Releases: ossf/scorecard-action
v2.4.1
What's Changed
- This update bumps the Scorecard version to the v5.1.1 release. For a complete list of changes, please refer to the v5.1.0 and v5.1.1 release notes.
- Publishing results now uses half the API quota it did before. The exact savings depend on the repository in question.
- use Scorecard library entrypoint instead of Cobra hooking by @spencerschrock in #1423
- Some errors were made into annotations to make them more visible
- There is now an optional file_mode input which controls how repository files are fetched from GitHub. The default is archive, but git produces the most accurate results for repositories with .gitattributes files at the cost of analysis speed.
- add input for specifying --file-mode by @spencerschrock in #1509
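The following workflow is an added example, not code from these release notes or from the ossf/scorecard-action project itself. It shows where the new file_mode input goes in a job that uploads SARIF to code scanning. Only file_mode and publish_results are named on this page; the results_file and results_format inputs, the id-token permission, and the checkout and upload-sarif steps are assumed from the action's README, and the tag version is an assumed pin.

```yaml
# Added example (assumed layout, not the project's own workflow file).
name: Scorecard analysis
on:
  schedule:
    - cron: '30 1 * * 6'
  push:
    branches: [ main ]

# Least privilege by default; the job grants only what it needs.
permissions: read-all

jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # upload SARIF results to code scanning
      id-token: write          # required when publish_results is true (assumed from README)
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config

      # Prefer pinning to a full commit SHA in production; the tag is used here for readability.
      - uses: ossf/scorecard-action@v2.4.1
        with:
          results_file: results.sarif    # assumed input name
          results_format: sarif          # assumed input name
          # "archive" (default) is faster; "git" clones the repository so that
          # .gitattributes rules are honored, at the cost of analysis time.
          file_mode: git
          publish_results: true

      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Leave file_mode unset unless the repository relies on .gitattributes (for example export-ignore or linguist rules) and you have seen a difference in check results; the archive mode keeps the run short and uses less of the API quota.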
- The underlying container for the action is now hosted on GitHub Container Registry. There should be no functional changes.
- 🌱 publish docker images to GitHub Container Registry by @spencerschrock in #1453
Docs
- Installation docs update by @JeremiahAHoward in #1416
New Contributors
- @JeremiahAHoward made their first contribution in #1416
- @jsoref made their first contribution in #1459
Full Changelog: v2.4.0...v2.4.1
v2.4.0
What's Changed
This update bumps the Scorecard version to the v5 release. For a complete list of changes, please refer to the v5.0.0 release notes. Of special note to Scorecard Action is the Maintainer Annotation feature, which can be used to suppress some Code Scanning false positives. Alerts will not be generated for any Scorecard Check with an annotation.
- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0 by @spencerschrock in #1410
- 🐛 lower license sarif alert threshold to 9 by @spencerschrock in #1411
Documentation
- docs: dogfooding badge by @jkowalleck in #1399
New Contributors
- @jkowalleck made their first contribution in #1399
Full Changelog: v2.3.3...v2.4.0
v2.3.3
Note
There is no v2.3.2 release, as a step was skipped in the release process. This was fixed and re-released under the v2.3.3 tag.
What's Changed
- 🌱 Bump github.com/ossf/scorecard/v4 (v4.13.1) to github.com/ossf/scorecard/v5 (v5.0.0-rc1) by @spencerschrock in #1366
- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc1 to v5.0.0-rc2 by @spencerschrock in #1374
- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0-rc2.0.20240509182734-7ce860946928 by @spencerschrock in #1377
For a full changelist of what these include, see the v5.0.0-rc1 and v5.0.0-rc2 release notes.
Documentation
- 📖 Move token discussion out of main README. by @spencerschrock in #1279
- 📖 link to ossf/scorecard workflow instead of maintaining an example by @spencerschrock in #1352
- 📖 update api links to new scorecard.dev site by @spencerschrock in #1376
Full Changelog: v2.3.1...v2.3.3
v2.3.1
What's Changed
- 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1 by @spencerschrock in #1282
- Adds additional Fuzzing detection and fixes a SAST bug related to detecting CodeQL. For a full changelist of what this includes, see the v4.13.1 release notes.
Full Changelog: v2.3.0...v2.3.1
v2.3.0
What's Changed
- 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by @spencerschrock in #1270
- ✨ Send rekor tlog index to webapp when publishing results by @spencerschrock in #1169
- 🐛 Prevent url clipping for GHES instances by @rajbos in #1225
Documentation
- 📖 Update access rights needed to see the results in code scanning by @rajbos in #1229
- 📖 Add package comments. by @spencerschrock in #1221
- 📖 Add SECURITY.md file by @david-a-wheeler in #1250
- 📖 Fix typo in token input docs by @aabouzaid in #1258
New Contributors
- @david-a-wheeler made their first contribution in #1250
- @aabouzaid made their first contribution in #1258
Full Changelog: v2.2.0...v2.3.0
v2.2.0
What's Changed
- 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0 by @spencerschrock in #1192
Scorecard Result Viewer
Thanks to contributions from @cynthia-sg and @tegioz at CLOMonitor, there is a new Scorecard Result visualization page at https://securityscorecards.dev/viewer/?uri=<project-url>.
As an example, you can see our own score visualized here.
Check out our README to learn how to link your README badge to the new visualization page.
Publishing Results
This release contains two fixes which will improve the user experience when publish_results is true:
- Runs that fail our workflow restrictions will fail with a 400 response indicating the problem, instead of a vague 500 status. (#1156, resolved #1150)
- Scorecard action will retry when signing results and submitting them to our web API. This should help with flakiness from connection failures. (#1191)
Docs
- 📖 Update README to accept fine-grained tokens by @pnacht in #1175
- 📖 Update installation instructions to match current GitHub UI by @joycebrum in #1153
- 📖 Document the GitHub action workflow restrictions when publishing results. by @spencerschrock in
New Contributors
- @bobcallaway made their first contribution in #1140
- @pnacht made their first contribution in #1175
Full Changelog: v2.1.3...v2.2.0
v2.1.3
What's Changed
- 🌱 Bump github.com/ossf/scorecard/v4 from 4.10.2 to 4.10.5 by @spencerschrock in #1111
Bug Fixes
- Invalid SARIF files from a bug in scorecard
- Vulnerabilities check crashes if a vulnerable dependency is found via OSVScanner
- Scorecard action not reporting binary artifacts in the repo
Full Scorecard Changelog: ossf/scorecard@v4.10.2...v4.10.5
Full Changelog: v2.1.2...v2.1.3
v2.1.2
What's Changed
Fixes
- 🌱 Bump scorecard dependency to v4.10.2 to remove a CODEOWNERS printf statement. by @spencerschrock in #1054
Full Changelog: v2.1.1...v2.1.2
v2.1.1
v2.1.0
What's Changed
Scorecard version
This release uses scorecard v4.10.0.
Improvements
- Docker build workflow by @naveensrinivasan in #981
- Use root user in distroless to support GitHub Actions by @spencerschrock in #994
- Disable pull_request_target by @laurentsimon in #1031
Documentation
- Add PAT section explaining risks by @olivekl in #1024
- Make the badge text easier to copy by @rajbos in #1026
New Contributors
- @joycebrum made their first contribution in #984
- @rajbos made their first contribution in #1026
Full Changelog: v2.0.6...v2.1.0