ea Improve fuzzing check.
ab2c9d4 Add support for yarn, composer in frozen deps check.
983e406 Merge pull request #90 from dlorenc/moreprojects
cd16def Add 50 Google projects.

scorecard - 1.0.0

Published by inferno-chromium almost 4 years ago

Initial open source release.