Releases: ossf/scorecard
Releases · ossf/scorecard
v4.10.1
v4.10.1
This tag was signed with the committer’s verified signature.
naveensrinivasan
Naveen
v4.9.1
v4.9.1
This tag was signed with the committer’s verified signature.
naveensrinivasan
Naveen
v4.10.0
What's Changed
Check improvements
- ✨ Removed job-level permissions check for actions and packages by @eddie-knight in #2367
- ✨ Add Sonatype Lift as a dependency update tool, doc upgrade by @theresa-m in #2328
⚠️ OSV scanner integration by @another-rex in #2509
Cron improvements
- 🌱 Add soft mem limit to controller k8s spec by @spencerschrock in #2362
- 🌱 cron: generalize and expose worker (6/n) by @spencerschrock in #2317
- 🐛 Fix typo which prevented cron metadata from going to BigQuery dataset by @spencerschrock in #2370
- 🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents by @calebbrown in #2454
CLI
- ✨ Commit depth feature by @latortuga71 in #2407
Documentation
- 📖 Use scorecard (singular) consistently by @lehors in #2428
- 📖 Use new project name in Copyright notices by @lehors in #2505
- 📖 Fix copyright notices by @lehors in #2514
- 📖 Mention 2FA relevance although not checked by Scorecard by @joycebrum in #2528
- 📖 Clarify CII-Best-Practices score for each badge by @hugovk in #2313
BinAuthZ support (WIP)
- ✨ CLI for scorecard-attestor by @raghavkaul in #2309
- 🌱 Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor by @raghavkaul in
- 🌱 attestor: Dockerize + small improvements for Cloud Build usage by @raghavkaul in #2456
- 🌱 attestor: e2e tests by @raghavkaul in #2529
GitLab support (WIP)
New Contributors
- @theresa-m made their first contribution in #2328
- @dvbnrg made their first contribution in #2366
- @hugovk made their first contribution in #2313
- @gabibguti made their first contribution in #2384
- @shissam made their first contribution in #2195
- @favonia made their first contribution in #2447
- @latortuga71 made their first contribution in #2407
- @balhar-jakub made their first contribution in #2488
- @another-rex made their first contribution in #2509
Full Changelog: v4.8.0...v4.10.0
Contributors
calebbrown, hugovk, and 14 other contributors
Assets 11
v4.9.0
What's Changed
Check improvements
- ✨ Removed job-level permissions check for actions and packages by @eddie-knight in #2367
- ✨ Add Sonatype Lift as a dependency update tool, doc upgrade by @theresa-m in #2328
⚠️ OSV scanner integration by @another-rex in #2509
Cron improvements
- 🌱 Add soft mem limit to controller k8s spec by @spencerschrock in #2362
- 🌱 cron: generalize and expose worker (6/n) by @spencerschrock in #2317
- 🐛 Fix typo which prevented cron metadata from going to BigQuery dataset by @spencerschrock in #2370
- 🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents by @calebbrown in #2454
CLI
- ✨ Commit depth feature by @latortuga71 in #2407
Documentation
- 📖 Use scorecard (singular) consistently by @lehors in #2428
- 📖 Use new project name in Copyright notices by @lehors in #2505
- 📖 Fix copyright notices by @lehors in #2514
- 📖 Mention 2FA relevance although not checked by Scorecard by @joycebrum in #2528
- 📖 Clarify CII-Best-Practices score for each badge by @hugovk in #2313
BinAuthZ support (WIP)
- ✨ CLI for scorecard-attestor by @raghavkaul in #2309
- 🌱 Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor by @raghavkaul in
- 🌱 attestor: Dockerize + small improvements for Cloud Build usage by @raghavkaul in #2456
- 🌱 attestor: e2e tests by @raghavkaul in #2529
GitLab support (WIP)
New Contributors
- @theresa-m made their first contribution in #2328
- @dvbnrg made their first contribution in #2366
- @hugovk made their first contribution in #2313
- @gabibguti made their first contribution in #2384
- @shissam made their first contribution in #2195
- @favonia made their first contribution in #2447
- @latortuga71 made their first contribution in #2407
- @balhar-jakub made their first contribution in #2488
- @another-rex made their first contribution in #2509
Full Changelog: v4.8.0...v4.9.0
Contributors
calebbrown, hugovk, and 14 other contributors
Assets 2
v4.8.0
v4.8.0
This tag was signed with the committer’s verified signature.
naveensrinivasan
Naveen
Changelog
- c408592 Adjusted to max score with warning if job content are set to write (#2355)
- 78c7e83 🌱 Bump golang.org/x/text from 0.3.7 to 0.3.8 (#2358)
- b12b093 README formatting fix (#2356)
- 36d6a34 Note that LGTM service is deprecated. (#2339)
- 7f214bf 🌱 Bump actions/dependency-review-action from 2.4.0 to 2.4.1 (#2345)
- 3eab4dd 📖 Clarifications about the pinned dependencies check (#2319)
- 9b9006e Return unknown commit SHA for local repos. (#2342)
- 83db8ba 🌱 Bump github/codeql-action from 2.1.26 to 2.1.27 (#2336)
- 2b8ced3 🌱 Fixup: list GitHub check runs of MergeRequest.HeadSHA instead of Commit.SHA (#2333)
- 53e9246 🌱 Migrate to go 1.19 (#2332)
- 4e85d07 🌱 Bump github.com/goreleaser/goreleaser in /tools
- 7992368 Remove line continuations in all run steps. (#2335)
- 4b99a3a 📖 Create the Frequently Asked Questions Document (#2327)
- ae75d43 🌱 Bump github.com/golangci/golangci-lint in /tools (#2331)
- b4d97f9 🌱 Bump actions/checkout from 3.0.2 to 3.1.0 (#2324)
- 2c16c8f 🌱 Bump actions/cache from 3.0.8 to 3.0.10 (#2322)
- b491f40 🌱 Bump github/codeql-action from 2.1.24 to 2.1.26
- 9b4a675 🌱 Bump step-security/harden-runner from 1.4.5 to 1.5.0 (#2316)
- 29893ae 🌱 Split CI-Tests check into a raw and evaluation section (#2291)
- 347c2a8 Add tests for getBucketSummary. (#2310)
- ac55bf4 🐛 Prevent partial cron transfers caused by controller failures (#2308)
- 01b69d2 Fix scoring issue with Code Review check (#2292)
- 4693747 🌱 Bump sigstore/cosign-installer from 2.6.0 to 2.7.0 (#2300)
- 37d873d 🌱 Bump actions/dependency-review-action from 2.2.0 to 2.4.0
- d4b44e5 🌱 Remove check-osv (#2303)
- c3a7921 fix arg typo (#2304)
- a694cc9 Fix k8s yaml errors and document how to prevent them. (#2298)
Thanks for all contributors!
v4.7.0
v4.7.0
This tag was signed with the committer’s verified signature.
naveensrinivasan
Naveen
Changelog
- 7cd6406 Reduce build target radius (#2293)
- a7a503a 🌱 cron: pass config as an argument to binaries (4/n) (#2279)
- 97df43b 🌱 Reduce the number of PR's opened by dependabot (#2297)
- 88e5ff7 Improve API limiting and cache (#2294)
- f017e2e Fix typo which was causing index out of range panics (#2284)
- 08c2ee5 Modify tool installation (#2288)
- 0f87094 ✨ Gitlab support (#2265)
- a6983ed Fix failing linters (#2281)
- 7c24934 🌱 Fix cosign vulnerability (#2283)
- a298132 🌱 Bump actions/dependency-review-action from 2.1.0 to 2.2.0 (#2282)
- 9a9a1cb 🐛 Add fix for issue2277 (#2278)
- d75dea8 🌱 Feature: Group commits into changesets (#2260)
- 3629fd8 🌱 Bump github/codeql-action from 2.1.22 to 2.1.24
- 9f67c4e 🌱 Invite @spencerschrock as maintainer (#2269)
- 482a59e 🌱 Tests: Fix data race failures (#2262)
- 2231d1f 🌱 cron: make CSV header optional (3/n) (#2261)
- bde0ae1 🌱 cron: generalize config and create optional values for scorecard and criticality (2/n) (#2254)
- 9e269b8 🌱 Feature: Add scorecard attestation policy module (#2240)
- d6bef98 Wrap check errors with distinct error for scorecard-action to ignore. (#2250)
- 856d2dd 🌱 Bump sigstore/cosign-installer from 2.5.1 to 2.6.0 (#2253)
- d76ff0d ✨ setup-python not required by pypa/gh-action-pypi-publish (#2206)
- 11657e4 📖 Remove trailing whitespace (#2241)
- da785a2 Rename CII->OpenSSF Best Practices badge (#2239)
- c665f27 🌱 cron: allow controller to read CSVs from cloud storage (1/n) (#2235)
- 7c66ae8 🌱 Bump imjasonh/setup-ko from 0.5 to 0.6 (#2231)
- ec15af5 🌱 Bump github/codeql-action from 2.1.21 to 2.1.22 (#2227)
- dac68a4 🌱 Bump github.com/onsi/gomega from 1.20.1 to 1.20.2 (#2225)
- bc5a1d6 Enable SAST check in cron by default (#2223)
- f345807 Detect pyup as an automated dependency update tool (#2226)
- d13ba3f 📖 Update instructions and other fixes in README (#2212)
- 7a2c403 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.4 to 2.1.6 (#2220)
- 3337b6c 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.4 to 2.1.6 in /tools (#2221)
- 758cc39 Add k8s README (#2219)
- 5ac9f39 🌱 Fix for empty repository (#2207)
- 33ab335 🌱 Bump github.com/onsi/gomega from 1.20.0 to 1.20.1
- 621449f ✨ Add CODEOWNERS branch protection check (#2057)
- 6fc08e7 Allow contents: write for Token-Permissions when doing mvn release (#2202)
- a8e9050 ✨ Optimize SAST check (#2191)
- 11ff78e Deduplicate projects by excluding URL fragments (#2201)
- b40efd2 🌱 Bump cloud.google.com/go/bigquery from 1.38.0 to 1.39.0
- 9460030 Make the Scalable Scorecards document public. (#2199)
- fb630a8 🌱 Bump github/codeql-action from 2.1.20 to 2.1.21 (#2200)
- 64daafb 🌱 Bump cloud.google.com/go/pubsub from 1.24.0 to 1.25.1 (#2197)
- 32d6ba2 🌱 Bump actions/setup-go from 3.2.1 to 3.3.0 (#2194)
- 8b3793a 🌱 Bump github/codeql-action from 2.1.19 to 2.1.20 (#2187)
- 86aa297 🌱 Bump github.com/caarlos0/env/v6 from 6.9.3 to 6.10.0 (#2188)
- e2813b8 🌱 Bump actions/cache from 3.0.7 to 3.0.8 (#2184)
- a4d2c01 🌱 Bump distroless/base from
49d2923to533c15e(#2185) - af2ee3d 🌱 Bump github/codeql-action from 1.0.0 to 2.1.19 (#2178)
- 77fa781 Check for security polices in RST format at toplevel and .github as well. (#2180)
- 2920b32 ✨ Improved license check (#2179)
- 25fd14d 🌱 Bump actions/dependency-review-action from 2.0.4 to 2.1.0 (#2176)
- 4a15760 Don't error on workflow parse failure in Binary-Artifacts (#2170)
Thanks for all contributors!
Contributors
spencerschrock
Assets 15
v4.6.0
What's Changed
- ✨ Enhancement: adding new entries for GH actions & Pub as ecosystems, typo fixes by @aidenwang9867 in #2109
- feat: Add pom.xml support for sonarype SAST by @laurentsimon in #2114
- ✨ Enhancement: Dependency-diff API optimization - changing the input param changeType from a map to an array by @aidenwang9867 in #2111
- 🌱 Bump gocloud.dev from 0.25.0 to 0.26.0 by @dependabot in #2121
- 🌱 Bump nick-invision/retry from 2.6.0 to 2.8.0 by @dependabot in #2122
- 📖 Include an example query for the public BigQuery dataset by @spencerschrock in #2123
- 🌱 Bump actions/cache from 3.0.5 to 3.0.6 by @dependabot in #2127
- 🌱 Bump cloud.google.com/go/bigquery from 1.36.0 to 1.37.0 by @dependabot in #2126
- 🌱 Bump nick-invision/retry from 2.8.0 to 2.8.1 by @dependabot in #2130
- 🌱 github actions cleanup and set to get the latest go available by @cpanato in #2135
- 🌱 Limit access to registered checks by @spencerschrock in #2134
- ✨ support for SLSA provenance in Signed-Release by @laurentsimon in #2131
- ✨ Feature: Improve Dependabot detection through PRs by @qequ in #2125
- ✨ Support OneFuzz in fuzzing checks by @balteravishay in #2141
- 🐛 Fix bug 2051 by @varunsh-coder in #2140
- 🌱 Bump actions/cache from 3.0.6 to 3.0.7 by @dependabot in #2139
- ✨ Favor SLSA provenance over plain signature in Signed-Release by @laurentsimon in #2144
- 🌱 Bump step-security/harden-runner from 1.4.4 to 1.4.5 by @dependabot in #2148
- ✨ Scorecard returns a non-zero exit code if any check has a runtime error by @spencerschrock in #2133
- 🌱 Bump cloud.google.com/go/bigquery from 1.37.0 to 1.38.0 by @dependabot in #2149
- 🐛 Add scorecard-action to the security-events allowlist in Token Permissions check by @spencerschrock in #2153
- 🐛 Remove duplicate projects with different casings by @azeemshaikh38 in #2155
- 🐛 Detect recently created Github repositories by @raghavkaul in #2151
- ✨ Unflag the
--commitoption by @azeemshaikh38 in #2156 - Use generic generator for SLSA by @laurentsimon in #2146
- 🌱 Upgrade to go 1.18 by @naveensrinivasan in #2143
- 🌱 Bump sigstore/cosign-installer from 2.5.0 to 2.5.1 by @dependabot in #2167
- 🐛 Fix remediation text when Scorecard is run multiple times within a program by @spencerschrock in #2168
- 🌱 Update scorecard-action to v2:alpha by @azeemshaikh38 in #2171
- ✨ Use sha256 for release hashes by @laurentsimon in #2172
New Contributors
- @qequ made their first contribution in #2125
- @balteravishay made their first contribution in #2141
Full Changelog: v4.5.0...v4.6.0
Contributors
naveensrinivasan, cpanato, and 9 other contributors
Assets 15
v4.5.0
v4.5.0
This tag was signed with the committer’s verified signature.
naveensrinivasan
Naveen
Changelog
- 69eb1cc Fix a bug in cron API data exporting (#2112)
- 89163cc 🌱 Bump google.golang.org/protobuf from 1.28.0 to 1.28.1
- 6813ed1 🌱 Bump google.golang.org/protobuf in /tools (#2110)
- 1e0e44a 🐛 Bug fixing: recurring results of the scorecard fuzzing check for go built-in fuzzers (#2101)
- 8118e5d 🌱 Bump golang.org/x/tools from 0.1.11 to 0.1.12
- 384c79d 🌱 Bump actions/stale from 5.1.0 to 5.1.1 (#2106)
- 5fa7596 Scorecard runs fail with any unrecognized steps (#2103)
- d7cb711 Fix bug in Scorecard analysis CI (#2099)
- c581062 Enable Scorecard badge (#2097)
- 4f30e02 🌱 Bump sigstore/cosign-installer from 2.4.1 to 2.5.0
- baedf84 🌱 Bump imjasonh/setup-ko from 0.4 to 0.5 (#2096)
- 93a0206 📖 Minor typos and copy-editing to checks/write.md (#2071)
- 66708ba ✨ Feature: Dependency-diff ecosystem naming convention mapping (GitHub -> OSV) (#2088)
- 8f96d6b 🌱 Bump crazy-max/ghaction-import-gpg from 5.0.0 to 5.1.0 (#2091)
- d77f59f 🌱 Bump sigstore/cosign-installer from 1.2.1 to 2.4.1 (#2021)
- b945eb3 🌱 Bump cloud.google.com/go/bigquery from 1.35.0 to 1.36.0
- 96835aa 🌱 Bump actions/stale from 5.0.0 to 5.1.0
- 1e3f325 🌱 Bump cloud.google.com/go/pubsub from 1.23.1 to 1.24.0
- e23ee84 ✨ Export Scorecards results for API (#2081)
- 30e3f64 ✨ Feature: Dependency-diff API optimize: var re-naming, removing unused JSON tags (#2090)
- 0e4f5db remove not used workflow (#2089)
- 7737dbd 🌱 Bump github.com/google/go-containerregistry
- c15a2e6 🌱 Bump github.com/onsi/gomega from 1.19.0 to 1.20.0
- 7c91203 🌱 Naveen Company updated. (#2082)
- 096cbd0 ✨ Use crane to add hash suggestion to unpinned Docker images (#2037)
- a905d66 fix: invalid documentation link (#2073)
- 4bd1692 🐛 Bug fixing: Using the wrong URI to initialize the repo in Dependencydiff (#2072)
- 10681da ✨ Feature DependencyDiff (Version 0 Part 2) (#2046)
- dd8fbc0 ✨ Binary artifact exception for gradle-wrapper.jar when using validation action (#2039)
- f1b182a 🌱 Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 (#1998)
- 4394ac9 🌱 Bump github.com/bradleyfalzon/ghinstallation/v2
- 59c06f0 🌱 Bump ossf/scorecard-action from 1.1.0 to 1.1.2
- a3de23c 🌱 Bump github.com/google/go-containerregistry (#2003)
- 7c9bb1c 🌱 Bump distroless/base from
d65ac1atoe672eb7(#1994) - 838f62f ✨ Add raw results for Token-Permissions (#1912)
- 2b8c7b4 🌱 Bump github.com/jszwec/csvutil from 1.7.0 to 1.7.1 (#2013)
- e1c3ab0 🌱 Bump cloud.google.com/go/bigquery from 1.34.1 to 1.35.0 (#2034)
- 4ff5b2b 🌱 Bump actions/cache from 3.0.4 to 3.0.5 (#2049)
- 287ee7d 🌱 Bump actions/dependency-review-action from 2.0.2 to 2.0.4 (#2054)
- f61ed37 🌱 Adjust 'exhaustive' linter to consider 'default' as exhaustive (#2044)
- 5d9d75b 🌱 Bump gopkg.in/yaml.v3 from 3.0.0 to 3.0.1 (#2035)
- 6b8cfb2 🌱 Bump golang.org/x/tools from 0.1.10 to 0.1.11 (#1993)
- 220c49d 🌱 Bump actions/setup-go from 3.2.0 to 3.2.1 (#2040)
- 63e40ae Add a number of new projects to scan. (#2043)
- 0af8781 1 (#2031)
- dd780a5 ✨ Feature DependencyDiff CLI (Version 0 Part 1) (#2030)
- e608741 🌱 Bump step-security/harden-runner from 1.4.3 to 1.4.4
- 90ed090 🌱 Build/test fixes: Install protoc and protoc-gen-go (#2038)
- 9fecf63 🌱 Bump github.com/rhysd/actionlint from 1.6.13 to 1.6.15 (#2012)
- 48291a3 Use the proper repo for lombok. (#2029)
- f3e21fa 🌱 Bump actions/cache from 3.0.3 to 3.0.4 (#1988)
- f1dfbcb 🌱 Bump actions/dependency-review-action from 1.0.2 to 2.0.2
- 6a84f97 🌱 Bump cloud.google.com/go/bigquery from 1.32.0 to 1.34.1 (#2006)
- bc12ba6 🌱 Workaround for Protoc failures in GH Actions (#2025)
- 3430f78 small fixes (#2015)
- e7faa8f Fix broken link (#2004)
- 445d7ba Fix bug in
docker run scorecard version(#1991) - 2fb4093 🌱 Bump cloud.google.com/go/pubsub from 1.21.1 to 1.23.1 (#2014)
- 3957460 update (#2011)
- 6a032a3 ✨ Check for Mach-O binaries in Binary Artifacts (#2000)
Thanks for all contributors!
v4.4.0
What's Changed
- 🌱 Bump github.com/caarlos0/env/v6 from 6.9.2 to 6.9.3 by @dependabot in #1973
- 🌱 Bump actions/cache from 3.0.2 to 3.0.3 by @dependabot in #1974
- 🌱 Signing scorecard images using cosign by @naveensrinivasan in #1970
- 🌱 Included Stargazers over time by @naveensrinivasan in #1971
- 🌱 Replace
clients.Contributorwithclients.Userby @azeemshaikh38 in #1957 - ✨ Raw results for Packaging check by @laurentsimon in #1913
- ✨ Silence scorecard warning by @laurentsimon in #1977
- ✨ Raw results for Pinned-Dependencies by @laurentsimon in #1932
- 📖 Fix cron related documentation by @lehors in #1986
- ✨ SLSA provenance/build by @laurentsimon in #1702
- ✨ Support user-defined fuzz functions (GoLang) in fuzzing check by @aidenwang9867 in #1979
- ✨ Add Language struct and optimize result parsing for GHClient.ListProgrammingLanguages by @aidenwang9867 in #1992
Full Changelog: v4.3.1...v4.4.0
Contributors
naveensrinivasan, azeemshaikh38, and 4 other contributors
Assets 14
v4.3.1
What's Changed
Fix ossf/scorecard-action#323 via #1947
New Contributors
- @aidenwang9867 made their first contribution in #1939
Full Changelog: v4.3.0...v4.3.1
Contributors
aidenwang9867