Releases: ossf/scorecard
Releases · ossf/scorecard
v4.10.2
v4.10.1
v4.9.1
v4.10.0
What's Changed
Check improvements
- ✨ Removed job-level permissions check for actions and packages by @eddie-knight in #2367
- ✨ Add Sonatype Lift as a dependency update tool, doc upgrade by @theresa-m in #2328
⚠️ OSV scanner integration by @another-rex in #2509
Cron improvements
- 🌱 Add soft mem limit to controller k8s spec by @spencerschrock in #2362
- 🌱 cron: generalize and expose worker (6/n) by @spencerschrock in #2317
- 🐛 Fix typo which prevented cron metadata from going to BigQuery dataset by @spencerschrock in #2370
- 🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents by @calebbrown in #2454
CLI
- ✨ Commit depth feature by @latortuga71 in #2407
Documentation
- 📖 Use scorecard (singular) consistently by @lehors in #2428
- 📖 Use new project name in Copyright notices by @lehors in #2505
- 📖 Fix copyright notices by @lehors in #2514
- 📖 Mention 2FA relevance although not checked by Scorecard by @joycebrum in #2528
- 📖 Clarify CII-Best-Practices score for each badge by @hugovk in #2313
BinAuthZ support (WIP)
- ✨ CLI for scorecard-attestor by @raghavkaul in #2309
- 🌱 Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor by @raghavkaul in
- 🌱 attestor: Dockerize + small improvements for Cloud Build usage by @raghavkaul in #2456
- 🌱 attestor: e2e tests by @raghavkaul in #2529
GitLab support (WIP)
New Contributors
- @theresa-m made their first contribution in #2328
- @dvbnrg made their first contribution in #2366
- @hugovk made their first contribution in #2313
- @gabibguti made their first contribution in #2384
- @shissam made their first contribution in #2195
- @favonia made their first contribution in #2447
- @latortuga71 made their first contribution in #2407
- @balhar-jakub made their first contribution in #2488
- @another-rex made their first contribution in #2509
Full Changelog: v4.8.0...v4.10.0
v4.9.0
What's Changed
Check improvements
- ✨ Removed job-level permissions check for actions and packages by @eddie-knight in #2367
- ✨ Add Sonatype Lift as a dependency update tool, doc upgrade by @theresa-m in #2328
⚠️ OSV scanner integration by @another-rex in #2509
Cron improvements
- 🌱 Add soft mem limit to controller k8s spec by @spencerschrock in #2362
- 🌱 cron: generalize and expose worker (6/n) by @spencerschrock in #2317
- 🐛 Fix typo which prevented cron metadata from going to BigQuery dataset by @spencerschrock in #2370
- 🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents by @calebbrown in #2454
CLI
- ✨ Commit depth feature by @latortuga71 in #2407
Documentation
- 📖 Use scorecard (singular) consistently by @lehors in #2428
- 📖 Use new project name in Copyright notices by @lehors in #2505
- 📖 Fix copyright notices by @lehors in #2514
- 📖 Mention 2FA relevance although not checked by Scorecard by @joycebrum in #2528
- 📖 Clarify CII-Best-Practices score for each badge by @hugovk in #2313
BinAuthZ support (WIP)
- ✨ CLI for scorecard-attestor by @raghavkaul in #2309
- 🌱 Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor by @raghavkaul in
- 🌱 attestor: Dockerize + small improvements for Cloud Build usage by @raghavkaul in #2456
- 🌱 attestor: e2e tests by @raghavkaul in #2529
GitLab support (WIP)
New Contributors
- @theresa-m made their first contribution in #2328
- @dvbnrg made their first contribution in #2366
- @hugovk made their first contribution in #2313
- @gabibguti made their first contribution in #2384
- @shissam made their first contribution in #2195
- @favonia made their first contribution in #2447
- @latortuga71 made their first contribution in #2407
- @balhar-jakub made their first contribution in #2488
- @another-rex made their first contribution in #2509
Full Changelog: v4.8.0...v4.9.0
v4.8.0
Changelog
- c408592 Adjusted to max score with warning if job content are set to write (#2355)
- 78c7e83 🌱 Bump golang.org/x/text from 0.3.7 to 0.3.8 (#2358)
- b12b093 README formatting fix (#2356)
- 36d6a34 Note that LGTM service is deprecated. (#2339)
- 7f214bf 🌱 Bump actions/dependency-review-action from 2.4.0 to 2.4.1 (#2345)
- 3eab4dd 📖 Clarifications about the pinned dependencies check (#2319)
- 9b9006e Return unknown commit SHA for local repos. (#2342)
- 83db8ba 🌱 Bump github/codeql-action from 2.1.26 to 2.1.27 (#2336)
- 2b8ced3 🌱 Fixup: list GitHub check runs of MergeRequest.HeadSHA instead of Commit.SHA (#2333)
- 53e9246 🌱 Migrate to go 1.19 (#2332)
- 4e85d07 🌱 Bump github.com/goreleaser/goreleaser in /tools
- 7992368 Remove line continuations in all run steps. (#2335)
- 4b99a3a 📖 Create the Frequently Asked Questions Document (#2327)
- ae75d43 🌱 Bump github.com/golangci/golangci-lint in /tools (#2331)
- b4d97f9 🌱 Bump actions/checkout from 3.0.2 to 3.1.0 (#2324)
- 2c16c8f 🌱 Bump actions/cache from 3.0.8 to 3.0.10 (#2322)
- b491f40 🌱 Bump github/codeql-action from 2.1.24 to 2.1.26
- 9b4a675 🌱 Bump step-security/harden-runner from 1.4.5 to 1.5.0 (#2316)
- 29893ae 🌱 Split CI-Tests check into a raw and evaluation section (#2291)
- 347c2a8 Add tests for getBucketSummary. (#2310)
- ac55bf4 🐛 Prevent partial cron transfers caused by controller failures (#2308)
- 01b69d2 Fix scoring issue with Code Review check (#2292)
- 4693747 🌱 Bump sigstore/cosign-installer from 2.6.0 to 2.7.0 (#2300)
- 37d873d 🌱 Bump actions/dependency-review-action from 2.2.0 to 2.4.0
- d4b44e5 🌱 Remove check-osv (#2303)
- c3a7921 fix arg typo (#2304)
- a694cc9 Fix k8s yaml errors and document how to prevent them. (#2298)
Thanks for all contributors!
v4.7.0
Changelog
- 7cd6406 Reduce build target radius (#2293)
- a7a503a 🌱 cron: pass config as an argument to binaries (4/n) (#2279)
- 97df43b 🌱 Reduce the number of PR's opened by dependabot (#2297)
- 88e5ff7 Improve API limiting and cache (#2294)
- f017e2e Fix typo which was causing index out of range panics (#2284)
- 08c2ee5 Modify tool installation (#2288)
- 0f87094 ✨ Gitlab support (#2265)
- a6983ed Fix failing linters (#2281)
- 7c24934 🌱 Fix cosign vulnerability (#2283)
- a298132 🌱 Bump actions/dependency-review-action from 2.1.0 to 2.2.0 (#2282)
- 9a9a1cb 🐛 Add fix for issue2277 (#2278)
- d75dea8 🌱 Feature: Group commits into changesets (#2260)
- 3629fd8 🌱 Bump github/codeql-action from 2.1.22 to 2.1.24
- 9f67c4e 🌱 Invite @spencerschrock as maintainer (#2269)
- 482a59e 🌱 Tests: Fix data race failures (#2262)
- 2231d1f 🌱 cron: make CSV header optional (3/n) (#2261)
- bde0ae1 🌱 cron: generalize config and create optional values for scorecard and criticality (2/n) (#2254)
- 9e269b8 🌱 Feature: Add scorecard attestation policy module (#2240)
- d6bef98 Wrap check errors with distinct error for scorecard-action to ignore. (#2250)
- 856d2dd 🌱 Bump sigstore/cosign-installer from 2.5.1 to 2.6.0 (#2253)
- d76ff0d ✨ setup-python not required by pypa/gh-action-pypi-publish (#2206)
- 11657e4 📖 Remove trailing whitespace (#2241)
- da785a2 Rename CII->OpenSSF Best Practices badge (#2239)
- c665f27 🌱 cron: allow controller to read CSVs from cloud storage (1/n) (#2235)
- 7c66ae8 🌱 Bump imjasonh/setup-ko from 0.5 to 0.6 (#2231)
- ec15af5 🌱 Bump github/codeql-action from 2.1.21 to 2.1.22 (#2227)
- dac68a4 🌱 Bump github.com/onsi/gomega from 1.20.1 to 1.20.2 (#2225)
- bc5a1d6 Enable SAST check in cron by default (#2223)
- f345807 Detect pyup as an automated dependency update tool (#2226)
- d13ba3f 📖 Update instructions and other fixes in README (#2212)
- 7a2c403 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.4 to 2.1.6 (#2220)
- 3337b6c 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.4 to 2.1.6 in /tools (#2221)
- 758cc39 Add k8s README (#2219)
- 5ac9f39 🌱 Fix for empty repository (#2207)
- 33ab335 🌱 Bump github.com/onsi/gomega from 1.20.0 to 1.20.1
- 621449f ✨ Add CODEOWNERS branch protection check (#2057)
- 6fc08e7 Allow contents: write for Token-Permissions when doing mvn release (#2202)
- a8e9050 ✨ Optimize SAST check (#2191)
- 11ff78e Deduplicate projects by excluding URL fragments (#2201)
- b40efd2 🌱 Bump cloud.google.com/go/bigquery from 1.38.0 to 1.39.0
- 9460030 Make the Scalable Scorecards document public. (#2199)
- fb630a8 🌱 Bump github/codeql-action from 2.1.20 to 2.1.21 (#2200)
- 64daafb 🌱 Bump cloud.google.com/go/pubsub from 1.24.0 to 1.25.1 (#2197)
- 32d6ba2 🌱 Bump actions/setup-go from 3.2.1 to 3.3.0 (#2194)
- 8b3793a 🌱 Bump github/codeql-action from 2.1.19 to 2.1.20 (#2187)
- 86aa297 🌱 Bump github.com/caarlos0/env/v6 from 6.9.3 to 6.10.0 (#2188)
- e2813b8 🌱 Bump actions/cache from 3.0.7 to 3.0.8 (#2184)
- a4d2c01 🌱 Bump distroless/base from
49d2923
to533c15e
(#2185) - af2ee3d 🌱 Bump github/codeql-action from 1.0.0 to 2.1.19 (#2178)
- 77fa781 Check for security polices in RST format at toplevel and .github as well. (#2180)
- 2920b32 ✨ Improved license check (#2179)
- 25fd14d 🌱 Bump actions/dependency-review-action from 2.0.4 to 2.1.0 (#2176)
- 4a15760 Don't error on workflow parse failure in Binary-Artifacts (#2170)
Thanks for all contributors!
v4.6.0
What's Changed
- ✨ Enhancement: adding new entries for GH actions & Pub as ecosystems, typo fixes by @aidenwang9867 in #2109
- feat: Add pom.xml support for sonarype SAST by @laurentsimon in #2114
- ✨ Enhancement: Dependency-diff API optimization - changing the input param changeType from a map to an array by @aidenwang9867 in #2111
- 🌱 Bump gocloud.dev from 0.25.0 to 0.26.0 by @dependabot in #2121
- 🌱 Bump nick-invision/retry from 2.6.0 to 2.8.0 by @dependabot in #2122
- 📖 Include an example query for the public BigQuery dataset by @spencerschrock in #2123
- 🌱 Bump actions/cache from 3.0.5 to 3.0.6 by @dependabot in #2127
- 🌱 Bump cloud.google.com/go/bigquery from 1.36.0 to 1.37.0 by @dependabot in #2126
- 🌱 Bump nick-invision/retry from 2.8.0 to 2.8.1 by @dependabot in #2130
- 🌱 github actions cleanup and set to get the latest go available by @cpanato in #2135
- 🌱 Limit access to registered checks by @spencerschrock in #2134
- ✨ support for SLSA provenance in Signed-Release by @laurentsimon in #2131
- ✨ Feature: Improve Dependabot detection through PRs by @qequ in #2125
- ✨ Support OneFuzz in fuzzing checks by @balteravishay in #2141
- 🐛 Fix bug 2051 by @varunsh-coder in #2140
- 🌱 Bump actions/cache from 3.0.6 to 3.0.7 by @dependabot in #2139
- ✨ Favor SLSA provenance over plain signature in Signed-Release by @laurentsimon in #2144
- 🌱 Bump step-security/harden-runner from 1.4.4 to 1.4.5 by @dependabot in #2148
- ✨ Scorecard returns a non-zero exit code if any check has a runtime error by @spencerschrock in #2133
- 🌱 Bump cloud.google.com/go/bigquery from 1.37.0 to 1.38.0 by @dependabot in #2149
- 🐛 Add scorecard-action to the security-events allowlist in Token Permissions check by @spencerschrock in #2153
- 🐛 Remove duplicate projects with different casings by @azeemshaikh38 in #2155
- 🐛 Detect recently created Github repositories by @raghavkaul in #2151
- ✨ Unflag the
--commit
option by @azeemshaikh38 in #2156 - Use generic generator for SLSA by @laurentsimon in #2146
- 🌱 Upgrade to go 1.18 by @naveensrinivasan in #2143
- 🌱 Bump sigstore/cosign-installer from 2.5.0 to 2.5.1 by @dependabot in #2167
- 🐛 Fix remediation text when Scorecard is run multiple times within a program by @spencerschrock in #2168
- 🌱 Update scorecard-action to v2:alpha by @azeemshaikh38 in #2171
- ✨ Use sha256 for release hashes by @laurentsimon in #2172
New Contributors
- @qequ made their first contribution in #2125
- @balteravishay made their first contribution in #2141
Full Changelog: v4.5.0...v4.6.0
v4.5.0
Changelog
- 69eb1cc Fix a bug in cron API data exporting (#2112)
- 89163cc 🌱 Bump google.golang.org/protobuf from 1.28.0 to 1.28.1
- 6813ed1 🌱 Bump google.golang.org/protobuf in /tools (#2110)
- 1e0e44a 🐛 Bug fixing: recurring results of the scorecard fuzzing check for go built-in fuzzers (#2101)
- 8118e5d 🌱 Bump golang.org/x/tools from 0.1.11 to 0.1.12
- 384c79d 🌱 Bump actions/stale from 5.1.0 to 5.1.1 (#2106)
- 5fa7596 Scorecard runs fail with any unrecognized steps (#2103)
- d7cb711 Fix bug in Scorecard analysis CI (#2099)
- c581062 Enable Scorecard badge (#2097)
- 4f30e02 🌱 Bump sigstore/cosign-installer from 2.4.1 to 2.5.0
- baedf84 🌱 Bump imjasonh/setup-ko from 0.4 to 0.5 (#2096)
- 93a0206 📖 Minor typos and copy-editing to checks/write.md (#2071)
- 66708ba ✨ Feature: Dependency-diff ecosystem naming convention mapping (GitHub -> OSV) (#2088)
- 8f96d6b 🌱 Bump crazy-max/ghaction-import-gpg from 5.0.0 to 5.1.0 (#2091)
- d77f59f 🌱 Bump sigstore/cosign-installer from 1.2.1 to 2.4.1 (#2021)
- b945eb3 🌱 Bump cloud.google.com/go/bigquery from 1.35.0 to 1.36.0
- 96835aa 🌱 Bump actions/stale from 5.0.0 to 5.1.0
- 1e3f325 🌱 Bump cloud.google.com/go/pubsub from 1.23.1 to 1.24.0
- e23ee84 ✨ Export Scorecards results for API (#2081)
- 30e3f64 ✨ Feature: Dependency-diff API optimize: var re-naming, removing unused JSON tags (#2090)
- 0e4f5db remove not used workflow (#2089)
- 7737dbd 🌱 Bump github.com/google/go-containerregistry
- c15a2e6 🌱 Bump github.com/onsi/gomega from 1.19.0 to 1.20.0
- 7c91203 🌱 Naveen Company updated. (#2082)
- 096cbd0 ✨ Use crane to add hash suggestion to unpinned Docker images (#2037)
- a905d66 fix: invalid documentation link (#2073)
- 4bd1692 🐛 Bug fixing: Using the wrong URI to initialize the repo in Dependencydiff (#2072)
- 10681da ✨ Feature DependencyDiff (Version 0 Part 2) (#2046)
- dd8fbc0 ✨ Binary artifact exception for gradle-wrapper.jar when using validation action (#2039)
- f1b182a 🌱 Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 (#1998)
- 4394ac9 🌱 Bump github.com/bradleyfalzon/ghinstallation/v2
- 59c06f0 🌱 Bump ossf/scorecard-action from 1.1.0 to 1.1.2
- a3de23c 🌱 Bump github.com/google/go-containerregistry (#2003)
- 7c9bb1c 🌱 Bump distroless/base from
d65ac1a
toe672eb7
(#1994) - 838f62f ✨ Add raw results for Token-Permissions (#1912)
- 2b8c7b4 🌱 Bump github.com/jszwec/csvutil from 1.7.0 to 1.7.1 (#2013)
- e1c3ab0 🌱 Bump cloud.google.com/go/bigquery from 1.34.1 to 1.35.0 (#2034)
- 4ff5b2b 🌱 Bump actions/cache from 3.0.4 to 3.0.5 (#2049)
- 287ee7d 🌱 Bump actions/dependency-review-action from 2.0.2 to 2.0.4 (#2054)
- f61ed37 🌱 Adjust 'exhaustive' linter to consider 'default' as exhaustive (#2044)
- 5d9d75b 🌱 Bump gopkg.in/yaml.v3 from 3.0.0 to 3.0.1 (#2035)
- 6b8cfb2 🌱 Bump golang.org/x/tools from 0.1.10 to 0.1.11 (#1993)
- 220c49d 🌱 Bump actions/setup-go from 3.2.0 to 3.2.1 (#2040)
- 63e40ae Add a number of new projects to scan. (#2043)
- 0af8781 1 (#2031)
- dd780a5 ✨ Feature DependencyDiff CLI (Version 0 Part 1) (#2030)
- e608741 🌱 Bump step-security/harden-runner from 1.4.3 to 1.4.4
- 90ed090 🌱 Build/test fixes: Install protoc and protoc-gen-go (#2038)
- 9fecf63 🌱 Bump github.com/rhysd/actionlint from 1.6.13 to 1.6.15 (#2012)
- 48291a3 Use the proper repo for lombok. (#2029)
- f3e21fa 🌱 Bump actions/cache from 3.0.3 to 3.0.4 (#1988)
- f1dfbcb 🌱 Bump actions/dependency-review-action from 1.0.2 to 2.0.2
- 6a84f97 🌱 Bump cloud.google.com/go/bigquery from 1.32.0 to 1.34.1 (#2006)
- bc12ba6 🌱 Workaround for Protoc failures in GH Actions (#2025)
- 3430f78 small fixes (#2015)
- e7faa8f Fix broken link (#2004)
- 445d7ba Fix bug in
docker run scorecard version
(#1991) - 2fb4093 🌱 Bump cloud.google.com/go/pubsub from 1.21.1 to 1.23.1 (#2014)
- 3957460 update (#2011)
- 6a032a3 ✨ Check for Mach-O binaries in Binary Artifacts (#2000)
Thanks for all contributors!
v4.4.0
What's Changed
- 🌱 Bump github.com/caarlos0/env/v6 from 6.9.2 to 6.9.3 by @dependabot in #1973
- 🌱 Bump actions/cache from 3.0.2 to 3.0.3 by @dependabot in #1974
- 🌱 Signing scorecard images using cosign by @naveensrinivasan in #1970
- 🌱 Included Stargazers over time by @naveensrinivasan in #1971
- 🌱 Replace
clients.Contributor
withclients.User
by @azeemshaikh38 in #1957 - ✨ Raw results for Packaging check by @laurentsimon in #1913
- ✨ Silence scorecard warning by @laurentsimon in #1977
- ✨ Raw results for Pinned-Dependencies by @laurentsimon in #1932
- 📖 Fix cron related documentation by @lehors in #1986
- ✨ SLSA provenance/build by @laurentsimon in #1702
- ✨ Support user-defined fuzz functions (GoLang) in fuzzing check by @aidenwang9867 in #1979
- ✨ Add Language struct and optimize result parsing for GHClient.ListProgrammingLanguages by @aidenwang9867 in #1992
Full Changelog: v4.3.1...v4.4.0