Releases: ossf/scorecard

v2.2.8

27 Sep 20:19
3cbe7b2

Changelog

3cbe7b2 Consistent -ldflags across go build (#1070)
06c14a6 Minor fixes to README.md (#1066)
6b9010e changes (#1062)
2c16597 Fix GitVersion in cron job (#1065)
1d3f3e3 gpg-private-key in goreleaser (#1064)
9df865c Regenerate docs/checks.md (#1061)
42e2b98 🌱 Bump actions/github-script from 4.1.0 to 4.1.1
0074111 Fix CodeReview bug (#1058)
fb77e42 ✨ Per-check score threshold for SARIF (#1057)
0686ed2 🐛 Fix invalid code review (#1055)
aa93ac2 Modify the text to acknowledge GitHub != universe (#1037)
5655cbb ✨ Add aggregate score to cron JSON (#1050)
b9daae1 🐛 Update message for Code-Review (#1054)
91eb41e 🌱 Check for OSV for a go.mod changes (#1053)
075cf0c 150k+ repos and num_dependents_deps.dev metadata (#1052)
5d6a7cd ✨ Add policy file (#1002)
90332a9 🌱 Add counting of shell parsing errors (#1026)
44dd10d 📖 Olivekl patch 1 (#1039)
d4caef0 🌱 Fix GO-2020-0020 (#1047)
14dc32f Enforce non-concurrent token usage (#1048)
5fb87cb 🌱 Bump golang.org/x/tools from 0.1.5 to 0.1.6 (#1041)
39bd00c ✨ Add aggregated score (#1046)
fd6e58d 🌱 Fixes GO-2020-0017 OSV (#1045)
51e11e6 🌱 Fix GO-2021-0089 vulnerability
bc5d7a8 📖 Improve text on Packaging (#1035)
ea77ab7 fix prev PR (#1033)
45fb779 📖 Improve explanation about multiple reviewers (and their lack) (#1017)
34b97e3 ✨ Update k8's transfer releasetest-v2 (#1023)
e1a6e7d 📖 Fixed the docs for dependabot
9e81b5f 📖 Fixed the dependabot check message
30cae86 📖 Warn when checks are prone to false negatives (#1019)
1e4f723 🌱 Fixes permission for main.yml action
8b7da7c 📖 Improve rationale for Binary-Artifacts (#1016)
646b339 Explain that active maintenance isn't always needed (#1013)
6868fe6 Note that pinning is a way to mitigate dependency confusion (#1012)
6fb92a3 add version for cron (#1011)
afb01f4 Fix CII Best Practices badge info (#1010)
aa2ed45 📖 Docs: Pinned dependency doc 2 (#1004)
6178207 ✨ Update cron's JSON format (#1001)
b6cd4cf Fix CONTRIBUTING.md for doc updates 📖 (#1007)
a5a6a30 README.md: Add hyperlinks to docs/checks.md (#1008)
b0fab3f code (#1006)
4c4fb61 🌱 Bump cloud.google.com/go/pubsub from 1.16.0 to 1.17.0 (#992)
0590b03 ✨ change message to make it easier for user (#1003)
ba53081 Tweak "pinned dependency" discussion (#999)
cc044ca 🌱 Bump go.uber.org/zap from 1.19.0 to 1.19.1 (#993)
bc37c74 Remove Owner/Repo strings from CheckRequest (#997)
e730e91 sce.Create -> sce.WithMessage for wrapcheck (#995)
1cb8c06 Bug in Makefile generate-docs (#996)
d6174db semantic version (#991)
af24ed4 🌱 Included codeql check for GitHub Actions (#988)
870db56 Cleanup documentation code (#981)
1da121d ✨ Give low importance to github-owned actions (#802) (#906)
576447a 🌱 Fix the jwt finding
924d4d5 📖 Update README.md (#976)
2b15b13 🌱 Moving tools dependencies to separate go.mod
1c7ba79 🐛 Github workflow steps run on Windows should default to pwsh as its shell (#877)
a3d63bf 🌱 Updated actions permission for codeql (#964)
942c4cf 🌱 Bump crazy-max/ghaction-import-gpg from 3.2.0 to 4 (#971)
0aa4305 🌱 Bump github.com/golangci/golangci-lint from 1.42.0 to 1.42.1 (#973)
5476b87 ✨ Removed unnecessary linters (#969)
f220924 🌱 Bump distroless/base in /cron/worker
29b7bd3 Parsing GitHub Workflows should only happen on yaml files
2ae8910 📖 Fixed the deadlink to the documentation (#963)
fda87a4 Fixed typo reepo to repo
f55b86d 🌱 Bump peter-evans/slash-command-dispatch from 2.2.1 to 2.3.0 (#955)
e30d9e5 🌱 Bump gocloud.dev from 0.23.0 to 0.24.0 (#956)
b847d54 🌱 Bump distroless/base in /cron/controller (#961)
0620758 Updated go get to go install (#953)

v2.2.3

03 Sep 14:51
7b912e8

Changelog

7b912e8 Return DefaultBranch as part of ListBranches (#960)
830c4f5 100k cron job repos (#958)
afe5b40 Make RepoClient as default interface for Scorecard (#951)
1434977 ✨ Upgraded to go 1.17
eceb577 Add and use RepoClient API for ListStatuses (#949)
eb2b3b2 Add RepoClient API for ListCheckRunsForRef (#948)
8f5e742 ✨ Improve JSON format (#934)
b5e4c77 🌱 Bump distroless/base from 19d927c to a74f307 (#945)
992775e 🌱 Bump distroless/base in /cron/webhook (#946)
dcbf752 🌱 Bump cloud.google.com/go/bigquery from 1.21.0 to 1.22.0 (#939)
dcbfb3c Fix syntax bug in CloudBuild YAML (#947)
df2acb4 Add COMMIT_SHA to Scorecard docker image (#944)
d6b6012 Specify fractions instead of percentage (#943)
99b9c91 Use RepoClient API for Packaging check (#940)
bb6e010 ✨ Decouple scorecard json from cron json (#941)
001ba67 🌱 Bump github.com/jszwec/csvutil from 1.5.0 to 1.5.1
d6ba2cd Fix #890 (#938)
e305a94 Use ListReleases API for BranchProtection check (#937)
9a1978a Use RefUpdateRule in BranchProtection check (#936)
d9f5209 Update test utils (#933)
dbb2345 ✨ Add line number to unpinned dependency: GitHub workflow "uses" field (#821)
ee6acdd Syntax bug in k8s file (#931)
915bad8 🌱 Bump distroless/base in /cron/worker
95c2df2 🌱 Bump distroless/base from bc84925 to 19d927c in /cron/bq (#926)
51016ea 🌱 Bump cloud.google.com/go/pubsub from 1.15.0 to 1.16.0 (#904)
c1edcea Use a completion threshold for BQ transfers (#930)
f40fa63 🌱 Included race flag to tests (#921)
d9b4188 🌱 Bump distroless/base in /cron/webhook
5b74c04 🌱 Bump distroless/base in /cron/controller
fe54c51 Only call GitHub APIs when needed (#918)
c9a617b 📖 Expand "Motivation" section (#924)
37696ac Create and use MockRepoClient in unit tests (#922)
50fd921 🌱 Fix the dependabot settings
f2afdba 🌱 Bump actions/setup-go from 2.1.3 to 2.1.4
b93f385 🌱 Bump distroless/base from ccbc79c to 19d927c
788fd33 ✨ Add JSON unit tests (#915)
e083f04 🐛 Fix date cron issue (#914)
d8e49e0 Remove unwanted dependencies (#913)
9eb7929 🐛 Address friction logs' comments (#899)
1c7c1e3 Fix bug in shardNum calculation (#910)
2d65ab4 Remove ErrRepoUnavailable (#908)
b89808f Pin protoc by SHA (#909)
e73f08e Fix nil ptr dereference (#907)
cc30d54 Use arduino/setup-protoc for installing Protoc (#903)
8cf95c4 Use singleton pattern for OSS-Fuzz (#902)
41d0ce3 Replace errors.As with Is (#901)
46a655d Fixes for Branch Protection (#900)
7bc2e00 🌱 Bump peter-evans/find-comment from 1.2.0 to 1.3.0 (#893)
ad134ac ✨ Add hash to results (JSON, SARIF) (#892)
6403eb1 ✨ Transition Packaging, SAST, Security-policy, Signed-releases check to the new structured detail format (#887)
b731f45 ✨ Transition Vulnerabilities, Permissions, CI-Tests, Dependency-Update-Tool, Code-Reviews to structured details (#889)
27c5821 Update README.md (#888)
aea1249 Add ephemeral-storage to cron worker (#885)
276155d ✨ SARIF 4: Add support to output SARIF format (#866)
d1de6cf support v3 (#883)
bb70e15 Remove token-heavy checks from cron job (#882)
77a4160 🌱 Bump github.com/onsi/gomega from 1.15.0 to 1.16.0 (#879)
b7c0d03 Handle GitHub repos with redirects (#876)
42700ee 🌱 Bump actions/github-script from 4.0.2 to 4.1
c73b28f ✨ fix: add github.com as default for owner/repo parameter (#872)
c54d77b 🐛 Only validate shell scripts supported by our parser (#862)
04e8bcf 🌱 Bump cloud.google.com/go/bigquery from 1.20.1 to 1.21.0 (#870)
1c9a255 Update docs to use :stable release (#865)
fa4e8a4 🌱 Bump github.com/golangci/golangci-lint from 1.41.1 to 1.42.0 (#869)
e7d9ec5 🌱 Bump cloud.google.com/go/pubsub from 1.14.0 to 1.15.0 (#858)
63a8fc7 Nil pointer dereference (#864)
cf01ea6 Fix nil pointer dereference bug (#860)
dbdcd4b ✨ SARIF 1: add structured detail (#843)
0a0d292 ✨ SARIF 3: add flag to yaml (#853)
13ef9dd Use RepoClient.Search API in SAST check (#857)
23764f0 ✨ Upload cron results to a table with new format (#830)
b3a3f7e ✨ SARIF 2: add short description to checks.yml (#848)
7233742 🌱 Bump go.uber.org/zap from 1.18.1 to 1.19.0 (#834)
42ee430 Use RepoClient API for Fuzzing (#855)
4c585f2 Fix nil pointer bug (#856)
8baaaa4 Use RepoClient API for Contributors check (#854)
b7ddc9a Update go-github version for consistency (#852)
d4701c4 Delete Signed-Tags check from Scorecard (#851)
29fbdae Enable automated e2e testing and releases (#850)
3f9431d Update SignedReleases to use RepoClient API (#844)
e160d4a 📖 Fixed the typos and rephrased some (#849)
7790d70 Use consistent golang image across Dockerfiles (#847)
cc312f2 ✨ feature: branch protection without admin token (#823)
a10baab 🌱 Bump golang from 5cdc91c to 3c4de86 (#846)
cbc556f Append changelog to new releases (#838)
eeb563b Update SAST and CITest with Repoclient API (#842)
5bcc1fd populate old details (#841)
977c2b8 Log runtime failures in cron job (#840)
20370f7 🐛 Look for organisation default .github security.md files in all the locations they are allowed to be in (#837)
ee8e402 🌱 Bump github.com/google/go-containerregistry (#832)
4fcb0a3 Fix a bug in flag parsing (#836)
0f6cbc1 🌱 Bump cloud.google.com/go/pubsub from 1.13.0 to 1.14.0 (#833)
6cc4135 Remove false log statement (#835)
bbf99ad 🌱 Bump cloud.google.com/go/bigquery from 1.19.0 to 1.20.1 (#820)
0561c15 Post to webhook on successful cron job completion (#829)
bc67dd3 Create a webhook for tagging Docker images (#828)
ce7d4c3 Update BQ query in README.md (#831)
a2e34ed 🌱 Bump crazy-max/ghaction-import-gpg from 3.1.0 to 3.2.0
ef9880c 🌱 Implemented ignore for license check

v2.1.3

09 Aug 19:29
0c55af5

v2.1.2

06 Aug 20:32
7f71928

v2.1.1

02 Aug 17:35
30bb119

v2.1.0

26 Jul 21:44
8128f9f

v2.0.0

29 Jun 17:44
5dd7f11

v1.2.0

17 Mar 22:23
7ff09db

v1.1.1

17 Feb 23:04

Scorecard v1.1.1 release notes

Changes since v1.1.0

  • The scorecard releases are signed with gpg keys 🔑
  • Scorecard adds json response to the http endpoints.
  • This release included scanning of 2000 additional GitHub repositories.
  • The docker image of scorecard is published at GitHub Docker registry.
  • The dependent libraries were upgraded: github.com/spf13/cobra from 1.1.1 to 1.1.2 and from 1.1.2 to 1.1.3.
  • There were improvements to the e2e testing.
  • Minor bug fixes to the existing scans.

Thanks to all our contributors! 😊

v1.1.0

08 Feb 18:30

Changelog

7ab314d Fix - dependabot githubactions location
bcf8d0d Fix - dependabot yaml error
4ad4a42 Feature - enabled dependabot for githubactions
f385b0d Feature - run scans from npm package name
0d77d89 Fix - tarball URL trailing slash
038e3b6 Bump github.com/onsi/gomega from 1.10.4 to 1.10.5
717701b Bump github.com/onsi/ginkgo from 1.14.2 to 1.15.0
8493b0b Add remediation steps for various checks.
93373f7 Fixes - Incorrect result for branch protection
2a1463b Feature - Report codecoverage to codecov.io
09b83b9 Fixes
33e9189 fix - panic on nil
c00aa4b Add e2e tests for remaining checks.
bcaa2e7 Lint fix.
b5096bf Fix backslash.
b278475 Fix CodeQL failure.
5b7ddc5 Add e2e test.
dc8d1fe Add packaging check.
c4c99cd feature - Included the e2e into the PR workflows
91bfea5 feat - Close stale issues
1d26654 Document - Included instruction for GITHUB_AUTH_TOKEN
1700c3a feature - Pull request template (#127)
b11fad8 feature - Included the status badge in README (#125)
7b740ce fix - Handle nil structs in branch protection (#124)
9d4e5c0 feature - CODEOWNERS for github branch protection feature (#123)
fcf0ac4 Merge pull request #119 from naveensrinivasan/feature/protected-branches
3191c55 Update README.md
938b9f2 Merge branch 'main' into feature/protected-branches
b506c6f Merge pull request #122 from ossf/b5
650fe0a Update README.md
3c94ffa Remove releases from active check.
5d84b86 Merge branch 'main' into feature/protected-branches
b86fae0 Fix #121
9ce57c0 feature - Checks for branch protections
15a1ba0 feat - nonroot docker container (#114)
9e0388f Merge pull request #118 from naveensrinivasan/feature/update-readme
c5c51b9 feature - Update the CONTRIBUTING guidelines
b216a1e Feat - implemented goreleaser for releases (#117)
f77da77 feat-e2e tests for signed tags and signed releases (#115)
3df1191 Create Dependabot config file (#116)
ddc82c6 Add --show-details to the cron job. (#113)
329a4cf Merge pull request #109 from moorereason/release-tagname
88d5218 Use release tag name instead of name in log messages
a239820 Merge pull request #108 from moorereason/iss95-ci-tests
39464a5 Refactor CI-Tests to show negative results
7937da4 Merge pull request #103 from naveensrinivasan/fix/golangrun-ci-issue
9b1e28e Merge pull request #106 from ossf/b3
2d348a7 Merge pull request #105 from naveensrinivasan/feat/makefile
91780fd Allow skipping scheme, fix regression.
a56f707 Feat - Implemented Makefile and actions for PR
06f2616 fix - golangci-lint issues
c308663 Merge pull request #102 from naveensrinivasan/fix/shellcheck
3de6a1b fix - shellcheck violations for cron.sh
6549ecc Create codeql-analysis.yml (#101)
f7cb4d7 Merge pull request #100 from naveensrinivasan/fix/http-path
4362368 Tests updated to include validation for parsing
fd3a2a8 fix - URL with trailing slash
6b80b78 Merge pull request #98 from moorereason/iss95
ac55575 Adjust details logging on a few checks
348bedb Show negative results in Signed-Releases details
eb0d488 Show negative results in Signed-Tags details
4ec34e9 Show negative results to Pull-Requests details
1991617 Merge pull request #94 from ossf/b3
7a10bed Improve SAST check.
c5abb92 Merge pull request #91 from ossf/a12
87d6954 Merge pull request #92 from ossf/b1
0bcd8ea Improve fuzzing check.
ab2c9d4 Add support for yarn, composer in frozen deps check.
983e406 Merge pull request #90 from dlorenc/moreprojects
cd16def Add 50 Google projects.