Releases: ossf/scorecard

v2.2.3

03 Sep 14:51
7b912e8
Changelog

7b912e8 Return DefaultBranch as part of ListBranches (#960)
830c4f5 100k cron job repos (#958)
afe5b40 Make RepoClient as default interface for Scorecard (#951)
1434977 ✨ Upgraded to go 1.17
eceb577 Add and use RepoClient API for ListStatuses (#949)
eb2b3b2 Add RepoClient API for ListCheckRunsForRef (#948)
8f5e742 ✨ Improve JSON format (#934)
b5e4c77 🌱 Bump distroless/base from 19d927c to a74f307 (#945)
992775e 🌱 Bump distroless/base in /cron/webhook (#946)
dcbf752 🌱 Bump cloud.google.com/go/bigquery from 1.21.0 to 1.22.0 (#939)
dcbfb3c Fix syntax bug in CloudBuild YAML (#947)
df2acb4 Add COMMIT_SHA to Scorecard docker image (#944)
d6b6012 Specify fractions instead of percentage (#943)
99b9c91 Use RepoClient API for Packaging check (#940)
bb6e010 ✨ Decouple scorecard json from cron json (#941)
001ba67 🌱 Bump github.com/jszwec/csvutil from 1.5.0 to 1.5.1
d6ba2cd Fix #890 (#938)
e305a94 Use ListReleases API for BranchProtection check (#937)
9a1978a Use RefUpdateRule in BranchProtection check (#936)
d9f5209 Update test utils (#933)
dbb2345 ✨ Add line number to unpinned dependency: GitHub workflow "uses" field (#821)
ee6acdd Syntax bug in k8s file (#931)
915bad8 🌱 Bump distroless/base in /cron/worker
95c2df2 🌱 Bump distroless/base from bc84925 to 19d927c in /cron/bq (#926)
51016ea 🌱 Bump cloud.google.com/go/pubsub from 1.15.0 to 1.16.0 (#904)
c1edcea Use a completion threshold for BQ transfers (#930)
f40fa63 🌱 Included race flag to tests (#921)
d9b4188 🌱 Bump distroless/base in /cron/webhook
5b74c04 🌱 Bump distroless/base in /cron/controller
fe54c51 Only call GitHub APIs when needed (#918)
c9a617b 📖 Expand "Motivation" section (#924)
37696ac Create and use MockRepoClient in unit tests (#922)
50fd921 🌱 Fix the dependabot settings
f2afdba 🌱 Bump actions/setup-go from 2.1.3 to 2.1.4
b93f385 🌱 Bump distroless/base from ccbc79c to 19d927c
788fd33 ✨ Add JSON unit tests (#915)
e083f04 🐛 Fix date cron issue (#914)
d8e49e0 Remove unwanted dependencies (#913)
9eb7929 🐛 Address friction logs' comments (#899)
1c7c1e3 Fix bug in shardNum calculation (#910)
2d65ab4 Remove ErrRepoUnavailable (#908)
b89808f Pin protoc by SHA (#909)
e73f08e Fix nil ptr dereference (#907)
cc30d54 Use arduino/setup-protoc for installing Protoc (#903)
8cf95c4 Use singleton pattern for OSS-Fuzz (#902)
41d0ce3 Replace errors.As with Is (#901)
46a655d Fixes for Branch Protection (#900)
7bc2e00 🌱 Bump peter-evans/find-comment from 1.2.0 to 1.3.0 (#893)
ad134ac ✨ Add hash to results (JSON, SARIF) (#892)
6403eb1 ✨ Transition Packaging, SAST, Security-policy, Signed-releases check to the new structured detail format (#887)
b731f45 ✨ Transition Vulnerabilities, Permissions, CI-Tests, Dependency-Update-Tool, Code-Reviews to structured details (#889)
27c5821 Update README.md (#888)
aea1249 Add ephemeral-storage to cron worker (#885)
276155d ✨ SARIF 4: Add support to output SARIF format (#866)
d1de6cf support v3 (#883)
bb70e15 Remove token-heavy checks from cron job (#882)
77a4160 🌱 Bump github.com/onsi/gomega from 1.15.0 to 1.16.0 (#879)
b7c0d03 Handle GitHub repos with redirects (#876)
42700ee 🌱 Bump actions/github-script from 4.0.2 to 4.1
c73b28f ✨ fix: add github.com as default for owner/repo parameter (#872)
c54d77b 🐛 Only validate shell scripts supported by our parser (#862)
04e8bcf 🌱 Bump cloud.google.com/go/bigquery from 1.20.1 to 1.21.0 (#870)
1c9a255 Update docs to use :stable release (#865)
fa4e8a4 🌱 Bump github.com/golangci/golangci-lint from 1.41.1 to 1.42.0 (#869)
e7d9ec5 🌱 Bump cloud.google.com/go/pubsub from 1.14.0 to 1.15.0 (#858)
63a8fc7 Nil pointer dereference (#864)
cf01ea6 Fix nil pointer dereference bug (#860)
dbdcd4b ✨ SARIF 1: add structured detail (#843)
0a0d292 ✨ SARIF 3: add flag to yaml (#853)
13ef9dd Use RepoClient.Search API in SAST check (#857)
23764f0 ✨ Upload cron results to a table with new format (#830)
b3a3f7e ✨ SARIF 2: add short description to checks.yml (#848)
7233742 🌱 Bump go.uber.org/zap from 1.18.1 to 1.19.0 (#834)
42ee430 Use RepoClient API for Fuzzing (#855)
4c585f2 Fix nil pointer bug (#856)
8baaaa4 Use RepoClient API for Contributors check (#854)
b7ddc9a Update go-github version for consistency (#852)
d4701c4 Delete Signed-Tags check from Scorecard (#851)
29fbdae Enable automated e2e testing and releases (#850)
3f9431d Update SignedReleases to use RepoClient API (#844)
e160d4a 📖 Fixed the typos and rephrased some (#849)
7790d70 Use consistent golang image across Dockerfiles (#847)
cc312f2 ✨ feature: branch protection without admin token (#823)
a10baab 🌱 Bump golang from 5cdc91c to 3c4de86 (#846)
cbc556f Append changelog to new releases (#838)
eeb563b Update SAST and CITest with Repoclient API (#842)
5bcc1fd populate old details (#841)
977c2b8 Log runtime failures in cron job (#840)
20370f7 🐛 Look for organisation default .github security.md files in all the locations they are allowed to be in (#837)
ee8e402 🌱 Bump github.com/google/go-containerregistry (#832)
4fcb0a3 Fix a bug in flag parsing (#836)
0f6cbc1 🌱 Bump cloud.google.com/go/pubsub from 1.13.0 to 1.14.0 (#833)
6cc4135 Remove false log statement (#835)
bbf99ad 🌱 Bump cloud.google.com/go/bigquery from 1.19.0 to 1.20.1 (#820)
0561c15 Post to webhook on successful cron job completion (#829)
bc67dd3 Create a webhook for tagging Docker images (#828)
ce7d4c3 Update BQ query in README.md (#831)
a2e34ed 🌱 Bump crazy-max/ghaction-import-gpg from 3.1.0 to 3.2.0
ef9880c 🌱 Implemented ignore for license check
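Several entries in this changelog concern pinning: the "Add line number to unpinned dependency: GitHub workflow "uses" field" change and "Pin protoc by SHA". The example below, added here and not code from the ossf/scorecard project, shows the shape of such a check: it scans a GitHub Actions workflow line by line, records every remote `uses:` reference with its line number, and flags the ones whose ref after `@` is not a full 40-hex commit SHA (a mutable tag like `v2` can be moved to different code later; a SHA cannot). The workflow text, the helper names `ScanUses`/`Unpinned`, and the placeholder SHA are all constructed for this example; local `./` actions and `docker://` images are skipped as a simplification.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one remote `uses:` reference found in a workflow file.
type Finding struct {
	Line   int    // 1-based line number in the workflow text
	Action string // owner/repo[/path], e.g. "actions/checkout"
	Ref    string // text after '@'; empty when no ref was given
	Pinned bool   // true only when Ref is a full 40-hex commit SHA
}

var (
	// Matches "uses: <value>" whether or not it starts a list item; the value
	// stops at whitespace, quotes or a trailing "# comment".
	usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^"'\s#]+)`)
	shaRe  = regexp.MustCompile(`^[0-9a-f]{40}$`)
)

// ScanUses returns every remote action reference in the workflow text.
// Local actions ("./...") and "docker://" images are skipped (simplification).
func ScanUses(workflow string) []Finding {
	var out []Finding
	for i, line := range strings.Split(workflow, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		uses := m[1]
		if strings.HasPrefix(uses, "./") || strings.HasPrefix(uses, "docker://") {
			continue
		}
		action, ref := uses, ""
		if at := strings.LastIndex(uses, "@"); at >= 0 {
			action, ref = uses[:at], uses[at+1:]
		}
		out = append(out, Finding{
			Line:   i + 1,
			Action: action,
			Ref:    ref,
			Pinned: shaRe.MatchString(ref),
		})
	}
	return out
}

// Unpinned filters findings down to the ones a reviewer should act on.
func Unpinned(all []Finding) []Finding {
	var out []Finding
	for _, f := range all {
		if !f.Pinned {
			out = append(out, f)
		}
	}
	return out
}

// SampleWorkflow is a constructed workflow; the 40-hex SHA is a placeholder,
// not a real actions/setup-go commit.
const SampleWorkflow = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v2.1.4
      - uses: ./.github/actions/local
      - name: lint
        uses: golangci/golangci-lint-action@v2.5.2
`

func main() {
	for _, f := range Unpinned(ScanUses(SampleWorkflow)) {
		fmt.Printf("line %d: %s@%s is not pinned to a commit SHA\n", f.Line, f.Action, f.Ref)
	}
}
```

Run against the sample, lines 7 and 11 are reported; line 8 passes because its ref is a full SHA, and the local action on line 9 is ignored. Reporting the line number is what turns a repository-level score into something a developer can fix in the workflow file directly.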

v2.1.3

09 Aug 19:29
0c55af5
v2.1.2

06 Aug 20:32
7f71928
v2.1.1

02 Aug 17:35
30bb119
v2.1.0

26 Jul 21:44
8128f9f
v2.0.0

29 Jun 17:44
5dd7f11
v1.2.0

17 Mar 22:23
7ff09db
v1.1.1

17 Feb 23:04
Scorecard v1.1.1 release notes

Changes since v1.1.0

  • The scorecard releases are signed with GPG keys 🔑
  • Scorecard adds a JSON response to the HTTP endpoints.
  • This release included scanning of 2000 additional GitHub repositories.
  • The Docker image of scorecard is published at the GitHub Docker registry.
  • The dependent libraries were upgraded: github.com/spf13/cobra from 1.1.1 to 1.1.2 and from 1.1.2 to 1.1.3.
  • There were improvements to the e2e testing.
  • Minor bug fixes to the existing scans.

Thanks to all our contributors! 😊

v1.1.0

08 Feb 18:30
Changelog

7ab314d Fix - dependabot githubactions location
bcf8d0d Fix - dependabot yaml error
4ad4a42 Feature - enabled dependabot for githubactions
f385b0d Feature - run scans from npm package name
0d77d89 Fix - tarball URL trailing slash
038e3b6 Bump github.com/onsi/gomega from 1.10.4 to 1.10.5
717701b Bump github.com/onsi/ginkgo from 1.14.2 to 1.15.0
8493b0b Add remediation steps for various checks.
93373f7 Fixes - Incorrect result for branch protection
2a1463b Feature - Report codecoverage to codecov.io
09b83b9 Fixes
33e9189 fix - panic on nil
c00aa4b Add e2e tests for remaining checks.
bcaa2e7 Lint fix.
b5096bf Fix backslash.
b278475 Fix CodeQL failure.
5b7ddc5 Add e2e test.
dc8d1fe Add packaging check.
c4c99cd feature - Included the e2e into the PR workflows
91bfea5 feat - Close stale issues
1d26654 Document - Included instruction for GITHUB_AUTH_TOKEN
1700c3a feature - Pull request template (#127)
b11fad8 feature - Included the status badge in README (#125)
7b740ce fix - Handle nil structs in branch protection (#124)
9d4e5c0 feature - CODEOWNERS for github branch protection feature (#123)
fcf0ac4 Merge pull request #119 from naveensrinivasan/feature/protected-branches
3191c55 Update README.md
938b9f2 Merge branch 'main' into feature/protected-branches
b506c6f Merge pull request #122 from ossf/b5
650fe0a Update README.md
3c94ffa Remove releases from active check.
5d84b86 Merge branch 'main' into feature/protected-branches
b86fae0 Fix #121
9ce57c0 feature - Checks for branch protections
15a1ba0 feat - nonroot docker container (#114)
9e0388f Merge pull request #118 from naveensrinivasan/feature/update-readme
c5c51b9 feature - Update the CONTRIBUTING guidelines
b216a1e Feat - implemented goreleaser for releases (#117)
f77da77 feat-e2e tests for signed tags and signed releases (#115)
3df1191 Create Dependabot config file (#116)
ddc82c6 Add --show-details to the cron job. (#113)
329a4cf Merge pull request #109 from moorereason/release-tagname
88d5218 Use release tag name instead of name in log messages
a239820 Merge pull request #108 from moorereason/iss95-ci-tests
39464a5 Refactor CI-Tests to show negative results
7937da4 Merge pull request #103 from naveensrinivasan/fix/golangrun-ci-issue
9b1e28e Merge pull request #106 from ossf/b3
2d348a7 Merge pull request #105 from naveensrinivasan/feat/makefile
91780fd Allow skipping scheme, fix regression.
a56f707 Feat - Implemented Makefile and actions for PR
06f2616 fix - golangci-lint issues
c308663 Merge pull request #102 from naveensrinivasan/fix/shellcheck
3de6a1b fix - shellcheck violations for cron.sh
6549ecc Create codeql-analysis.yml (#101)
f7cb4d7 Merge pull request #100 from naveensrinivasan/fix/http-path
4362368 Tests updated to include validation for parsing
fd3a2a8 fix - URL with trailing slash
6b80b78 Merge pull request #98 from moorereason/iss95
ac55575 Adjust details logging on a few checks
348bedb Show negative results in Signed-Releases details
eb0d488 Show negative results in Signed-Tags details
4ec34e9 Show negative results to Pull-Requests details
1991617 Merge pull request #94 from ossf/b3
7a10bed Improve SAST check.
c5abb92 Merge pull request #91 from ossf/a12
87d6954 Merge pull request #92 from ossf/b1
0bcd8ea Improve fuzzing check.
ab2c9d4 Add support for yarn, composer in frozen deps check.
983e406 Merge pull request #90 from dlorenc/moreprojects
cd16def Add 50 Google projects.

1.0.0

08 Dec 06:20
87997ff
Initial open source release.