Releases: ossf/scorecard

v4.3.0

23 May 16:52

Changelog

  • 6406cfd 🌱 Bump actions/setup-go from 3.0.0 to 3.1.0
  • 236b296 Do not fail on empty repositories (#1914)
  • b1ab7eb ✨ Update raw format for Dangerous workflows (#1865)
  • cd04704 📖 Fixes description for webhook check (#1882)
  • 0275a94 :warn: Remove the old Details field from CheckResult (#1906)
  • b9f333b ⚠️ Remove the pass from the CheckResult
  • f048164 🌱 Bump github.com/caarlos0/env/v6 from 6.9.1 to 6.9.2
  • 74f521f 🌱 Bump mvdan.cc/sh/v3 from 3.4.3 to 3.5.0
  • 2b35afc 🌱 Bump github.com/golangci/golangci-lint in /tools
  • 0f30f4e ✨ Make permission check aware of GH Pages Action (#1902)
  • 2fc6fbb 🌱 Bump cloud.google.com/go/bigquery from 1.31.0 to 1.32.0
  • 804127f Upgrade to buildkit 0.10.3
  • c5d787a pkg: refactor out scorecard_version
  • 62e3de5 🐛 Remove Options that belong to the Action (#1898)
  • 7ff4b7e ⚠️ Removing the confidence field from CheckResult struct (#1896)
  • 6d79817 📖 Fix command Usage (#1814)
  • 815de18 📖 Remove erroneous ref to CSV output (#1813)
  • 5758364 Fix bug in Scorecard tag Docker image creation (#1890)
  • 8c97d46 ✨ Add custom remediation for workflow permissions/pinned dependencies (#1885)
  • 22694dc Support commits reviewed through Piper (#1889)
  • 9a7d030 ✨ Added additional github repositories in projects.csv (#1886)
  • 72086c9 ✨ Add support for Phabricator as a code review system (#1884)
  • f779fb8 🌱 Bump cloud.google.com/go/pubsub from 1.21.0 to 1.21.1
  • 74ea0f4 🐛 Fix .lib false positives in binary artifacts (#1879)
  • 2cb6541 ⚠️ Removing the pass field from result (#1853)
  • 875b6f6 🐛 Ignore shell parsing errors when reporting results (#1878)
  • e97bf30 🌱 Bump step-security/harden-runner from 1.4.2 to 1.4.3
  • 815de5c Propagate error in log (#1875)
  • 2b68f38 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.3 to 2.1.4
  • 3a9f011 🌱 Bump github.com/google/go-cmp from 0.5.7 to 0.5.8
  • a598b2a 🌱 Bump cloud.google.com/go/pubsub from 1.20.0 to 1.21.0
  • ac14ce7 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.3 to 2.1.4 in /tools
  • 05d8c01 🐛 Don't look for secrets in pull_request (#1864)
  • b304306 ✨ Add token needed for checks in README (#1854)
  • ac88460 ✨ Raw results for best practices badge (#1795)
  • fe6e091 ✨ Support for detecting choco installer without required hash (#1810)
  • 5d8a277 🌱 Bump crazy-max/ghaction-import-gpg from 4.3.0 to 4.4.0
  • dbaba8a 🌱 Bump step-security/harden-runner from 1.4.1 to 1.4.2

Thanks to all contributors!

v4.2.0

06 May 17:44
44ad5f5

Changelog

  • 44ad5f5 ⚠️ Removing the error field from result (#1853)
  • 1f3861b Update env variables in cron (#1858)
  • ee1086e 🌱 Bump codecov/codecov-action from 3.0.0 to 3.1.0
  • 64bf903 🌱 Bump actions/checkout from 3.0.1 to 3.0.2
  • 4622952 ✨ Raw results for dangerous workflow (#1849)
  • 72e2486 🌱 Bump contrib.go.opencensus.io/exporter/stackdriver
  • 6ed6c9b 🌱 Publish images with ko
  • f99e1a1 ✨ Schema for BQ table for raw results (#1762)
  • 9532e55 🌱 Bump github.com/rhysd/actionlint from 1.6.11 to 1.6.12
  • 6c59ff9 🌱 Bump actions/checkout from 3.0.0 to 3.0.1
  • ebf0d10 🌱 Bump cloud.google.com/go/bigquery from 1.30.2 to 1.31.0
  • 4d1c531 ✨ Raw results for license (#1790)
  • c0e41f3 Update branches_e2e_test.go (#1838)
  • 410a145 fix (#1837)
  • b00b316 Split NewLogger into two so we can use a custom logrus instance.
  • 9120285 Fix e2e branch (#1835)
  • eedd16d linter
  • 6a48f17 fix
  • 4b2c677 fix
  • 2873c0d e2e for GITHUB_TOKEN
  • a46313c 🌱 Bump cloud.google.com/go/pubsub from 1.19.0 to 1.20.0
  • fb0c0e1 🌱 Bump actions/cache from 3.0.1 to 3.0.2
  • f9c2f9d 🌱 Dependency review action
  • 333618d Security-Policy should not run on --local (#1825)
  • 4df16f3 🌱 Bump codecov/codecov-action from 2.1.0 to 3
  • b6575a2 🌱 Bump github.com/rhysd/actionlint from 1.6.10 to 1.6.11
  • 8bc0fe5 🌱 Bump contrib.go.opencensus.io/exporter/stackdriver
  • a1e908b Support Security-Policy with --local (#1822)
  • 5860896 detect workflow_run as a dangerous trigger
  • 606f28a 🌱 Bump sigs.k8s.io/release-utils from 0.5.0 to 0.6.0
  • 8113336 🌱 e2e for pinned_dependencies for localrepoclient
  • b6b5592 🌱 e2e for dangerous_workflow local repo
  • 761bb4e 🌱 Fixes the golang version
  • b42a175 🌱 Bump gocloud.dev from 0.24.0 to 0.25.0
  • 648b663 🌱 Experimental option for codeql
  • 27dbf9c ✨ Raw results for Signed-Release check (#1789)
  • e8c633a 🌱 e2e tests for security policy localrepo
  • e5f5deb 🌱 e2e tests for local repoclient for permissions
  • ab9769a 🌱 Fix protoc build failures
  • 99ecdea 🌱 Bump actions/cache from 3.0.0 to 3.0.1
  • 7dcb3cb ✨ checks: add GitHub Webhook check (#1675)
  • 93889a8 install missing tool in add-projects job
  • f1268bf cleanup protoc version
  • d10ac0d 🌱 Bump cloud.google.com/go/bigquery from 1.30.1 to 1.30.2
  • 92027ed small cleanup on the workflow jobs and remove the master branch reference (#1800)
  • 389078c 🌱 Bump cloud.google.com/go/bigquery from 1.30.0 to 1.30.1
  • 4956483 🌱 Bump github.com/onsi/gomega from 1.18.1 to 1.19.0
  • c428e31 🌱 Bump distroless/base in /cron/worker
  • 6a078c6 Use GITHUB_TOKEN for downloading protoc (#1797)
  • ce06ac1 🌱 Bump distroless/base in /cron/webhook (#1794)
  • 0644b18 🌱 e2e for local repoclient license check
  • cacc3e4 🌱 e2e tests binary artifacts localrepo
  • 037a3f3 ✨ Raw result for Maintained check (#1780)
  • 682e6ea Explicit permissions for github actions
  • 007156b 🌱 Bump distroless/base in /cron/controller
  • 10d46d5 🌱 Bump distroless/base from 792dfe7 to 764b74b
  • d2e88f2 🌱 Bump github.com/golangci/golangci-lint in /tools
  • 363d1bd Add comment to update action policy file (#1751)
  • 8150ab0 ✨ Make Vuln ID field lower case in raw results (#1761)
  • 2bbbce7 🐛 Discard GitHub token in dangerous workflow check (#1772)
  • 66b3d8c 🌱 Bump github.com/golangci/golangci-lint from 1.44.2 to 1.45.0 in /tools (#1757)
  • 10bd777 🌱 Bump peter-evans/find-comment from 1.3.0 to 2
  • 0a82d2b 🌱 Bump google.golang.org/protobuf from 1.27.1 to 1.28.0
  • aecff0b 🌱 Bump peter-evans/create-or-update-comment from 1.4.5 to 2
  • c671bac 🌱 Bump peter-evans/slash-command-dispatch from 2.3.0 to 3
  • 2863566 🌱 Bump actions/upload-artifact from 2.3.1 to 3
  • a69fda7 🌱 Bump actions/cache from 2.1.7 to 3
  • d51e004 🌱 Bump google.golang.org/protobuf in /tools
  • 06efb4a ✨ Update BQ table name for raw results (#1759)
  • 1094680 🐛 Fix schemas from #1758 (#1760)
  • ee623e5 Add schema for the raw JSON (#1758)
  • 1c61acd Update main.yml
  • 8fd286d Update stale.yml
  • 76d3e10 🌱 Restrict egress on github actions
  • 0c76ae3 🌱 Bump distroless/base in /cron/controller
  • 64893b8 🌱 Bump step-security/harden-runner from 1.4.0 to 1.4.1
  • b1ab16e ✨ Add raw results to cron scans (#1741)
  • d5893c2 🌱 Bump distroless/base from 02f6671 to 792dfe7
  • 9e9e5a9 🌱 Bump distroless/base in /cron/webhook
  • 8f6df49 🌱 Bump github.com/go-logr/logr from 1.2.2 to 1.2.3
  • 23921a6 🌱 Bump distroless/base in /cron/worker
  • a496d8c 🌱 Bump cloud.google.com/go/bigquery from 1.29.0 to 1.30.0
  • a3f4b05 Pass in specific commit-SHA in cron job (#1739)
  • ba78d0a ✨ Unit test for CLI options
  • dc302bd Enable CI-Tests to run as commit-based check
  • c8acf36 🌱 .github: Audit CodeQL egress with harden-runner (#1728)
  • c8af71c 🌱 Bump crazy-max/ghaction-import-gpg from 4.2.0 to 4.3.0
  • 3f73d69 🌱 Bump github.com/rhysd/actionlint from 1.6.9 to 1.6.10
  • 2df9d08 🌱 Bump github.com/goreleaser/goreleaser in /tools
  • 7d17953 Fixed the path of the generated mock files.
  • 1995bc3 🌱 Refactor to make it testable
  • f2a132a 🌱 Bump github.com/spf13/cobra from 1.3.0 to 1.4.0
  • e303a1b 🌱 Ignore mock clients for code coverage
  • 35d3156 🌱 Unit tests for pinned_dependencies
  • c10a6ae Update README.md (#1716)
  • eb25816 🌱 Bump cloud.google.com/go/pubsub from 1.18.0 to 1.19.0
  • e128c3d allow empty committer (#1714)
  • c1761a8 Only download repo tarball when necessary
  • 0268747 🌱 Bump github.com/goreleaser/goreleaser in /tools
  • 4b9f038 🌱 Fix for CVE-2022-23648
  • 241b0f4 Mark License, Security-Policy as commit-based (#1711)
  • 3c92dec 🐛 Add GitHub committer verification (#1695)
  • 57b4664 🌱 Bump cloud.google.com/go/bigquery from 1.28.0 to 1.29.0
  • 4904b31 🌱 additional tests for github_workflow
  • 3070b3c ✨ cmd: Allow new scorecard to be instantiated with options (#1703)
  • d192c8e ✨ Add score to SARIF for all results (#1694)
  • 3818dbe Update CODEOWNERS (#1701)
  • 189cdc5 🌱 Bump actions/stale from 4.1.0 to 5
  • 2381915 🌱 Bump crazy-max/ghaction-import-gpg from 4.1.0 to 4.2.0
  • 13b9cc5 🌱 Bump actions/checkout from 2.4.0 to 3
  • 84cdc8c ✨ cmd: Refactor to make importable (#1696)
  • 738b246 Fix cmd panic (#1692)
  • 8377294 🌱 Bump goreleaser/goreleaser-action from 2.9.0 to 2.9.1
  • dd9ae7d 🌱 Bump actions/setup-go from 2.2.0 to 3
  • 5e5abdc 🌱 Unit tests for github workflow
  • ddb0fe3 ✨ Changed jsonScorecardResultV2 type Public (#1682)
  • 4635570 🌱 Bump goreleaser/goreleaser-action from 2.8.1 to 2.9.0
  • d71866c Update badges to correct package version and reference URLs
  • c664364 📖 Included reference to the GoDoc
  • 7956ff4 ✨ Miscellaneous refactors to ease downstream consumption (#1645)
  • 7610519 📖 Adding missing documentation for Token-Permissions (#1656)
  • 4c82c29 🌱 Bump github.com/rhysd/actionlint from 1.6.8 to 1.6.9
  • 692c682 Refine copy for PR template and add a release-note code fence (#1678)
  • 504f134 Update scorecard-analysis.yml (#1674)
  • faeae41 🌱 Fixes the vulnerability GHSA-qq97-vm5h-rrhg (#1672)
  • 5a1ab20 🌱 Fix containerd vulns
  • d94a87d 🌱 Fix containerd Vulnerability (#1560)
  • 808941a ✨ Token-Permissions, Allow contents: write permission only for jobs that are releasing (#1663)
  • e41f859 Generalize CheckFileContent functions (#1670)
  • 5656c3e 🌱 Ignore cron folder from codecov
  • f616278 Generalize CheckIfFileExists fn (#1668)
  • c03085a Remove duplicated function definitions (#1666)
  • e5b62b5 🌱 Bump mvdan.cc/sh/v3 from 3.4.2 to 3.4.3 (#1665)
  • 5dbc04a 🌱 Avoid duplicate builds

Thanks to all contributors!

v4.1.0

22 Feb 01:20

Changelog

  • 33f80c9 Fix golangci-lint issues
  • 53bae3e feat: upgrade to ko v0.10.0
  • 1306b34 🌱 Bump ossf/scorecard-action from 1.0.3 to 1.0.4
  • 33a01f7 🐛 Add custom packaging workflow for Python
  • bba55d4 🌱 Parallelize builds
  • 1aff6db 🌱 Ignore docker builds
  • 674146c Make verbosity levels case insensitive (#1650)
  • db1d568 🌱 Remove building ko to speed up builds
  • e6f6c56 🌱 Bump github.com/onsi/ginkgo/v2 from 2.0.0 to 2.1.3
  • 4ebd8af 🌱 Bump github.com/onsi/ginkgo/v2 from 2.0.0 to 2.1.3 in /tools
  • ba503c3 ✨ githubrepo: Allow providing an already authenticated transport (#1644)
  • cda7a1b Add tests for graphQL costs (#1643)
  • de5224b Update e2e tests (#1641)
  • 2b206dc Remove Version field from LogMessage (#1640)
  • 3551134 🌱 Parallelize the builds
  • e7fd58d ✨ Check for secrets in pull_request_target (#1634)
  • e3637c9 🌱 Bump cloud.google.com/go/bigquery from 1.27.0 to 1.28.0
  • 1e488a8 Fix for repos which do not squash PR commits (#1637)
  • f3332ce Add validation for commit-based APIs (#1635)
  • eb0730a 🌱 Bump github.com/goreleaser/goreleaser in /tools (#1632)
  • 394789c README.md: Add OpenSSF Best Practices badge (#1629)
  • 2e3e505 Simplify DetailLogger interface (#1628)
  • 38be00c Reduce query cost by analysing lesser associatedPR (#1624)
  • 7de151c ✨ Check for secrets in workflows run on pull requests (#1615)
  • 9b921f0 🌱 Bump actions/setup-go from 2.1.5 to 2.2.0 (#1619)
  • 61e52d4 update workflow (#1617)
  • 368c105 🌱 Bump cloud.google.com/go/pubsub from 1.17.0 to 1.18.0 (#1616)
  • 6930c3a Add support for commit-based Scorecard (#1613)
  • 1c95237 Only run allowed checks in different modes (#1579)
  • eac2aec Add support for commit-based lookup to GitHub APIs (#1612)
  • 68bf172 🌱 Unit tests fileparser/listing
  • 30fc06e Fixed the formatting issue
  • aaf7a9f 🌱 Cache builds between runs
  • 049db38 🌱 Unit tests for dependency_update_tool
  • 8733080 checks/packaging.go: ignore workflows/<>/ files (#1591)
  • 95e7c03 Update the biweekly meeting times (#1603)
  • 80cc0dd 🌱 Unit tests checks/ci_tests_test.go
  • f84291d 🐛 Fix Dependabot check to accept .yaml file extension (#1601)
  • 5e1fd52 🌱 Tweaking codecov config
  • 35aad1d 🌱 Unit tests code-review for raw
  • 674f747 🌱 Unit tests for vulnerabilities raw package
  • 28bf341 📖 recommend nix-shell over nix-env
  • 634643e 🌱 Unit test for fileparser/listing
  • 88aa0e8 📖 Add make install to Environment Setup
  • 4581c36 Remove ListMergedPRs API (#1566)
  • 9037444 ✨ Raw data for code review check (#1505)
  • 7032b19 Ignore all files under testdata/ (#1594)
  • 0670b8b pkg/sarif.go: Add score in message (#1593)
  • 009aa85 🌱 Unit tests for Vulnerabilities
  • 05cedd7 🌱 Categorize the Makefile
  • 79b216c checks/security_policy_test.go: updated unit tests (#1590)
  • 24842de 📖 remove inaccurate claim about github rendering emoji
  • 86d8281 Do not parse non-dockerfile (#1583)
  • 2d0e538 Revert Committer.Name change (#1576)
  • e4eb6d2 🌱 Unit tests for security policy
  • 9d38be4 🌱 Bump ossf/scorecard-action from 1.0.2 to 1.0.3
  • cbbfebb ✨ Mention renovatebot's settings (#1575)
  • 3995d31 Refactor some code (#1567)
  • fae5ff3 🌱 Unit tests for fileparser
  • 58865e9 Only return PRs associated with recent commits (#1562)
  • 53f21cb README: s/Justin/Stephen (#1565)
  • 6962fb4 Use committer name if login isn't available (#1558)
  • 29b14f8 Fix nil-ptr issue in e2e tests (#1561)
  • 70afae8 🌱 Remove dead code
  • 4c266d7 🌱 Unit test for dependency_update_tool
  • b4eec8e 🌱 Bump github.com/onsi/gomega from 1.18.0 to 1.18.1
  • a69e1d9 🌱 Add Dart and Flutter CI systems to CI tests check. (#1548)
  • 40a9d48 Link to responsible disclosure guidelines in Security-Policy remediation doc (#1545)
  • 17467c1 🌱 Unit tests for binary_artifact (#1512)
  • 15a204f 🌱 Bump github.com/goreleaser/goreleaser in /tools
  • 074ba5a 🌱 Bump github.com/onsi/ginkgo from 1.16.4 to 1.16.5 in /tools (#1541)
  • bd2171b 🌱 Bump github.com/golangci/golangci-lint from 1.42.1 to 1.44.0 in /tools (#1540)
  • 10a5c1a 🌱 Bump github.com/goreleaser/goreleaser in /tools
  • d2d9ff4 🌱 Bump golang.org/x/tools from 0.1.8 to 0.1.9
  • 3d5a08d 🌱 Included dependabot setting for tools
  • d50788f Add Slack channel badge (#1536)
  • 5f9fff3 ✨ Separate check from policies for the Vulnerabilities check (#1532)
  • 7a6eb28 Not considering an issue as having activity if closed recently (#1531)
  • 16c0d37 🌱 CODEOWNERS: Add Stephen Augustus (justaugustus) as maintainer (#1530)
  • e774015 🌱 Unit tests for Fuzzing
  • 41adfe7 ⚠️ log: Initial logr/logrusr implementation (#1516)
  • da116d3 🌱 Bump cloud.google.com/go/bigquery from 1.26.0 to 1.27.0
  • 19a73a4 🌱 Bump ossf/scorecard-action from 1.0.1 to 1.0.2
  • d4d81a0 🌱 Unit tests dependency_update_tool
  • b6cba86 🐛 Issue activity only counts if done by a maintainer (#1515)
  • 5b98576 🌱 Bump github.com/onsi/gomega from 1.17.0 to 1.18.0
  • 4122c79 🌱 Unit tests for binary artifacts
  • 8a64075 🌱 Fix the reflect.DeepEqual with google cmp
  • 66a91dd 🌱 Unit tests for branch protection raw
  • ab16cdb 🌱 Fix Vulns for containerd
  • 90a0689 🌱 Unit test for fileparser
  • 062e33b 📖 Dependabot config file link (#1498)
  • 0d76dea go.mod: Update github.com/google/go-containerregistry to v0.8.0 (#1506)
  • 13b78ab ⚠️ Create a dedicated logging package to encapsulate calls to zap (#1502)
  • f4e9dfd 🌱 Unit tests for binaryartifacts
  • 5777826 🌱 Bump github.com/google/go-cmp from 0.5.6 to 0.5.7
  • 026d98e 🌱 Included e2e coverage for codecov
  • c3589e8 📖 Updated codecov badge
  • 2dcdbcd 🌱 Track code coverage
  • 9973bde ✨ Unit tests for dependency update
  • 96ea22e Add and use compressed Scorecard logos (#1492)
  • fc87431 Add exemption to stale issue workflow (#1486)
  • b8e054b 🌱 Bump goreleaser/goreleaser-action from 2.8.0 to 2.8.1
  • 4837262 🌱 Bump ossf/scorecard-action from 1.0.0 to 1.0.1
  • 5d3f198 ✨ Unit test for SAST (#1482)

Thanks to all contributors!

v4.0.1

14 Jan 21:25
c60b66b

Includes a patch that fixes the reported Scorecard version in the Scorecard Docker image, plus some documentation changes.

What's Changed

Full Changelog: v4.0.0...v4.0.1

v4.0.0

13 Jan 19:50

Description

This release of Scorecard provides bug fixes, enhancements, new features and many other changes. The project remains available as a Docker image.

Release Notes

New code features and enhancements

  • A new Scorecard GitHub Action
  • New checks: License and Dangerous-Workflow
  • Improved scoring system for complex checks like Branch-Protection, Token-Permissions
  • Improved Fuzzing check to support ClusterFuzzLite
  • Added support for new SAST tools like LGTM and SonarCloud in SAST check
  • Support for local code repository (using --local option)
  • Improved parsing of GitHub workflows
  • Improved test coverage
  • Scaled weekly cron job repos to analyze ~1M projects

Scaling

LTS

Contributors

Huge thanks to all community contributors

@laurentsimon, @naveensrinivasan, @chrismcgehee, @azeemshaikh38, @asraa, @olivekl, @evverx, @developer-guy, @oliverchang, @varunsh-coder, @david-a-wheeler, @imjasonh, @nanikjava, @JamieMagee, @lehors, @r0mdau, @cpanato, @dota17, @Juneezee

New Contributors

Mailing lists

Full Changelog: v3.0.0...v4.0.0

v3.2.1

24 Nov 16:11
23b0ddb

Changelog

aa634bd: 🌱 Fixes the broken e2e (@naveensrinivasan)
53ae583: Remove obviously invalid URLs from projects.csv (#1165) (@azeemshaikh38)
0ba864e: Avoid panic in code (#1171) (@azeemshaikh38)
d9e35cd: 🐛 Fix flaky tests in cron/data/add (#1185) (@laurentsimon)
4cca9b4: ✨ Implement local repo client for local folders (#1146) (@laurentsimon)
c73c562: Fix GitHub workflows failing (#1172) (@azeemshaikh38)
8735961: Update shard naming to allow for 1M+ shards (#1170) (@azeemshaikh38)
6088669: 🐛 Fix ListFiles caching in localrepo client (#1190) (@laurentsimon)
b08a4a8: Increase worker replicas (#1173) (@azeemshaikh38)
1db0f97: Sanitized repo URLs ~1M (#1182) (@azeemshaikh38)
1385528: Remove Repo CPU runtime stat logging (#1186) (@azeemshaikh38)
92dff66: 🌱 Bump distroless/base from 56d73a6 to 46d4514 (#1176) (@dependabot[bot])
ed2ef29: 🌱 Bump distroless/base in /cron/webhook (#1177) (@dependabot[bot])
6467b31: 📖 Update CODEOWNERS (#1189) (@r0mdau)
52ce50c: 🌱 Bump distroless/base in /cron/worker (#1193) (@dependabot[bot])
148446b: 🌱 Bump distroless/base in /cron/controller (#1192) (@dependabot[bot])
83649a7: Remove repos package (#1191) (@azeemshaikh38)
a53245a: 🐛 Fix broken e2e tests for Binary Artifacts (@naveensrinivasan)
c751120: 🌱 Reproducible builds in goreleaser (#1198) (@naveensrinivasan)
69f9774: Store metadata in BigQuery (#1197) (@azeemshaikh38)
d3796f2: ✨ Add ClusterFuzzLite to Fuzzing check. (#1166) (@oliverchang)
1cc8601: 📖 Included the meeting minutes (#1202) (@naveensrinivasan)
ff316e1: 🐛 Removed the Binary Artifact (@naveensrinivasan)
a6d298a: ✨ Use checks.yaml to store which repo types are supported by each check (#1195) (@laurentsimon)
257d99e: 🌱 Fixed the failing tests (@naveensrinivasan)
8a83a81: ✨ Validate check.yaml's repo interface support (#1210) (@laurentsimon)
59edb12: 🐛 Use only olivekl@ in CODEOWNER (#1212) (@laurentsimon)
8805ac5: ✨ Add --local option to CLI (#1211) (@laurentsimon)
6562cc1: 🌱 Bump actions/checkout from 2.3.5 to 2.4.0 (@dependabot[bot])
2006be1: 🐛 Token permission check was failing on non-yaml files (@chrismcgehee)
ddd770a: 📖 Updated the community links (#1216) (@naveensrinivasan)
af594d3: spelling (#1219) (@laurentsimon)
67f070f: remove action (#1223) (@laurentsimon)
4ee366e: 🌱 Move docker build checks to ko (#1214) (@naveensrinivasan)
b3ac52a: PR support (#1227) (@laurentsimon)
f319aca: Moving github workflow parsing to its own file (@chrismcgehee)
3dc507b: Using library to parse github workflows (@chrismcgehee)
09b7b3b: ✨ Pull request support for GitHub action (#1222) (@laurentsimon)
4fbd0fe: Adding Chris as facilitator (@chrismcgehee)
929fd6e: deterministic sarif gen (#1233) (@laurentsimon)
ae271b4: 🐛 Validate doc on pre-submit (#1235) (@laurentsimon)
6a2fb2e: Add LGTM to the SAST check (#1232) (@evverx)
5524c97: SAST: no longer skip "neutral" checks (#1237) (@evverx)
795505f: ✨ Remove isScorecardRepo (#1236) (@laurentsimon)
46611ea: Security-Policy: really look for the security policy (@evverx)
9dfac39: Fix the way diff is shown (#1249) (@azeemshaikh38)
ab2bb20: Fix nil-ptr access bug (#1248) (@azeemshaikh38)
c8d2a51: Ignore nil values in Branch-Protection check (#1243) (@azeemshaikh38)
1775025: 🌱 Move from io/ioutil to io and os packages (#1250) (@Juneezee)
51de6b6: Check for issue activity in Maintained (#1251) (@azeemshaikh38)
16cd53d: make install was not installing to GOPATH (@chrismcgehee)
d490455: CI-Test: stop assuming either "statuses" or "check runs" are used (#1259) (@evverx)
6223b66: Add CIIClient interface (#1262) (@azeemshaikh38)
72e20a0: Add repoClient.Close for all e2e tests (#1265) (@azeemshaikh38)
5950fde: 🐛 fix special character in search query to fix fuzzing check (#1241) (@asraa)
4dde356: Fix nil-ptr dereference (#1269) (@azeemshaikh38)
1050b1c: ✨ Add dangerous workflow check with untrusted code checkout pattern (#1168) (@asraa)
63e3b92: fix (#1277) (@laurentsimon)
4502dfb: ✨ Reduce false positives in Token-Permissions for contents permission (#1253) (@laurentsimon)
71e8698: Add a cron job to copy CII badges data (#1278) (@azeemshaikh38)
a05ac54: 🐛 Fix the reproducible builds (#1282) (@naveensrinivasan)
86835fc: 🐛 Fix branch protection results (#1252) (@laurentsimon)
4bd24b8: Including line number: Dockerfile FROM not pinned (#1258) (@chrismcgehee)
cc49494: ✨ [Check split]: Binary-Artifacts (#1244) (@laurentsimon)
0bd5756: Binary-Artifacts: no longer complain about ".bin" files (#1288) (@evverx)
0b32cc3: Fix broken e2e tests (#1291) (@azeemshaikh38)
2375ae2: Add a OssFuzzRepoClient (#1280) (@azeemshaikh38)
0339eea: 🌱 Fix integration test runs (#1286) (@naveensrinivasan)
8fae5b1: Fix more nil-ptr dereferences (#1295) (@azeemshaikh38)
b4e3205: ci: drop trailing whitespaces (#1292) (@evverx)
e15e7b1: More nilptr issues (#1296) (@azeemshaikh38)
9878c4e: Randomize the repos tested during release test (#1299) (@azeemshaikh38)
89b316c: Use blob-based CII client in cron job (#1284) (@azeemshaikh38)
08a7876: Run Dangerous-Workflow in release tests (#1301) (@azeemshaikh38)
5025299: Fix issues with CII client (#1309) (@azeemshaikh38)
6e7e13e: 🌱 Fix vulnerabilities in dependencies (@naveensrinivasan)
10ee2c0: Use pull_request_target + protected env for e2e (#1308) (@azeemshaikh38)
730076f: 🐛 fix dangerous workflow test and workflow parsing (#1283) (@asraa)
9d29765: Signed-Releases: really look for *.sign files (#1298) (@evverx)
fd87314: ✨ Update score for branch protection with levels (#1287) (@laurentsimon)
67c5e93: fix (#1318) (@laurentsimon)
23b0ddb: fix (#1316) (@laurentsimon)

Thanks to all contributors!

v3.1.1

29 Oct 17:31

Changelog

6f1a1cb: 📖 Update README.md (#1160) (@olivekl)
c13783a: 🐛 Fixing parsing for Github workflow when matrix is an expression (@chrismcgehee)
faab696: Improve formatting, readability (@chrismcgehee)
6f1a43a: 🌱 add google/ko support for building/pushing container image (#1127) (@developer-guy)
1b88587: 🌱 Fix CVE warning for containerd (@naveensrinivasan)
fd238d0: 🌱 Fix goreleaser permission and flags (@naveensrinivasan)

Thanks to all contributors!

v3.0.1

08 Oct 16:57
6c1c789

What's Changed

Full Changelog: v3.0.0...v3.0.1

v3.0.0

08 Oct 16:51
f153db5

Description

This release of Scorecard provides bug fixes, enhancements and new features, including many changes that are not compatible with earlier versions of Scorecard. The project remains available as a Docker image.

Release Notes

API changes

We are experimenting with new APIs based on user feedback to improve clarity and usability. Please try them out and leave us feedback on the scorecard repository!

New code features and enhancements

  • Numeric scoring and risk categories replace Pass/Fail.
  • Aggregated score.
  • Improved JSON output (--format json | jq).
  • New repo interface to simplify the future integration of other code versioning systems besides GitHub.
  • Use GitHub v4 (GraphQL) APIs instead of REST API to improve performance and efficiency.
  • Improved documentation (checks and main README).

Removal

  • Support for the CSV output format has been removed. Switch to the JSON format when upgrading.

Scaling

LTS

  • Weekly scans that output the older JSON format will continue until 31 March 2022.
  • Weekly scans that output the new JSON format will be available at least until the end of 2022.

Huge thanks to all community contributors

@naveensrinivasan, @chrismcgehee, @nanikjava, @rsprabery, @slugclub, @nathan-415, @neil465, @notanton, @ben-moss, @evalphobia, @johanbrandhorst, @iamamoose, @david-a-wheeler, @olivekl, @asraa, @loosebazooka, @meder, @oliverchang, @azeemshaikh38, @laurentsimon

Mailing lists

Full Changelog: v2.0.0...v3.0.0

v2.2.8

27 Sep 20:19
3cbe7b2

Changelog

3cbe7b2 Consistent -ldflags across go build (#1070)
06c14a6 Minor fixes to README.md (#1066)
6b9010e changes (#1062)
2c16597 Fix GitVersion in cron job (#1065)
1d3f3e3 gpg-private-key in goreleaser (#1064)
9df865c Regenerate docs/checks.md (#1061)
42e2b98 🌱 Bump actions/github-script from 4.1.0 to 4.1.1
0074111 Fix CodeReview bug (#1058)
fb77e42 ✨ Per-check score threshold for SARIF (#1057)
0686ed2 🐛 Fix invalid code review (#1055)
aa93ac2 Modify the text to acknowledge GitHub != universe (#1037)
5655cbb ✨ Add aggregate score to cron JSON (#1050)
b9daae1 🐛 Update message for Code-Review (#1054)
91eb41e 🌱 Check for OSV for a go.mod changes (#1053)
075cf0c 150k+ repos and num_dependents_deps.dev metadata (#1052)
5d6a7cd ✨ Add policy file (#1002)
90332a9 🌱 Add counting of shell parsing errors (#1026)
44dd10d 📖 Olivekl patch 1 (#1039)
d4caef0 🌱 Fix GO-2020-0020 (#1047)
14dc32f Enforce non-concurrent token usage (#1048)
5fb87cb 🌱 Bump golang.org/x/tools from 0.1.5 to 0.1.6 (#1041)
39bd00c ✨ Add aggregated score (#1046)
fd6e58d 🌱 Fixes GO-2020-0017 OSV (#1045)
51e11e6 🌱 Fix GO-2021-0089 vulnerability
bc5d7a8 📖 Improve text on Packaging (#1035)
ea77ab7 fix prev PR (#1033)
45fb779 📖 Improve explanation about multiple reviewers (and their lack) (#1017)
34b97e3 ✨ Update k8's transfer releasetest-v2 (#1023)
e1a6e7d 📖 Fixed the docs for dependabot
9e81b5f 📖 Fixed the dependabot check message
30cae86 📖 Warn when checks are prone to false negatives (#1019)
1e4f723 🌱 Fixes permission for main.yml action
8b7da7c 📖 Improve rationale for Binary-Artifacts (#1016)
646b339 Explain that active maintenance isn't always needed (#1013)
6868fe6 Note that pinning is a way to mitigate dependency confusion (#1012)
6fb92a3 add version for cron (#1011)
afb01f4 Fix CII Best Practices badge info (#1010)
aa2ed45 📖 Docs: Pinned dependency doc 2 (#1004)
6178207 ✨ Update cron's JSON format (#1001)
b6cd4cf Fix CONTRIBUTING.md for doc updates 📖 (#1007)
a5a6a30 README.md: Add hyperlinks to docs/checks.md (#1008)
b0fab3f code (#1006)
4c4fb61 🌱 Bump cloud.google.com/go/pubsub from 1.16.0 to 1.17.0 (#992)
0590b03 ✨ change message to make it easier for users (#1003)
ba53081 Tweak "pinned dependency" discussion (#999)
cc044ca 🌱 Bump go.uber.org/zap from 1.19.0 to 1.19.1 (#993)
bc37c74 Remove Owner/Repo strings from CheckRequest (#997)
e730e91 sce.Create -> sce.WithMessage for wrapcheck (#995)
1cb8c06 Bug in Makefile generate-docs (#996)
d6174db semantic version (#991)
af24ed4 🌱 Included codeql check for GitHub Actions (#988)
870db56 Cleanup documentation code (#981)
1da121d ✨ Give low importance to github-owned actions (#802) (#906)
576447a 🌱 Fix the jwt finding
924d4d5 📖 Update README.md (#976)
2b15b13 🌱 Moving tools dependencies to separate go.mod
1c7ba79 🐛 Github workflow steps run on Windows should default to pwsh as its shell (#877)
a3d63bf 🌱 Updated actions permission for codeql (#964)
942c4cf 🌱 Bump crazy-max/ghaction-import-gpg from 3.2.0 to 4 (#971)
0aa4305 🌱 Bump github.com/golangci/golangci-lint from 1.42.0 to 1.42.1 (#973)
5476b87 ✨ Removed unnecessary linters (#969)
f220924 🌱 Bump distroless/base in /cron/worker
29b7bd3 Parsing GitHub Workflows should only happen on yaml files
2ae8910 📖 Fixed the deadlink to the documentation (#963)
fda87a4 Fixed typo reepo to repo
f55b86d 🌱 Bump peter-evans/slash-command-dispatch from 2.2.1 to 2.3.0 (#955)
e30d9e5 🌱 Bump gocloud.dev from 0.23.0 to 0.24.0 (#956)
b847d54 🌱 Bump distroless/base in /cron/controller (#961)
0620758 Updated go get to go install (#953)