scorecard

OpenSSF Scorecard - Security health metrics for Open Source

License: APACHE-2.0
Downloads: 77 | Stars: 4.2K | Committers: 139

scorecard - v5.0.0-rc2 Latest Release

Published by spencerschrock 5 months ago

[!IMPORTANT]
This is a v5 prerelease candidate. There may be more breaking changes before the official v5.0.0 release.

What's Changed

Structured Results

Check Enhancements and Bug Fixes

  • Signed-Releases
    • 🐛 Fixed a Signed-Releases bug where more releases were being analyzed than intended. (#4060, @spencerschrock)
  • Code-Review
    • 🐛 Fixed an issue where Phabricator reviews weren't being parsed properly. (#4086, @spencerschrock)

Breaking Changes

  • ⚠️ errors in ErrXXX format by @cmwylie19 in https://github.com/ossf/scorecard/pull/4040
  • ⚠️ Enables maintainers to write annotations for Scorecard checks and consumers to view these annotations in Scorecard UI. (experimental #3905, @gabibguti)

Full Changelog: https://github.com/ossf/scorecard/compare/v5.0.0-rc1...v5.0.0-rc2

scorecard - v5.0.0-rc1

Published by spencerschrock 6 months ago

[!IMPORTANT]
This is a v5 prerelease candidate. There may be more breaking changes before the official v5.0.0 release.

What's Changed

Structured Results

We invite users to try out a preview of Structured Results, the main feature from this release candidate. For more details on the feature, please check out the first paragraph of our probes README as well as our blog post (coming next week).

At a high level, structured results break the existing 19 Scorecard Checks into individual heuristics (probes) so users can pick and choose which ones they care about. You can see a list of all supported probes by checking out the probes/ directory. To run individual probes, use the --probes CLI flag with a comma-separated list of names. You must also specify the --format probe option to see the results. Please run scorecard --help if you need more details.

Example:

scorecard --repo github.com/ossf/scorecard --probes archived,fuzzed,hasLicenseFile --format probe

Check Enhancements and Bug Fixes

  • Branch-Protection
    • ✨ The Branch-Protection check now also evaluates whether the project requires PRs prior to making changes to the branch. This won't change anything for users who already require reviews, but it enables a score improvement for those who can't require reviewers. (#3499, @diogoteles08)
  • Dependency-Update-Tool
    • ✨ Dependency-Update-Tool now detects Renovate config files in a .gitlab folder. (#3823, @spencerschrock)
    • 🐛 Sonatype Lift is no longer recognized as a Dependency-Update-Tool because it is retired. (#3605, @spencerschrock)
    • 🐛 Dependency-Update-Tool: ignore search commit data for repo clients which don't support it by @spencerschrock in https://github.com/ossf/scorecard/pull/3756
  • Pinned-Dependencies
    • 🐛 Pinned-Dependencies now continues after encountering runtime errors (#3515, @pnacht)
    • 🐛 Scorecard no longer considers unpinned Dockerfiles in vendor and third_party directories. (#3675, @AdamKorcz)
    • 🐛 Files downloaded by Git SHA from GitHub and executed are no longer considered as not pinned by hash. (#3694, @martincostello)
    • 🐛 Shell commands in Dockerfile here-documents are now parsed correctly by the Pinned-Dependencies check (#3774, @jkreileder)
  • Signed-Releases
    • 🐛 Fixed a bug which allowed some repos to score higher than 10 in the Signed-Releases check. (#3768, @spencerschrock)
    • ✨ Support .sigstore bundles to check for signed releases (#3772, @edgarrmondragon)
  • Vulnerabilities
    • 🐛 Projects without dependencies or packages no longer throw an error for the Vulnerabilities check. (#3803, @spencerschrock)
    • 🐛 Go stdlib vulns are removed from the Vulnerabilities check output (#3925, @spencerschrock)

RepoClient Improvements

  • GitHub
    • 🐛 Scorecard processes commit activity from large GitHub repos in chunks to avoid timeout issues (#3680, @spencerschrock)
  • GitLab
    • 🐛 Fix scanning for GitLab private repositories. (#3596, @gabibguti)
    • ✨ Added --commit-depth support for GitLab repos (#3672, @ashearin)
    • 🐛 Parse GitLab Status fields to align with GitHub Status and Conclusion by @ashearin in https://github.com/ossf/scorecard/pull/3706
    • 🐛 Fix signed release error for empty GitLab repo by @naveensrinivasan in https://github.com/ossf/scorecard/pull/3753
    • 🐛 Scorecard no longer crashes on GitLab repos with no commits (#3731, @ashearin)
    • 🐛 Fixed a bug which prevented Scorecard from analyzing some self-hosted GitLab repos. (#3819, @spencerschrock)

Full Changelog: https://github.com/ossf/scorecard/compare/v4.13.1...v5.0.0-rc1

scorecard - v4.13.1

Published by spencerschrock 12 months ago

Full Changelog: https://github.com/ossf/scorecard/compare/v4.13.0...v4.13.1

scorecard - v4.13.0

Published by spencerschrock about 1 year ago

Full Changelog: https://github.com/ossf/scorecard/compare/v4.12.0...v4.13.0

scorecard - v4.12.0

Published by raghavkaul about 1 year ago

This version of Scorecard supports GitLab repos by default.

This release also adds preliminary support for the scdiff command which can be used to compare changes in Scorecard scores for a repository between versions of Scorecard, as well as probe support for the Security-Policy check.

Finally, this release fixes scoring issues in the Branch-Protection and Pinned-Dependencies checks.

What's Changed

WIP

  • ✨ GitLab: Release by @raghavkaul in #3340
  • ✨ [experimental] Probe support for security policy check by @laurentsimon in #3241

Bug Fixes

  • 🐛 Fix Branch-Protection scoring by @gabibguti in #3251
  • 🐛 Forgive job-level permissions by @pnacht in #3162
  • 🐛 Add npm installs to Pinned-Dependencies score by @gabibguti in #2960

Docs

  • 📖 Add release process by @spencerschrock in #3322
  • 📖 Update GitHub documentation links by @martincostello in #3318
  • 📖 Fixed slack badge on README by @eddie-knight in #3311
  • 📖 update docs for webhooks documentation by @leec94 in #3299
  • 📖 Add contributor ladder by @pnacht in #3246
  • 📖 Suggest new score viewer on badge documentation by @diogoteles08 in #3268
  • 📖 Update Branch-Protection admin and non-admin requirements by @gabibguti, @pnacht in #2772

Full Changelog: https://github.com/ossf/scorecard/compare/v4.11.0...v4.12.0

scorecard - v4.11.0

Published by spencerschrock over 1 year ago

Full Changelog: https://github.com/ossf/scorecard/compare/v4.10.5...v4.11.0

scorecard - v4.10.5

Published by github-actions[bot] over 1 year ago

Changelog

Bug fixes

  • Fixed a bug which resulted in increased API usage when running the SAST check with a Personal Access Token

Full Changelog: https://github.com/ossf/scorecard/compare/v4.10.4...v4.10.5

Thanks for all contributors!

scorecard - v4.10.4

Published by github-actions[bot] over 1 year ago

Changelog

  • 9831629 Increase recordings, switch API, and lower tolerance (#2760)
  • 8966abd Initial implementation of go-git client (#2720)
  • 603263c 🐛 Fix typo in CITests runtime errors causing duplicate Code-Review checks. (#2756)
  • c20ed9e 🌱 Update .github/workflows/goreleaser.yaml (#2755)
  • 0b45c90 🌱 Bump step-security/harden-runner from 2.2.0 to 2.2.1 (#2753)
  • 23bd295 🌱 Bump github/codeql-action from 2.2.4 to 2.2.6 (#2741)
  • fc026ef 🌱 Bump github.com/google/ko from 0.12.0 to 0.13.0 in /tools (#2742)
  • 2e04214 🌱 Bump tj-actions/changed-files from 35.6.2 to 35.7.0
  • e36b590 🌱 Bump actions/cache from 3.3.0 to 3.3.1 (#2740)
  • 6ff94eb 🐛 Handle editable pip installs (#2731)
  • 110e352 ✨ Gitlab support: RepoClient (#2655)
  • 5625dda 🌱 Bump github.com/onsi/ginkgo/v2 from 2.8.3 to 2.9.0 in /tools
  • d591e38 🌱 Add RepoClient re-use E2E tests. (#2625)
  • a7e81bb 🌱 Bump actions/cache from 3.2.6 to 3.3.0 (#2738)
  • b5254fe 🌱 Bump tj-actions/changed-files from 35.6.1 to 35.6.2 (#2736)
  • 2e6347f 🌱 Bump github.com/moby/buildkit from 0.10.3 to 0.11.4 (#2735)
  • 170af75 🐛 Updates osv-scanner dependency to 1.2.0. (#2704)
  • 5f13a66 Atomically load from accessState to avoid data race. (#2732)
  • 0c090b3 🌱 Updated the coverage for tests (#2728)
  • 0169c37 🌱 Setup cron for running as GitHub App (#2721)
  • d708c6c 🌱 Bump tj-actions/changed-files from 35.5.4 to 35.6.1
  • fb12a39 🌱 Bump github.com/google/ko in /tools
  • 0bed3da 🌱 Bump github.com/jszwec/csvutil from 1.7.1 to 1.8.0 (#2698)
  • 61866a0 🐛 Check OSS Fuzz build file for Fuzzing check (#2719)
  • c06ac74 🌱 Removed failing tests (#2718)
  • b8bc65f Add projects to cronjob (#2716)
  • def5ead 📖 update bigquery docs in README (#2714)
  • 36faeac Consider 'src/test' test directories (#2706)
  • 846fb19 Refactor githubrepo CheckRun logic (#2710)
  • 82a122b 🌱 Bump sigstore/cosign-installer from 2.8.1 to 3.0.1
  • c4bd0c5 ⚠️ Update date formats and fields to RFC3339 (#2712)
  • 8add330 📖 Fix links. (#2703)
  • 35a7dd5 🌱 Bump kubernetes-sigs/kubebuilder-release-tools
  • c7e362d 🌱 Bump step-security/harden-runner from 2.1.0 to 2.2.0
  • be8a437 🌱 Bump github.com/onsi/ginkgo/v2 from 2.8.1 to 2.8.3 in /tools (#2694)
  • 034add1 🌱 Bump k8s.io/client-go from 0.18.8 to 0.20.0
  • feb267a 🌱 Bump golang.org/x/net from 0.6.0 to 0.7.0 in /tools
  • 78069d8 Consider ko-build/setup-ko as a packaging workflow (#2692)
  • db6a26e 🌱 Bump actions/cache from 3.2.3 to 3.2.6
  • 24b779f 🌱 Bump mvdan.cc/sh/v3 from 3.5.1 to 3.6.0 (#2615)
  • 48813a3 🌱 Bump golang.org/x/net from 0.5.0 to 0.7.0 (#2680)
  • d334409 Add Azure Devops as valid CI system (#2662)
  • 047c014 🌱 Bump github/codeql-action from 2.2.3 to 2.2.4 (#2676)
  • 5e6a521 🌱 Update deps for fixing GHSA-r48q-9g5r-8q2h (#2675)
  • adb1ce3 🌱 add new github.com/intel repos (#2673)
  • 603cd92 🌱 Bump github.com/onsi/ginkgo/v2 from 2.7.0 to 2.8.1 in /tools (#2660)
  • 559b71b Invite @raghavkaul as maintainer (#2663)
  • 353e2c6 🌱 Bump tj-actions/changed-files from 35.5.0 to 35.5.4 (#2674)
  • c9f582b Limit integration tests to ones that work with the GITHUB_TOKEN. (#2672)
  • 7876a13 🌱 Temporarily skip OSS-Fuzz e2e test. (#2671)
  • 93900ac 🌱 Bump github/codeql-action from 2.2.0 to 2.2.3 (#2649)
  • 8115756 🌱 Bump peter-evans/find-comment from 2.1.0 to 2.2.1 (#2641)
  • ee8dd5d Image build pipeline (#2613)
  • d331f8e Fix typo (add s to ') (#2638)
  • ac008ec 🌱 Bump tj-actions/changed-files from 35.4.4 to 35.5.0 (#2635)
  • 0f33c37 📖 Update docs on how to run and debug locally (#2587)
  • 2ea140a ✨ Structured results for permissions (#2584)
  • 4ebe521 🌱 Bump github/codeql-action from 2.1.39 to 2.2.0 (#2618)
  • 1c6ab16 🌱 Bump github.com/go-git/go-git/v5 from 5.4.2 to 5.5.2 (#2600)
  • e6a900d Handle Docker URLs for GitHub actions workflows (#2594)
  • 3f372e9 🌱 Bump tj-actions/changed-files from 35.4.1 to 35.4.4
  • 99398db 🌱 Bump github/codeql-action from 2.1.38 to 2.1.39 (#2607)
  • 9385905 Revert "perf.: run integration tests only on approved PRs (#2609)" (#2612)
  • f25d010 🌱 Bump github.com/google/addlicense in /tools (#2608)
  • a29182d perf.: run integration tests only on approved PRs (#2609)
  • 6112c07 🌱 Bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#2539)
  • f1ca6d7 🌱 Bump actions/cache from 3.0.11 to 3.2.3 (#2599)
  • 9c49fbf 🌱 Bump step-security/harden-runner from 2.0.0 to 2.1.0 (#2604)
  • 1b5bdb4 🌱 Bump actions/upload-artifact from 3.1.1 to 3.1.2 (#2601)
  • 67daacc 🌱 Bump tj-actions/changed-files from 35.2.0 to 35.4.1 (#2598)
  • fc299e3 🌱 Bump actions/dependency-review-action from 3.0.2 to 3.0.3 (#2585)
  • 2704fc5 🌱 Bump github.com/xanzy/go-gitlab from 0.77.0 to 0.78.0 (#2591)
  • 4a9c774 🌱 Bump github/codeql-action from 2.1.36 to 2.1.38 (#2597)
  • 811bf75 Add correct contact to CODE_OF_CONDUCT.md (#2508)
  • 47be523 🐛 Retain tag when remediating unpinned docker images. (#2595)
  • b30bc79 🌱 Bump golang.org/x/tools from 0.4.0 to 0.5.0 (#2592)
  • 3e4dca5 🌱 Bump github.com/goreleaser/goreleaser in /tools (#2586)
  • 75adffe 🌱 Bump github.com/onsi/gomega from 1.24.1 to 1.24.2 (#2562)
  • 63ffde8 🌱 Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.7.0 (#2590)
  • bf516e1 🐛 Use leveled scoring for Code Review check (#2542)
  • ed9576c Update name of Branch Protection Rule (#2589)
  • 6ded57e 🌱 Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.7.0 in /tools (#2588)
  • 78d0903 🌱 Bump github.com/goreleaser/goreleaser in /tools (#2573)
  • be695d1 🐛 Add wasm files as binary artifacts (#2548)
  • a2bc29a 🌱 Bump actions/checkout from 3.2.0 to 3.3.0 (#2583)
  • 1d15e9c classic personal access tokens required (#2565)
  • 7c0edac 🌱 Bump nick-invision/retry from 2.8.2 to 2.8.3 (#2576)
  • 6ff06a3 🌱 Bump actions/setup-go from 3.3.1 to 3.5.0 (#2575)
  • 72d4e98 🌱 Bump tj-actions/changed-files from 35.1.0 to 35.2.0 (#2574)
  • cf3a43f 🌱 Bump ossf/scorecard-action from 2.1.1 to 2.1.2 (#2570)
  • 4d5cbb4 🐛 Fix Renovate bot typo (#2569)
  • 90cdd98 Disable scorecard on PRs (#2571)
  • 6bf19d5 🌱 Switch from paths-ignore to changed-files action to skip required checks. (#2566)
  • c6d7680 🌱 Bump github.com/xanzy/go-gitlab from 0.76.0 to 0.77.0 (#2563)
  • 7e64b36 🌱 Bump golang.org/x/tools from 0.3.0 to 0.4.0 (#2525)

Thanks for all contributors!

scorecard - v4.10.3

Published by github-actions[bot] over 1 year ago

Changelog

  • 9ad9757 Increase recordings, switch API, and lower tolerance
  • 8966abd Initial implementation of go-git client (#2720)
  • 603263c 🐛 Fix typo in CITests runtime errors causing duplicate Code-Review checks. (#2756)
  • c20ed9e 🌱 Update .github/workflows/goreleaser.yaml (#2755)
  • 0b45c90 🌱 Bump step-security/harden-runner from 2.2.0 to 2.2.1 (#2753)
  • 23bd295 🌱 Bump github/codeql-action from 2.2.4 to 2.2.6 (#2741)
  • fc026ef 🌱 Bump github.com/google/ko from 0.12.0 to 0.13.0 in /tools (#2742)
  • 2e04214 🌱 Bump tj-actions/changed-files from 35.6.2 to 35.7.0
  • e36b590 🌱 Bump actions/cache from 3.3.0 to 3.3.1 (#2740)
  • 6ff94eb 🐛 Handle editable pip installs (#2731)
  • 110e352 ✨ Gitlab support: RepoClient (#2655)
  • 5625dda 🌱 Bump github.com/onsi/ginkgo/v2 from 2.8.3 to 2.9.0 in /tools
  • d591e38 🌱 Add RepoClient re-use E2E tests. (#2625)
  • a7e81bb 🌱 Bump actions/cache from 3.2.6 to 3.3.0 (#2738)
  • b5254fe 🌱 Bump tj-actions/changed-files from 35.6.1 to 35.6.2 (#2736)
  • 2e6347f 🌱 Bump github.com/moby/buildkit from 0.10.3 to 0.11.4 (#2735)
  • 170af75 🐛 Updates osv-scanner dependency to 1.2.0. (#2704)
  • 5f13a66 Atomically load from accessState to avoid data race. (#2732)
  • 0c090b3 🌱 Updated the coverage for tests (#2728)
  • 0169c37 🌱 Setup cron for running as GitHub App (#2721)
  • d708c6c 🌱 Bump tj-actions/changed-files from 35.5.4 to 35.6.1
  • fb12a39 🌱 Bump github.com/google/ko in /tools
  • 0bed3da 🌱 Bump github.com/jszwec/csvutil from 1.7.1 to 1.8.0 (#2698)
  • 61866a0 🐛 Check OSS Fuzz build file for Fuzzing check (#2719)
  • c06ac74 🌱 Removed failing tests (#2718)
  • b8bc65f Add projects to cronjob (#2716)
  • def5ead 📖 update bigquery docs in README (#2714)
  • 36faeac Consider 'src/test' test directories (#2706)
  • 846fb19 Refactor githubrepo CheckRun logic (#2710)
  • 82a122b 🌱 Bump sigstore/cosign-installer from 2.8.1 to 3.0.1
  • c4bd0c5 ⚠️ Update date formats and fields to RFC3339 (#2712)
  • 8add330 📖 Fix links. (#2703)
  • 35a7dd5 🌱 Bump kubernetes-sigs/kubebuilder-release-tools
  • c7e362d 🌱 Bump step-security/harden-runner from 2.1.0 to 2.2.0
  • be8a437 🌱 Bump github.com/onsi/ginkgo/v2 from 2.8.1 to 2.8.3 in /tools (#2694)
  • 034add1 🌱 Bump k8s.io/client-go from 0.18.8 to 0.20.0
  • feb267a 🌱 Bump golang.org/x/net from 0.6.0 to 0.7.0 in /tools
  • 78069d8 Consider ko-build/setup-ko as a packaging workflow (#2692)
  • db6a26e 🌱 Bump actions/cache from 3.2.3 to 3.2.6
  • 24b779f 🌱 Bump mvdan.cc/sh/v3 from 3.5.1 to 3.6.0 (#2615)
  • 48813a3 🌱 Bump golang.org/x/net from 0.5.0 to 0.7.0 (#2680)
  • d334409 Add Azure Devops as valid CI system (#2662)
  • 047c014 🌱 Bump github/codeql-action from 2.2.3 to 2.2.4 (#2676)
  • 5e6a521 🌱 Update deps for fixing GHSA-r48q-9g5r-8q2h (#2675)
  • adb1ce3 🌱 add new github.com/intel repos (#2673)
  • 603cd92 🌱 Bump github.com/onsi/ginkgo/v2 from 2.7.0 to 2.8.1 in /tools (#2660)
  • 559b71b Invite @raghavkaul as maintainer (#2663)
  • 353e2c6 🌱 Bump tj-actions/changed-files from 35.5.0 to 35.5.4 (#2674)
  • c9f582b Limit integration tests to ones that work with the GITHUB_TOKEN. (#2672)
  • 7876a13 🌱 Temporarily skip OSS-Fuzz e2e test. (#2671)
  • 93900ac 🌱 Bump github/codeql-action from 2.2.0 to 2.2.3 (#2649)
  • 8115756 🌱 Bump peter-evans/find-comment from 2.1.0 to 2.2.1 (#2641)
  • ee8dd5d Image build pipeline (#2613)
  • d331f8e Fix typo (add s to ') (#2638)
  • ac008ec 🌱 Bump tj-actions/changed-files from 35.4.4 to 35.5.0 (#2635)
  • 0f33c37 📖 Update docs on how to run and debug locally (#2587)
  • 2ea140a ✨ Structured results for permissions (#2584)
  • 4ebe521 🌱 Bump github/codeql-action from 2.1.39 to 2.2.0 (#2618)
  • 1c6ab16 🌱 Bump github.com/go-git/go-git/v5 from 5.4.2 to 5.5.2 (#2600)
  • e6a900d Handle Docker URLs for GitHub actions workflows (#2594)
  • 3f372e9 🌱 Bump tj-actions/changed-files from 35.4.1 to 35.4.4
  • 99398db 🌱 Bump github/codeql-action from 2.1.38 to 2.1.39 (#2607)
  • 9385905 Revert "perf.: run integration tests only on approved PRs (#2609)" (#2612)
  • f25d010 🌱 Bump github.com/google/addlicense in /tools (#2608)
  • a29182d perf.: run integration tests only on approved PRs (#2609)
  • 6112c07 🌱 Bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#2539)
  • f1ca6d7 🌱 Bump actions/cache from 3.0.11 to 3.2.3 (#2599)
  • 9c49fbf 🌱 Bump step-security/harden-runner from 2.0.0 to 2.1.0 (#2604)
  • 1b5bdb4 🌱 Bump actions/upload-artifact from 3.1.1 to 3.1.2 (#2601)
  • 67daacc 🌱 Bump tj-actions/changed-files from 35.2.0 to 35.4.1 (#2598)
  • fc299e3 🌱 Bump actions/dependency-review-action from 3.0.2 to 3.0.3 (#2585)
  • 2704fc5 🌱 Bump github.com/xanzy/go-gitlab from 0.77.0 to 0.78.0 (#2591)
  • 4a9c774 🌱 Bump github/codeql-action from 2.1.36 to 2.1.38 (#2597)
  • 811bf75 Add correct contact to CODE_OF_CONDUCT.md (#2508)
  • 47be523 🐛 Retain tag when remediating unpinned docker images. (#2595)
  • b30bc79 🌱 Bump golang.org/x/tools from 0.4.0 to 0.5.0 (#2592)
  • 3e4dca5 🌱 Bump github.com/goreleaser/goreleaser in /tools (#2586)
  • 75adffe 🌱 Bump github.com/onsi/gomega from 1.24.1 to 1.24.2 (#2562)
  • 63ffde8 🌱 Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.7.0 (#2590)
  • bf516e1 🐛 Use leveled scoring for Code Review check (#2542)
  • ed9576c Update name of Branch Protection Rule (#2589)
  • 6ded57e 🌱 Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.7.0 in /tools (#2588)
  • 78d0903 🌱 Bump github.com/goreleaser/goreleaser in /tools (#2573)
  • be695d1 🐛 Add wasm files as binary artifacts (#2548)
  • a2bc29a 🌱 Bump actions/checkout from 3.2.0 to 3.3.0 (#2583)
  • 1d15e9c classic personal access tokens required (#2565)
  • 7c0edac 🌱 Bump nick-invision/retry from 2.8.2 to 2.8.3 (#2576)
  • 6ff06a3 🌱 Bump actions/setup-go from 3.3.1 to 3.5.0 (#2575)
  • 72d4e98 🌱 Bump tj-actions/changed-files from 35.1.0 to 35.2.0 (#2574)
  • cf3a43f 🌱 Bump ossf/scorecard-action from 2.1.1 to 2.1.2 (#2570)
  • 4d5cbb4 🐛 Fix Renovate bot typo (#2569)
  • 90cdd98 Disable scorecard on PRs (#2571)
  • 6bf19d5 🌱 Switch from paths-ignore to changed-files action to skip required checks. (#2566)
  • c6d7680 🌱 Bump github.com/xanzy/go-gitlab from 0.76.0 to 0.77.0 (#2563)
  • 7e64b36 🌱 Bump golang.org/x/tools from 0.3.0 to 0.4.0 (#2525)

Thanks for all contributors!

scorecard - v4.10.2

Published by spencerschrock almost 2 years ago

Full Changelog: https://github.com/ossf/scorecard/compare/v4.10.1...v4.10.2

scorecard - v4.10.1

Published by github-actions[bot] almost 2 years ago

Changelog

  • 6c5d964 🐛 Fix broken go mod download check (#2550)
  • a71b47e ✨ Add support for RequiresLastPushReview in Branch Protection for GitHub (#2492)
  • 746b6e9 🐛 Ensure CODEOWNERS file exists for corresponding Branch-Protection check (#2463)

Thanks for all contributors!

scorecard - v4.9.1

Published by github-actions[bot] almost 2 years ago

Changelog

  • 6c5d964 🐛 Fix broken go mod download check (#2550)
  • a71b47e ✨ Add support for RequiresLastPushReview in Branch Protection for GitHub (#2492)
  • 746b6e9 🐛 Ensure CODEOWNERS file exists for corresponding Branch-Protection check (#2463)

Thanks for all contributors!

scorecard - v4.10.0

Published by laurentsimon almost 2 years ago

Full Changelog: https://github.com/ossf/scorecard/compare/v4.8.0...v4.10.0

scorecard - v4.9.0

Published by laurentsimon almost 2 years ago

Full Changelog: https://github.com/ossf/scorecard/compare/v4.8.0...v4.9.0

scorecard - v4.8.0

Published by github-actions[bot] about 2 years ago

Changelog

  • c408592 Adjusted to max score with warning if job content are set to write (#2355)
  • 78c7e83 🌱 Bump golang.org/x/text from 0.3.7 to 0.3.8 (#2358)
  • b12b093 README formatting fix (#2356)
  • 36d6a34 Note that LGTM service is deprecated. (#2339)
  • 7f214bf 🌱 Bump actions/dependency-review-action from 2.4.0 to 2.4.1 (#2345)
  • 3eab4dd 📖 Clarifications about the pinned dependencies check (#2319)
  • 9b9006e Return unknown commit SHA for local repos. (#2342)
  • 83db8ba 🌱 Bump github/codeql-action from 2.1.26 to 2.1.27 (#2336)
  • 2b8ced3 🌱 Fixup: list GitHub check runs of MergeRequest.HeadSHA instead of Commit.SHA (#2333)
  • 53e9246 🌱 Migrate to go 1.19 (#2332)
  • 4e85d07 🌱 Bump github.com/goreleaser/goreleaser in /tools
  • 7992368 Remove line continuations in all run steps. (#2335)
  • 4b99a3a 📖 Create the Frequently Asked Questions Document (#2327)
  • ae75d43 🌱 Bump github.com/golangci/golangci-lint in /tools (#2331)
  • b4d97f9 🌱 Bump actions/checkout from 3.0.2 to 3.1.0 (#2324)
  • 2c16c8f 🌱 Bump actions/cache from 3.0.8 to 3.0.10 (#2322)
  • b491f40 🌱 Bump github/codeql-action from 2.1.24 to 2.1.26
  • 9b4a675 🌱 Bump step-security/harden-runner from 1.4.5 to 1.5.0 (#2316)
  • 29893ae 🌱 Split CI-Tests check into a raw and evaluation section (#2291)
  • 347c2a8 Add tests for getBucketSummary. (#2310)
  • ac55bf4 🐛 Prevent partial cron transfers caused by controller failures (#2308)
  • 01b69d2 Fix scoring issue with Code Review check (#2292)
  • 4693747 🌱 Bump sigstore/cosign-installer from 2.6.0 to 2.7.0 (#2300)
  • 37d873d 🌱 Bump actions/dependency-review-action from 2.2.0 to 2.4.0
  • d4b44e5 🌱 Remove check-osv (#2303)
  • c3a7921 fix arg typo (#2304)
  • a694cc9 Fix k8s yaml errors and document how to prevent them. (#2298)

Thanks for all contributors!

scorecard - v4.7.0

Published by github-actions[bot] about 2 years ago

Changelog

  • 7cd6406 Reduce build target radius (#2293)
  • a7a503a 🌱 cron: pass config as an argument to binaries (4/n) (#2279)
  • 97df43b 🌱 Reduce the number of PR's opened by dependabot (#2297)
  • 88e5ff7 Improve API limiting and cache (#2294)
  • f017e2e Fix typo which was causing index out of range panics (#2284)
  • 08c2ee5 Modify tool installation (#2288)
  • 0f87094 ✨ Gitlab support (#2265)
  • a6983ed Fix failing linters (#2281)
  • 7c24934 🌱 Fix cosign vulnerability (#2283)
  • a298132 🌱 Bump actions/dependency-review-action from 2.1.0 to 2.2.0 (#2282)
  • 9a9a1cb 🐛 Add fix for issue2277 (#2278)
  • d75dea8 🌱 Feature: Group commits into changesets (#2260)
  • 3629fd8 🌱 Bump github/codeql-action from 2.1.22 to 2.1.24
  • 9f67c4e 🌱 Invite @spencerschrock as maintainer (#2269)
  • 482a59e 🌱 Tests: Fix data race failures (#2262)
  • 2231d1f 🌱 cron: make CSV header optional (3/n) (#2261)
  • bde0ae1 🌱 cron: generalize config and create optional values for scorecard and criticality (2/n) (#2254)
  • 9e269b8 🌱 Feature: Add scorecard attestation policy module (#2240)
  • d6bef98 Wrap check errors with distinct error for scorecard-action to ignore. (#2250)
  • 856d2dd 🌱 Bump sigstore/cosign-installer from 2.5.1 to 2.6.0 (#2253)
  • d76ff0d ✨ setup-python not required by pypa/gh-action-pypi-publish (#2206)
  • 11657e4 📖 Remove trailing whitespace (#2241)
  • da785a2 Rename CII->OpenSSF Best Practices badge (#2239)
  • c665f27 🌱 cron: allow controller to read CSVs from cloud storage (1/n) (#2235)
  • 7c66ae8 🌱 Bump imjasonh/setup-ko from 0.5 to 0.6 (#2231)
  • ec15af5 🌱 Bump github/codeql-action from 2.1.21 to 2.1.22 (#2227)
  • dac68a4 🌱 Bump github.com/onsi/gomega from 1.20.1 to 1.20.2 (#2225)
  • bc5a1d6 Enable SAST check in cron by default (#2223)
  • f345807 Detect pyup as an automated dependency update tool (#2226)
  • d13ba3f 📖 Update instructions and other fixes in README (#2212)
  • 7a2c403 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.4 to 2.1.6 (#2220)
  • 3337b6c 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.4 to 2.1.6 in /tools (#2221)
  • 758cc39 Add k8s README (#2219)
  • 5ac9f39 🌱 Fix for empty repository (#2207)
  • 33ab335 🌱 Bump github.com/onsi/gomega from 1.20.0 to 1.20.1
  • 621449f ✨ Add CODEOWNERS branch protection check (#2057)
  • 6fc08e7 Allow contents: write for Token-Permissions when doing mvn release (#2202)
  • a8e9050 ✨ Optimize SAST check (#2191)
  • 11ff78e Deduplicate projects by excluding URL fragments (#2201)
  • b40efd2 🌱 Bump cloud.google.com/go/bigquery from 1.38.0 to 1.39.0
  • 9460030 Make the Scalable Scorecards document public. (#2199)
  • fb630a8 🌱 Bump github/codeql-action from 2.1.20 to 2.1.21 (#2200)
  • 64daafb 🌱 Bump cloud.google.com/go/pubsub from 1.24.0 to 1.25.1 (#2197)
  • 32d6ba2 🌱 Bump actions/setup-go from 3.2.1 to 3.3.0 (#2194)
  • 8b3793a 🌱 Bump github/codeql-action from 2.1.19 to 2.1.20 (#2187)
  • 86aa297 🌱 Bump github.com/caarlos0/env/v6 from 6.9.3 to 6.10.0 (#2188)
  • e2813b8 🌱 Bump actions/cache from 3.0.7 to 3.0.8 (#2184)
  • a4d2c01 🌱 Bump distroless/base from 49d2923 to 533c15e (#2185)
  • af2ee3d 🌱 Bump github/codeql-action from 1.0.0 to 2.1.19 (#2178)
  • 77fa781 Check for security policies in RST format at toplevel and .github as well. (#2180)
  • 2920b32 ✨ Improved license check (#2179)
  • 25fd14d 🌱 Bump actions/dependency-review-action from 2.0.4 to 2.1.0 (#2176)
  • 4a15760 Don't error on workflow parse failure in Binary-Artifacts (#2170)

Thanks for all contributors!

scorecard - v4.6.0

Published by laurentsimon about 2 years ago

Full Changelog: https://github.com/ossf/scorecard/compare/v4.5.0...v4.6.0

scorecard - v4.5.0

Published by github-actions[bot] about 2 years ago

Changelog

  • 69eb1cc Fix a bug in cron API data exporting (#2112)
  • 89163cc 🌱 Bump google.golang.org/protobuf from 1.28.0 to 1.28.1
  • 6813ed1 🌱 Bump google.golang.org/protobuf in /tools (#2110)
  • 1e0e44a 🐛 Bug fixing: recurring results of the scorecard fuzzing check for go built-in fuzzers (#2101)
  • 8118e5d 🌱 Bump golang.org/x/tools from 0.1.11 to 0.1.12
  • 384c79d 🌱 Bump actions/stale from 5.1.0 to 5.1.1 (#2106)
  • 5fa7596 Scorecard runs fail with any unrecognized steps (#2103)
  • d7cb711 Fix bug in Scorecard analysis CI (#2099)
  • c581062 Enable Scorecard badge (#2097)
  • 4f30e02 🌱 Bump sigstore/cosign-installer from 2.4.1 to 2.5.0
  • baedf84 🌱 Bump imjasonh/setup-ko from 0.4 to 0.5 (#2096)
  • 93a0206 📖 Minor typos and copy-editing to checks/write.md (#2071)
  • 66708ba ✨ Feature: Dependency-diff ecosystem naming convention mapping (GitHub -> OSV) (#2088)
  • 8f96d6b 🌱 Bump crazy-max/ghaction-import-gpg from 5.0.0 to 5.1.0 (#2091)
  • d77f59f 🌱 Bump sigstore/cosign-installer from 1.2.1 to 2.4.1 (#2021)
  • b945eb3 🌱 Bump cloud.google.com/go/bigquery from 1.35.0 to 1.36.0
  • 96835aa 🌱 Bump actions/stale from 5.0.0 to 5.1.0
  • 1e3f325 🌱 Bump cloud.google.com/go/pubsub from 1.23.1 to 1.24.0
  • e23ee84 ✨ Export Scorecards results for API (#2081)
  • 30e3f64 ✨ Feature: Dependency-diff API optimize: var re-naming, removing unused JSON tags (#2090)
  • 0e4f5db remove not used workflow (#2089)
  • 7737dbd 🌱 Bump github.com/google/go-containerregistry
  • c15a2e6 🌱 Bump github.com/onsi/gomega from 1.19.0 to 1.20.0
  • 7c91203 🌱 Naveen Company updated. (#2082)
  • 096cbd0 ✨ Use crane to add hash suggestion to unpinned Docker images (#2037)
  • a905d66 fix: invalid documentation link (#2073)
  • 4bd1692 🐛 Bug fixing: Using the wrong URI to initialize the repo in Dependencydiff (#2072)
  • 10681da ✨ Feature DependencyDiff (Version 0 Part 2) (#2046)
  • dd8fbc0 ✨ Binary artifact exception for gradle-wrapper.jar when using validation action (#2039)
  • f1b182a 🌱 Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 (#1998)
  • 4394ac9 🌱 Bump github.com/bradleyfalzon/ghinstallation/v2
  • 59c06f0 🌱 Bump ossf/scorecard-action from 1.1.0 to 1.1.2
  • a3de23c 🌱 Bump github.com/google/go-containerregistry (#2003)
  • 7c9bb1c 🌱 Bump distroless/base from d65ac1a to e672eb7 (#1994)
  • 838f62f ✨ Add raw results for Token-Permissions (#1912)
  • 2b8c7b4 🌱 Bump github.com/jszwec/csvutil from 1.7.0 to 1.7.1 (#2013)
  • e1c3ab0 🌱 Bump cloud.google.com/go/bigquery from 1.34.1 to 1.35.0 (#2034)
  • 4ff5b2b 🌱 Bump actions/cache from 3.0.4 to 3.0.5 (#2049)
  • 287ee7d 🌱 Bump actions/dependency-review-action from 2.0.2 to 2.0.4 (#2054)
  • f61ed37 🌱 Adjust 'exhaustive' linter to consider 'default' as exhaustive (#2044)
  • 5d9d75b 🌱 Bump gopkg.in/yaml.v3 from 3.0.0 to 3.0.1 (#2035)
  • 6b8cfb2 🌱 Bump golang.org/x/tools from 0.1.10 to 0.1.11 (#1993)
  • 220c49d 🌱 Bump actions/setup-go from 3.2.0 to 3.2.1 (#2040)
  • 63e40ae Add a number of new projects to scan. (#2043)
  • 0af8781 1 (#2031)
  • dd780a5 ✨ Feature DependencyDiff CLI (Version 0 Part 1) (#2030)
  • e608741 🌱 Bump step-security/harden-runner from 1.4.3 to 1.4.4
  • 90ed090 🌱 Build/test fixes: Install protoc and protoc-gen-go (#2038)
  • 9fecf63 🌱 Bump github.com/rhysd/actionlint from 1.6.13 to 1.6.15 (#2012)
  • 48291a3 Use the proper repo for lombok. (#2029)
  • f3e21fa 🌱 Bump actions/cache from 3.0.3 to 3.0.4 (#1988)
  • f1dfbcb 🌱 Bump actions/dependency-review-action from 1.0.2 to 2.0.2
  • 6a84f97 🌱 Bump cloud.google.com/go/bigquery from 1.32.0 to 1.34.1 (#2006)
  • bc12ba6 🌱 Workaround for Protoc failures in GH Actions (#2025)
  • 3430f78 small fixes (#2015)
  • e7faa8f Fix broken link (#2004)
  • 445d7ba Fix bug in docker run scorecard version (#1991)
  • 2fb4093 🌱 Bump cloud.google.com/go/pubsub from 1.21.1 to 1.23.1 (#2014)
  • 3957460 update (#2011)
  • 6a032a3 ✨ Check for Mach-O binaries in Binary Artifacts (#2000)

Thanks for all contributors!

scorecard - v4.4.0

Published by laurentsimon over 2 years ago

Full Changelog: https://github.com/ossf/scorecard/compare/v4.3.1...v4.4.0

scorecard - v4.3.1

Published by laurentsimon over 2 years ago