Releases: developer-guy/scorecard
v4.10.4
Changelog
- 1bda2b7 feature: enable verification for provenance
- dfc2439 🌱 Bump github/codeql-action from 2.2.6 to 2.2.7
- 1f3f9ef 🌱 Bump gocloud.dev from 0.26.0 to 0.29.0 (ossf#2722)
- e2715fd ✨ GitLab: Security Policy check (ossf#2754)
- 9831629 Increase recordings, switch API, and lower tolerance (ossf#2760)
Thanks to all contributors!
feature/2747
Initial implementation of go-git client (#2720) Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com>
v3.2.1
Changelog
- 47866ad feat: release homebrew formulae
- be9a623 Update the Risk of dangerous-workflow (ossf#1361)
- 5043cbc CI-Tests: no longer fail if there are no check suites (ossf#1335)
- 1aac7aa ✨ update log msg for non-pinned actions (ossf#1370)
- 063d384 move dir (ossf#1367)
- 023eab6 ✨ Ignore local actions that are not pinned (ossf#1357)
- 38b5199 🐛 Adding line numbers to token-permissions and a couple other places (ossf#1363)
- 1eb4d0e Fix deadlink for security policy
- b323cde 🐛 checks.yml not sync'ed with checks.md (ossf#1360)
- afe55a8 🐛 Disable pinning lock file search in repo (ossf#1315)
- 9f7e682 CI-Check: add SemaphoreCI and Packit-as-a-Service (ossf#1293)
- 84d169b Use updated clients for `local` (ossf#1355)
- aed5116 ✨ Cleanup Branch Protection and add e2e tests (ossf#1344)
- 3eb2e5a license (ossf#1350)
- b8d7a6b make critical (ossf#1348)
- 45b5a35 ✨ Add new checking for license file availability (ossf#1178)
- 8cb4804 ✨ Update action names (ossf#1346)
- c3c017b npm ci only (ossf#1314)
- 938c637 rem audio files (ossf#1300)
- 9ab2b20 Update verify.yml (ossf#1325)
- aa558ff Add parallelism to improve build times (ossf#1342)
- 4d6f2b6 Relax releasetest constraints (ossf#1330)
- 3cf8b2b docs: be more specific about what Dependabot brings with it (ossf#1336)
- ce08025 🌱 Fixed the opencontainer image-spec vuln
- 83ea9bf Fix faulty shell file handling (ossf#1312)
- 2d6bf97 fix (ossf#1331)
- fb3d483 ✨ Only run license check and not everything (ossf#1333)
- 6a7e314 1. Add the check Dangerous-Workflow 2. Fix the typo of rubygems
- f9b9773 🌱 Secure workflow stale.yml (ossf#1326)
- de0cfbe Add a validation step for goreleaser
- a500ba9 fix doc (ossf#1332)
- 736f2e2 ✨ Allow pip install with --require-hashes only (ossf#1313)
- fd67ddf 🌱 update dangerous workflow to use actionlint (ossf#1328)
- 9b600bd Skip pinned dependencies check for template Dockerfiles (ossf#1324)
- 2d8ec84 Get OSes from matrix.include if present (ossf#1323)
- 23b0ddb fix (ossf#1316)
- 67c5e93 fix (ossf#1318)
- fd87314 ✨ Update score for branch protection with levels (ossf#1287)
- 9d29765 Signed-Releases: really look for *.sign files (ossf#1298)
- 730076f 🐛 fix dangerous workflow test and workflow parsing (ossf#1283)
- 10ee2c0 Use `pull_request_target` + protected env for e2e (ossf#1308)
- 6e7e13e 🌱 Fix vulnerabilities in dependencies
- 5025299 Fix issues with CII client (ossf#1309)
- 08a7876 Run `Dangerous-Workflow` in release tests (ossf#1301)
- 89b316c Use blob-based CII client in cron job (ossf#1284)
- 9878c4e Randomize the repos tested during release test (ossf#1299)
- e15e7b1 More nilptr issues (ossf#1296)
- b4e3205 ci: drop trailing whitespaces (ossf#1292)
- 8fae5b1 Fix more nil-ptr dereferences (ossf#1295)
- 0339eea 🌱 Fix integration test runs (ossf#1286)
- 2375ae2 Add a OssFuzzRepoClient (ossf#1280)
- 0b32cc3 Fix broken e2e tests (ossf#1291)
- 0bd5756 Binary-Artifacts: no longer complain about ".bin" files (ossf#1288)
- cc49494 ✨ [Check split]: Binary-Artifacts (ossf#1244)
- 4bd24b8 Including line number: Dockerfile FROM not pinned (ossf#1258)
- 86835fc 🐛 Fix branch protection results (ossf#1252)
- a05ac54 🐛 Fix the reproducible builds (ossf#1282)
- 71e8698 Add a cron job to copy CII badges data (ossf#1278)
- 4502dfb ✨ Reduce false positives in Token-Permissions for contents permission (ossf#1253)
- 63e3b92 fix (ossf#1277)
- 1050b1c ✨ Add dangerous workflow check with untrusted code checkout pattern (ossf#1168)
- 4dde356 Fix nil-ptr dereference (ossf#1269)
- 5950fde 🐛 fix special character in search query to fix fuzzing check (ossf#1241)
- 72e20a0 Add `repoClient.Close` for all e2e tests (ossf#1265)
- 6223b66 Add CIIClient interface (ossf#1262)
- d490455 CI-Test: stop assuming either "statuses" or "check runs" are used (ossf#1259)
- 16cd53d `make install` was not installing to GOPATH
- 51de6b6 Check for issue activity in Maintained (ossf#1251)
- 1775025 🌱 Move from io/ioutil to io and os packages (ossf#1250)
- c8d2a51 Ignore nil values in Branch-Protection check (ossf#1243)
- ab2bb20 Fix nil-ptr access bug (ossf#1248)
- 9dfac39 Fix the way diff is shown (ossf#1249)
- 46611ea Security-Policy: really look for the security policy
- 795505f ✨ Remove isScorecardRepo (ossf#1236)
- 5524c97 SAST: no longer skip "neutral" checks (ossf#1237)
- 6a2fb2e Add LGTM to the SAST check (ossf#1232)
- ae271b4 🐛 Validate doc on pre-submit (ossf#1235)
- 929fd6e deterministic sarif gen (ossf#1233)
- 4fbd0fe Adding Chris as facilitator
- 09b7b3b ✨ Pull request support for GitHub action (ossf#1222)
- 3dc507b Using library to parse github workflows
- f319aca Moving github workflow parsing to its own file
- b3ac52a PR support (ossf#1227)
- 4ee366e 🌱 Move docker build checks to ko (ossf#1214)
- 67f070f remove action (ossf#1223)
- af594d3 spelling (ossf#1219)
- ddd770a 📖 Updated the community links (ossf#1216)
- 2006be1 🐛 Token permission check was failing on non-yaml files
- 6562cc1 🌱 Bump actions/checkout from 2.3.5 to 2.4.0
- 8805ac5 ✨ Add `--local` option to CLI (ossf#1211)
- 59edb12 🐛 Use only olivekl@ in CODEOWNER (ossf#1212)
- 8a83a81 ✨ Validate check.yaml's repo interface support (ossf#1210)
- 257d99e 🌱 Fixed the failing tests
- a6d298a ✨ Use checks.yaml to store which repo types are supported by each check (ossf#1195)
- ff316e1 🐛 Removed the Binary Artifact
- 1cc8601 📖 Included the meeting minutes (ossf#1202)
- d3796f2 ✨ Add ClusterFuzzLite to Fuzzing check. (ossf#1166)
- 69f9774 Store metadata in BigQuery (ossf#1197)
- c751120 🌱 Reproducible builds in goreleaser (ossf#1198)
- a53245a 🐛 Fix broken e2e tests for Binary Artifacts
- 83649a7 Remove `repos` package (ossf#1191)
- 148446b 🌱 Bump distroless/base in /cron/controller (ossf#1192)
- 52ce50c 🌱 Bump distroless/base in /cron/worker (ossf#1193)
- 6467b31 📖 Update CODEOWNERS (ossf#1189)
- ed2ef29 🌱 Bump distroless/base in /cron/webhook (ossf#1177)
- 92dff66 🌱 Bump distroless/base from `56d73a6` to `46d4514` (ossf#1176)
- 1385528 Remove Repo CPU runtime stat logging (ossf#1186)
- 1db0f97 Sanitized repo URLs ~1M (ossf#1182)
- b08a4a8 Increase worker replicas (ossf#1173)
- 6088669 🐛 Fix ListFiles caching in localrepo client (ossf#1190)
- 8735961 Update shard naming to allow for 1M+ shards (ossf#1170)
- c73c562 Fix GitHub workflows failing (ossf#1172)
- 4cca9b4 ✨ Implement local repo client for local folders (ossf#1146)
- d9e35cd 🐛 Fix flaky tests in cron/data/add (ossf#1185)
- 0ba864e Avoid panic in code (ossf#1171)
- 53ae583 Remove obviously invalid URLs from projects.csv (ossf#1165)
- aa634bd 🌱 Fixes the broken e2e
- fd238d0 🌱 Fix goreleaser permission and flags
- 1b88587 🌱 Fix CVE warning for containerd
- 6f1a43a 🌱 add google/ko support for building/pushing container image (ossf#1127)
- faab696 Improve formatting, readability
- c13783a 🐛 Fixing parsing for Github workflow when matrix is an expression
- 6f1a1cb 📖 Update README.md (ossf#1160)
- 311d2e2 🌱 Reproducible builds with static binary
- c3d51a7 🌱 Included arm64 release for darwin (ossf#1157)
- 3d9c599 🌱 fix TestGetRepoURLs tests (ossf#1158)
- 54f1429 🌱 Fixed typo administrator
- 950e0e3 ✨ Add support for file-based repo URIs (ossf#1113)
- 0d299c2 Increase number of workers and 600k repos (ossf#1150)
- 96140f9 Add exponential backoff to CII badge check (ossf#1147)
- f38abc0 🌱 Bump actions/checkout from 1 to 2.3.5 (ossf#1137)
- c26bea6 📖 Minor fixes to markdown links (ossf#1141)
- b8eba24 Improve logging messages (ossf#1140)
- b387432 🌱 Bump goreleaser/goreleaser-action from 2.7.0 to 2.8.0 (ossf#1136)
- a020b16 🌱 Bump crazy-max/ghaction-import-gpg from 4.0.0 to 4.1.0
- 146dc85 Use token server in prod cron job (ossf#1135)
- 5ec7b26 Fix `connection refused` errors (ossf#1134)
- da94c7c 📖 Update Install command for version 3 (ossf#1125)
- 89cae3a Use GitHub auth server in cron release test (ossf#1133)
- 66f8640 Add GitHub token server (ossf#1132)
- cf9399a 🐛 Fixing parsing errors for github workflows (ossf#1131)
- 3233e4f 🌱 Bump github.com/onsi/ginkgo from 1.16.4 to 1.16.5
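Several entries in this release touch the Pinned-Dependencies check: ignoring local actions that are not pinned, changing the log message for non-pinned actions, reporting the line number of a Dockerfile `FROM` that is not pinned, and skipping template Dockerfiles. As an added illustration of what that class of check does, and not code from the Scorecard project or from this fork, the Go program below scans a GitHub Actions workflow and a Dockerfile for references that are not pinned to an immutable identifier. The file names, sample contents, commit SHA and image digest are constructed for the example; the scan is line-based rather than a real YAML or Dockerfile parse, which is the simplification a production check would not make.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one unpinned reference found in a workflow or Dockerfile.
type Finding struct {
	File string
	Line int // 1-based line number, so the report can point at the exact line
	Ref  string
	Why  string
}

var (
	sha40  = regexp.MustCompile(`^[0-9a-f]{40}$`)
	usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^"'\s#]+)`)
	fromRe = regexp.MustCompile(`(?i)^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)`)
)

// CheckWorkflow scans a GitHub Actions workflow line by line (not a full YAML
// parse) and reports every `uses:` reference that is not pinned to a 40-hex
// commit SHA. Local actions (./path) are ignored: they come from the same
// repository, so there is nothing external to pin. docker:// actions must
// carry a @sha256 digest instead.
func CheckWorkflow(name, content string) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		ref := m[1]
		if strings.HasPrefix(ref, "./") {
			continue
		}
		if strings.HasPrefix(ref, "docker://") {
			if !strings.Contains(ref, "@sha256:") {
				out = append(out, Finding{name, i + 1, ref, "container action not pinned by digest"})
			}
			continue
		}
		at := strings.LastIndex(ref, "@")
		if at < 0 {
			out = append(out, Finding{name, i + 1, ref, "no version given at all"})
			continue
		}
		if !sha40.MatchString(ref[at+1:]) {
			out = append(out, Finding{name, i + 1, ref, "pinned to a mutable tag or branch, not a commit SHA"})
		}
	}
	return out
}

// CheckDockerfile reports FROM lines whose base image has no @sha256 digest.
// References to an earlier build stage (FROM builder) and to scratch are not
// images and are skipped; so are templated images such as FROM ${BASE},
// because the real image is only known at build time.
func CheckDockerfile(name, content string) []Finding {
	stages := map[string]bool{"scratch": true}
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		m := fromRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		img := m[1]
		fields := strings.Fields(line)
		for j := 0; j+1 < len(fields); j++ {
			if strings.EqualFold(fields[j], "AS") {
				stages[strings.ToLower(fields[j+1])] = true
			}
		}
		switch {
		case stages[strings.ToLower(img)]:
			// earlier stage or scratch: nothing to pin
		case strings.Contains(img, "$") || strings.Contains(img, "{{"):
			// template Dockerfile: skip rather than report a placeholder
		case !strings.Contains(img, "@sha256:"):
			out = append(out, Finding{name, i + 1, img, "base image not pinned by digest"})
		}
	}
	return out
}

// Constructed sample inputs; the SHA and digest are placeholders, not real ones.
const SampleWorkflow = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3
      - uses: actions/setup-go@v3
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.18
      - name: no version
        uses: some/action
`

const SampleDockerfile = `FROM golang:1.20 AS builder
WORKDIR /src
RUN go build -o /out/app .
FROM gcr.io/distroless/base@sha256:4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f708192a3b
COPY --from=builder /out/app /app
FROM builder AS test
FROM ${BASE_IMAGE} AS extra
ENTRYPOINT ["/app"]
`

func main() {
	all := append(CheckWorkflow("ci.yml", SampleWorkflow), CheckDockerfile("Dockerfile", SampleDockerfile)...)
	for _, f := range all {
		fmt.Printf("%s:%d %s: %s\n", f.File, f.Line, f.Ref, f.Why)
	}
}
```

Running it reports three workflow findings (setup-go on a mutable tag, the docker:// action without a digest, the action with no version) and one Dockerfile finding (the golang:1.20 base), while the checkout pinned to a SHA, the local action, the stage references and the templated FROM produce nothing.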