Skip to content

Releases: ossf/scorecard

v4.10.2

21 Dec 21:53
376f465
Compare
Choose a tag to compare

What's Changed

Bug fixes

New Contributors

Full Changelog: v4.10.1...v4.10.2

v4.10.1

18 Dec 16:08
v4.10.1
6c5d964
Compare
Choose a tag to compare

Changelog

  • 6c5d964 🐛 Fix broken go mod download check (#2550)
  • a71b47e ✨ Add support for RequiresLastPushReview in Branch Protection for GitHub (#2492)
  • 746b6e9 🐛 Ensure CODEOWNERS file exists for corresponding Branch-Protection check (#2463)

Thanks for all contributors!

v4.9.1

18 Dec 16:06
v4.9.1
6c5d964
Compare
Choose a tag to compare

Changelog

  • 6c5d964 🐛 Fix broken go mod download check (#2550)
  • a71b47e ✨ Add support for RequiresLastPushReview in Branch Protection for GitHub (#2492)
  • 746b6e9 🐛 Ensure CODEOWNERS file exists for corresponding Branch-Protection check (#2463)

Thanks for all contributors!

v4.10.0

13 Dec 23:40
93ef087
Compare
Choose a tag to compare

What's Changed

Check improvements

Cron improvements

CLI

Documentation

  • 📖 Use scorecard (singular) consistently by @lehors in #2428
  • 📖 Use new project name in Copyright notices by @lehors in #2505
  • 📖 Fix copyright notices by @lehors in #2514
  • 📖 Mention 2FA relevance although not checked by Scorecard by @joycebrum in #2528
  • 📖 Clarify CII-Best-Practices score for each badge by @hugovk in #2313

BinAuthZ support (WIP)

GitLab support (WIP)

New Contributors

Full Changelog: v4.8.0...v4.10.0

v4.9.0

13 Dec 22:37
20cc4ee
Compare
Choose a tag to compare
v4.9.0 Pre-release
Pre-release

What's Changed

Check improvements

Cron improvements

CLI

Documentation

  • 📖 Use scorecard (singular) consistently by @lehors in #2428
  • 📖 Use new project name in Copyright notices by @lehors in #2505
  • 📖 Fix copyright notices by @lehors in #2514
  • 📖 Mention 2FA relevance although not checked by Scorecard by @joycebrum in #2528
  • 📖 Clarify CII-Best-Practices score for each badge by @hugovk in #2313

BinAuthZ support (WIP)

GitLab support (WIP)

New Contributors

Full Changelog: v4.8.0...v4.9.0

v4.8.0

17 Oct 18:37
v4.8.0
c408592
Compare
Choose a tag to compare

Changelog

  • c408592 Adjusted to max score with warning if job content are set to write (#2355)
  • 78c7e83 🌱 Bump golang.org/x/text from 0.3.7 to 0.3.8 (#2358)
  • b12b093 README formatting fix (#2356)
  • 36d6a34 Note that LGTM service is deprecated. (#2339)
  • 7f214bf 🌱 Bump actions/dependency-review-action from 2.4.0 to 2.4.1 (#2345)
  • 3eab4dd 📖 Clarifications about the pinned dependencies check (#2319)
  • 9b9006e Return unknown commit SHA for local repos. (#2342)
  • 83db8ba 🌱 Bump github/codeql-action from 2.1.26 to 2.1.27 (#2336)
  • 2b8ced3 🌱 Fixup: list GitHub check runs of MergeRequest.HeadSHA instead of Commit.SHA (#2333)
  • 53e9246 🌱 Migrate to go 1.19 (#2332)
  • 4e85d07 🌱 Bump github.com/goreleaser/goreleaser in /tools
  • 7992368 Remove line continuations in all run steps. (#2335)
  • 4b99a3a 📖 Create the Frequently Asked Questions Document (#2327)
  • ae75d43 🌱 Bump github.com/golangci/golangci-lint in /tools (#2331)
  • b4d97f9 🌱 Bump actions/checkout from 3.0.2 to 3.1.0 (#2324)
  • 2c16c8f 🌱 Bump actions/cache from 3.0.8 to 3.0.10 (#2322)
  • b491f40 🌱 Bump github/codeql-action from 2.1.24 to 2.1.26
  • 9b4a675 🌱 Bump step-security/harden-runner from 1.4.5 to 1.5.0 (#2316)
  • 29893ae 🌱 Split CI-Tests check into a raw and evaluation section (#2291)
  • 347c2a8 Add tests for getBucketSummary. (#2310)
  • ac55bf4 🐛 Prevent partial cron transfers caused by controller failures (#2308)
  • 01b69d2 Fix scoring issue with Code Review check (#2292)
  • 4693747 🌱 Bump sigstore/cosign-installer from 2.6.0 to 2.7.0 (#2300)
  • 37d873d 🌱 Bump actions/dependency-review-action from 2.2.0 to 2.4.0
  • d4b44e5 🌱 Remove check-osv (#2303)
  • c3a7921 fix arg typo (#2304)
  • a694cc9 Fix k8s yaml errors and document how to prevent them. (#2298)

Thanks for all contributors!

v4.7.0

26 Sep 16:29
v4.7.0
7cd6406
Compare
Choose a tag to compare

Changelog

  • 7cd6406 Reduce build target radius (#2293)
  • a7a503a 🌱 cron: pass config as an argument to binaries (4/n) (#2279)
  • 97df43b 🌱 Reduce the number of PR's opened by dependabot (#2297)
  • 88e5ff7 Improve API limiting and cache (#2294)
  • f017e2e Fix typo which was causing index out of range panics (#2284)
  • 08c2ee5 Modify tool installation (#2288)
  • 0f87094 ✨ Gitlab support (#2265)
  • a6983ed Fix failing linters (#2281)
  • 7c24934 🌱 Fix cosign vulnerability (#2283)
  • a298132 🌱 Bump actions/dependency-review-action from 2.1.0 to 2.2.0 (#2282)
  • 9a9a1cb 🐛 Add fix for issue2277 (#2278)
  • d75dea8 🌱 Feature: Group commits into changesets (#2260)
  • 3629fd8 🌱 Bump github/codeql-action from 2.1.22 to 2.1.24
  • 9f67c4e 🌱 Invite @spencerschrock as maintainer (#2269)
  • 482a59e 🌱 Tests: Fix data race failures (#2262)
  • 2231d1f 🌱 cron: make CSV header optional (3/n) (#2261)
  • bde0ae1 🌱 cron: generalize config and create optional values for scorecard and criticality (2/n) (#2254)
  • 9e269b8 🌱 Feature: Add scorecard attestation policy module (#2240)
  • d6bef98 Wrap check errors with distinct error for scorecard-action to ignore. (#2250)
  • 856d2dd 🌱 Bump sigstore/cosign-installer from 2.5.1 to 2.6.0 (#2253)
  • d76ff0d ✨ setup-python not required by pypa/gh-action-pypi-publish (#2206)
  • 11657e4 📖 Remove trailing whitespace (#2241)
  • da785a2 Rename CII->OpenSSF Best Practices badge (#2239)
  • c665f27 🌱 cron: allow controller to read CSVs from cloud storage (1/n) (#2235)
  • 7c66ae8 🌱 Bump imjasonh/setup-ko from 0.5 to 0.6 (#2231)
  • ec15af5 🌱 Bump github/codeql-action from 2.1.21 to 2.1.22 (#2227)
  • dac68a4 🌱 Bump github.com/onsi/gomega from 1.20.1 to 1.20.2 (#2225)
  • bc5a1d6 Enable SAST check in cron by default (#2223)
  • f345807 Detect pyup as an automated dependency update tool (#2226)
  • d13ba3f 📖 Update instructions and other fixes in README (#2212)
  • 7a2c403 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.4 to 2.1.6 (#2220)
  • 3337b6c 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.4 to 2.1.6 in /tools (#2221)
  • 758cc39 Add k8s README (#2219)
  • 5ac9f39 🌱 Fix for empty repository (#2207)
  • 33ab335 🌱 Bump github.com/onsi/gomega from 1.20.0 to 1.20.1
  • 621449f ✨ Add CODEOWNERS branch protection check (#2057)
  • 6fc08e7 Allow contents: write for Token-Permissions when doing mvn release (#2202)
  • a8e9050 ✨ Optimize SAST check (#2191)
  • 11ff78e Deduplicate projects by excluding URL fragments (#2201)
  • b40efd2 🌱 Bump cloud.google.com/go/bigquery from 1.38.0 to 1.39.0
  • 9460030 Make the Scalable Scorecards document public. (#2199)
  • fb630a8 🌱 Bump github/codeql-action from 2.1.20 to 2.1.21 (#2200)
  • 64daafb 🌱 Bump cloud.google.com/go/pubsub from 1.24.0 to 1.25.1 (#2197)
  • 32d6ba2 🌱 Bump actions/setup-go from 3.2.1 to 3.3.0 (#2194)
  • 8b3793a 🌱 Bump github/codeql-action from 2.1.19 to 2.1.20 (#2187)
  • 86aa297 🌱 Bump github.com/caarlos0/env/v6 from 6.9.3 to 6.10.0 (#2188)
  • e2813b8 🌱 Bump actions/cache from 3.0.7 to 3.0.8 (#2184)
  • a4d2c01 🌱 Bump distroless/base from 49d2923 to 533c15e (#2185)
  • af2ee3d 🌱 Bump github/codeql-action from 1.0.0 to 2.1.19 (#2178)
  • 77fa781 Check for security polices in RST format at toplevel and .github as well. (#2180)
  • 2920b32 ✨ Improved license check (#2179)
  • 25fd14d 🌱 Bump actions/dependency-review-action from 2.0.4 to 2.1.0 (#2176)
  • 4a15760 Don't error on workflow parse failure in Binary-Artifacts (#2170)

Thanks for all contributors!

v4.6.0

18 Aug 22:10
2cbf5af
Compare
Choose a tag to compare

What's Changed

New Contributors

Full Changelog: v4.5.0...v4.6.0

v4.5.0

02 Aug 19:18
v4.5.0
69eb1cc
Compare
Choose a tag to compare

Changelog

  • 69eb1cc Fix a bug in cron API data exporting (#2112)
  • 89163cc 🌱 Bump google.golang.org/protobuf from 1.28.0 to 1.28.1
  • 6813ed1 🌱 Bump google.golang.org/protobuf in /tools (#2110)
  • 1e0e44a 🐛 Bug fixing: recurring results of the scorecard fuzzing check for go built-in fuzzers (#2101)
  • 8118e5d 🌱 Bump golang.org/x/tools from 0.1.11 to 0.1.12
  • 384c79d 🌱 Bump actions/stale from 5.1.0 to 5.1.1 (#2106)
  • 5fa7596 Scorecard runs fail with any unrecognized steps (#2103)
  • d7cb711 Fix bug in Scorecard analysis CI (#2099)
  • c581062 Enable Scorecard badge (#2097)
  • 4f30e02 🌱 Bump sigstore/cosign-installer from 2.4.1 to 2.5.0
  • baedf84 🌱 Bump imjasonh/setup-ko from 0.4 to 0.5 (#2096)
  • 93a0206 📖 Minor typos and copy-editing to checks/write.md (#2071)
  • 66708ba ✨ Feature: Dependency-diff ecosystem naming convention mapping (GitHub -> OSV) (#2088)
  • 8f96d6b 🌱 Bump crazy-max/ghaction-import-gpg from 5.0.0 to 5.1.0 (#2091)
  • d77f59f 🌱 Bump sigstore/cosign-installer from 1.2.1 to 2.4.1 (#2021)
  • b945eb3 🌱 Bump cloud.google.com/go/bigquery from 1.35.0 to 1.36.0
  • 96835aa 🌱 Bump actions/stale from 5.0.0 to 5.1.0
  • 1e3f325 🌱 Bump cloud.google.com/go/pubsub from 1.23.1 to 1.24.0
  • e23ee84 ✨ Export Scorecards results for API (#2081)
  • 30e3f64 ✨ Feature: Dependency-diff API optimize: var re-naming, removing unused JSON tags (#2090)
  • 0e4f5db remove not used workflow (#2089)
  • 7737dbd 🌱 Bump github.com/google/go-containerregistry
  • c15a2e6 🌱 Bump github.com/onsi/gomega from 1.19.0 to 1.20.0
  • 7c91203 🌱 Naveen Company updated. (#2082)
  • 096cbd0 ✨ Use crane to add hash suggestion to unpinned Docker images (#2037)
  • a905d66 fix: invalid documentation link (#2073)
  • 4bd1692 🐛 Bug fixing: Using the wrong URI to initialize the repo in Dependencydiff (#2072)
  • 10681da ✨ Feature DependencyDiff (Version 0 Part 2) (#2046)
  • dd8fbc0 ✨ Binary artifact exception for gradle-wrapper.jar when using validation action (#2039)
  • f1b182a 🌱 Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 (#1998)
  • 4394ac9 🌱 Bump github.com/bradleyfalzon/ghinstallation/v2
  • 59c06f0 🌱 Bump ossf/scorecard-action from 1.1.0 to 1.1.2
  • a3de23c 🌱 Bump github.com/google/go-containerregistry (#2003)
  • 7c9bb1c 🌱 Bump distroless/base from d65ac1a to e672eb7 (#1994)
  • 838f62f ✨ Add raw results for Token-Permissions (#1912)
  • 2b8c7b4 🌱 Bump github.com/jszwec/csvutil from 1.7.0 to 1.7.1 (#2013)
  • e1c3ab0 🌱 Bump cloud.google.com/go/bigquery from 1.34.1 to 1.35.0 (#2034)
  • 4ff5b2b 🌱 Bump actions/cache from 3.0.4 to 3.0.5 (#2049)
  • 287ee7d 🌱 Bump actions/dependency-review-action from 2.0.2 to 2.0.4 (#2054)
  • f61ed37 🌱 Adjust 'exhaustive' linter to consider 'default' as exhaustive (#2044)
  • 5d9d75b 🌱 Bump gopkg.in/yaml.v3 from 3.0.0 to 3.0.1 (#2035)
  • 6b8cfb2 🌱 Bump golang.org/x/tools from 0.1.10 to 0.1.11 (#1993)
  • 220c49d 🌱 Bump actions/setup-go from 3.2.0 to 3.2.1 (#2040)
  • 63e40ae Add a number of new projects to scan. (#2043)
  • 0af8781 1 (#2031)
  • dd780a5 ✨ Feature DependencyDiff CLI (Version 0 Part 1) (#2030)
  • e608741 🌱 Bump step-security/harden-runner from 1.4.3 to 1.4.4
  • 90ed090 🌱 Build/test fixes: Install protoc and protoc-gen-go (#2038)
  • 9fecf63 🌱 Bump github.com/rhysd/actionlint from 1.6.13 to 1.6.15 (#2012)
  • 48291a3 Use the proper repo for lombok. (#2029)
  • f3e21fa 🌱 Bump actions/cache from 3.0.3 to 3.0.4 (#1988)
  • f1dfbcb 🌱 Bump actions/dependency-review-action from 1.0.2 to 2.0.2
  • 6a84f97 🌱 Bump cloud.google.com/go/bigquery from 1.32.0 to 1.34.1 (#2006)
  • bc12ba6 🌱 Workaround for Protoc failures in GH Actions (#2025)
  • 3430f78 small fixes (#2015)
  • e7faa8f Fix broken link (#2004)
  • 445d7ba Fix bug in docker run scorecard version (#1991)
  • 2fb4093 🌱 Bump cloud.google.com/go/pubsub from 1.21.1 to 1.23.1 (#2014)
  • 3957460 update (#2011)
  • 6a032a3 ✨ Check for Mach-O binaries in Binary Artifacts (#2000)

Thanks for all contributors!

v4.4.0

13 Jun 18:27
e42af75
Compare
Choose a tag to compare

What's Changed

Full Changelog: v4.3.1...v4.4.0