10 Pull requests merged by 4 people

• :seedling: Convert Dangerous Workflow check to probes

  #3521 merged Nov 6, 2023

• :seedling: Bump github.com/spf13/cobra from 1.7.0 to 1.8.0

  #3644 merged Nov 6, 2023

• :bug: remove probe remediations from detail strings

  #3642 merged Nov 3, 2023

• :seedling: Bump cloud.google.com/go/bigquery from 1.56.0 to 1.57.1

  #3638 merged Nov 2, 2023

• :seedling: Bump github.com/onsi/gomega from 1.28.1 to 1.29.0

  #3624 merged Nov 1, 2023

• :seedling: Bump github.com/go-git/go-git/v5 from 5.9.0 to 5.10.0

  #3623 merged Nov 1, 2023

• :seedling: Bump github.com/go-logr/logr from 1.2.4 to 1.3.0

  #3622 merged Nov 1, 2023

• :seedling: Bump github.com/docker/docker from 24.0.6+incompatible to 24.0.7+incompatible in /tools

  #3628 merged Nov 1, 2023

• :seedling: Bump github.com/docker/docker from 24.0.4+incompatible to 24.0.7+incompatible

  #3627 merged Nov 1, 2023

• 🌱 Update stale workflow to exempt Structured Results milestone

  #3634 merged Nov 1, 2023

8 Pull requests opened by 3 people

• :seedling: Add dependency remediation in raw results instead of at log time

  #3632 opened Oct 31, 2023

• :seedling: Bump kubernetes-sigs/kubebuilder-release-tools from 0.4.0 to 0.4.2

  #3637 opened Nov 2, 2023

• :seedling: Bump github.com/google/osv-scanner from 1.4.2 to 1.4.3

  #3639 opened Nov 2, 2023

• :seedling: scdiff: Add workflow to run `scdiff` against PRs on demand

  #3640 opened Nov 2, 2023

• :seedling: Bump golang.org/x/text from 0.13.0 to 0.14.0

  #3643 opened Nov 6, 2023

• :seedling: Bump github.com/golangci/golangci-lint from 1.55.1 to 1.55.2 in /tools

  #3645 opened Nov 6, 2023

• :seedling: Bump actions/dependency-review-action from 3.1.0 to 3.1.1

  #3646 opened Nov 6, 2023

• :seedling: Bump tj-actions/changed-files from 39.2.3 to 40.1.0

  #3647 opened Nov 6, 2023

10 Issues closed by 2 people

• Feature: crowdsourcing scorecard run via GitHub action

  #1144 closed Nov 6, 2023

• Feature - Scorecard should sign releases with cosign

  #1201 closed Nov 6, 2023

• Feature: remove 1 point per unpinned action

  #1343 closed Nov 6, 2023

• Feature: speed up Validate check in pre-submits

  #1377 closed Nov 6, 2023

• scdiff: investigate result format

  #3360 closed Nov 3, 2023

• Scorecard - GitHub bot account

  #1729 closed Nov 3, 2023

• Use Kubernetes `release-notes` tool for releases

  #1677 closed Nov 2, 2023

• Extend Vulnerabilities check with https://github.com/github/advisory-database

  #1707 closed Nov 2, 2023

• Is there a way to influence a score by providing a proof of what's claimed as absent on a scorecard?

  #3626 closed Oct 31, 2023

• ? values in default ASCII table format are translated to -1 in JSON format

  #2425 closed Oct 31, 2023

1 Issue opened by 1 person

• findings: values should be exported consts owned by the probe

  #3641 opened Nov 2, 2023

84 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• :seedling: Migrate Maintained check to probes

  #3507 commented on Nov 3, 2023 • 36 new comments

• :seedling: Convert SAST check to probes

  #3571 commented on Nov 6, 2023 • 26 new comments

• Feature: mis-configured OIDC

  #3629 commented on Nov 2, 2023 • 9 new comments

• 🐛 Pinned-Dependencies continues on error

  #3515 commented on Nov 6, 2023 • 6 new comments

• Feature: Don't penalize Go projects for not "packaging" to a registry

  #2493 commented on Nov 6, 2023 • 4 new comments

• 📖 Added beginner's guide to scorecard checks docs

  #3617 commented on Nov 1, 2023 • 4 new comments

• Feature request: Add new check for developer education

  #3534 commented on Nov 1, 2023 • 3 new comments

• :seedling: convert CITest check to probes

  #3621 commented on Nov 1, 2023 • 3 new comments

• Feature: do not filter `testdata` in results once we have raw result support is landed

  #1428 commented on Nov 4, 2023 • 2 new comments

• Feature: Add support for CVS

  #920 commented on Nov 7, 2023 • 2 new comments

• BUG: checks Signed-Releases and Packaging returning `?` when the repo actually has releases on GitHub

  #2763 commented on Oct 31, 2023 • 1 new comment

• Why

  #3625 commented on Oct 31, 2023 • 1 new comment

• BUG: CITest evaluation documentation inconsistent with implementation

  #3616 commented on Oct 31, 2023 • 1 new comment

• Feature: dangerous CI

  #3630 commented on Nov 1, 2023 • 1 new comment

• Enhancement proposal process

  #1727 commented on Nov 2, 2023 • 1 new comment

• Feature: use `go-git`

  #1709 commented on Nov 2, 2023 • 1 new comment

• Command line unit test

  #1693 commented on Nov 2, 2023 • 1 new comment

• Feature: Create a scorecard API

  #1683 commented on Nov 2, 2023 • 1 new comment

• Reduce the number of permissions we look for

  #1667 commented on Nov 2, 2023 • 1 new comment

• Create multiple SARIF results for each branch protection settings

  #1626 commented on Nov 2, 2023 • 1 new comment

• Feature - Pin dependencies - add support for gclient DEPS file

  #1597 commented on Nov 2, 2023 • 1 new comment

• [UMBRELLA] Review/expand contribution guidance

  #1553 commented on Nov 2, 2023 • 1 new comment

• Add rationales for every criterion

  #1550 commented on Nov 2, 2023 • 1 new comment

• Feature: granular remediation hints per Warning

  #1522 commented on Nov 2, 2023 • 1 new comment

• Feature: unit test need to verify Logger messages

  #1509 commented on Nov 2, 2023 • 1 new comment

• Feature: Dependency-Update-Tool should check whether tools are available

  #1726 commented on Nov 3, 2023 • 1 new comment

• Feature: Is there a way to check score based on risk levels

  #1706 commented on Nov 3, 2023 • 1 new comment

• Yarn lock support

  #1652 commented on Nov 3, 2023 • 1 new comment

• Move to cron to a separate repository

  #1648 commented on Nov 3, 2023 • 1 new comment

• Detect more unpinned golang commands

  #1606 commented on Nov 3, 2023 • 1 new comment

• SAST - Recognize Clang Tidy as a SAST tool

  #1585 commented on Nov 3, 2023 • 1 new comment

• Feature: Check that CODEOWNERS is up to date

  #1554 commented on Nov 3, 2023 • 1 new comment

• Add branch protection settings

  #1563 commented on Nov 3, 2023 • 1 new comment

• DISCUSSION: v5 milestone

  #1490 commented on Nov 3, 2023 • 1 new comment

• Feature: Detect if SBOMs generated

  #1476 commented on Nov 3, 2023 • 1 new comment

• Feature: add Scorecard to OSS-Fuzz and CIFuzz

  #1389 commented on Nov 3, 2023 • 1 new comment

• Feature: support for GCB's cloud build in Dependencies-Pinning

  #1503 commented on Nov 4, 2023 • 1 new comment

• Feature: use .gitignore for binary-artifacts when --local is used

  #1499 commented on Nov 4, 2023 • 1 new comment

• Feature: add support for all unpinned npm commmands

  #1469 commented on Nov 4, 2023 • 1 new comment

• Feature: encourage developers to share SAST results

  #1427 commented on Nov 4, 2023 • 1 new comment

• Feature: add support for keyless signed release

  #1417 commented on Nov 4, 2023 • 1 new comment

• add ability to pass ignore list

  #1406 commented on Nov 4, 2023 • 1 new comment

• Feature: add linter check

  #1380 commented on Nov 4, 2023 • 1 new comment

• Feature: add check for vulnerability alerts

  #1371 commented on Nov 4, 2023 • 1 new comment

• Feature: generate SBOMs for scorecard container images

  #1366 commented on Nov 4, 2023 • 1 new comment

• Feature: auto rebase of PRs

  #1358 commented on Nov 4, 2023 • 1 new comment

• Feature: remove support for table output

  #1351 commented on Nov 4, 2023 • 1 new comment

• Feature: more robust way of logging errors in sub-checks

  #1327 commented on Nov 4, 2023 • 1 new comment

• Calculate risk based on score of the check

  #1321 commented on Nov 4, 2023 • 1 new comment

• Feature: enable branch protection on pull request for GitHub action

  #1271 commented on Nov 4, 2023 • 1 new comment

• Feature: provide an ignore list for Binary-Artifact check in GitHub action

  #1270 commented on Nov 4, 2023 • 1 new comment

• Feature: SAST tool run on PR should count more than those run after merge

  #1268 commented on Nov 5, 2023 • 1 new comment

• Feature: Separate check for policy/score evaluation

  #1245 commented on Nov 5, 2023 • 1 new comment

• Feature: separate common shell utility function from `shell_download_validate.go`

  #1220 commented on Nov 5, 2023 • 1 new comment

• Feature - Record scorecard card scans into Rekor

  #1200 commented on Nov 5, 2023 • 1 new comment

• Feature - Managed make parser

  #1194 commented on Nov 5, 2023 • 1 new comment

• Feature - Vendor dependencies for hermetic builds

  #1188 commented on Nov 5, 2023 • 1 new comment

• Make Packaging check 'job'-aware

  #1100 commented on Nov 5, 2023 • 1 new comment

• Scorecard should try to earn a CII Best Practices badge

  #1032 commented on Nov 5, 2023 • 1 new comment

• Feature: licensing check looks for ecosystem file's license

  #3168 commented on Nov 6, 2023 • 1 new comment

• Feature: Pin dependencies for other CI/CD

  #994 commented on Nov 6, 2023 • 1 new comment

• Feature - Security Scan

  #966 commented on Nov 6, 2023 • 1 new comment

• Granular `Vulnerabilities` check

  #935 commented on Nov 6, 2023 • 1 new comment

• How can contributors result be trusted, people can create fake organizations

  #859 commented on Nov 7, 2023 • 1 new comment

• Feedback on Scorecard result data

  #792 commented on Nov 7, 2023 • 1 new comment

• New check: signed commits

  #779 commented on Nov 7, 2023 • 1 new comment

• ✨ New probes: code-review

  #3302 commented on Nov 2, 2023 • 1 new comment

• :sparkles: Feat/branch protection recognize rule changes only through pr

  #3499 commented on Nov 7, 2023 • 1 new comment

• :seedling: convert binary artifact check to probe

  #3508 commented on Nov 2, 2023 • 1 new comment

• :seedling: convert CII Best Practices check to probes

  #3520 commented on Nov 3, 2023 • 1 new comment

• :seedling: convert Webhook check to probes

  #3522 commented on Nov 2, 2023 • 1 new comment

• :book: Add direct link to scorecard viewer

  #3529 commented on Nov 2, 2023 • 1 new comment

• convert Signed Releases to probes

  #3610 commented on Nov 6, 2023 • 1 new comment

• Feature: re-visit outcome definition in findings

  #2928 commented on Oct 31, 2023 • 0 new comments

• Improve Score Reporting: Signed-Releases looks at old release data

  #2169 commented on Oct 31, 2023 • 0 new comments

• Improve Score Reporting: Binary-Artifact filetype detection is not reliable

  #2163 commented on Oct 31, 2023 • 0 new comments

• Improve Score Reporting: Branch-Protection check fails with -1

  #2161 commented on Oct 31, 2023 • 0 new comments

• BUG: contributor checks does not validate number of companies per contributor

  #1024 commented on Oct 31, 2023 • 0 new comments

• e2e tests: use ginkgo's `--flake-attempts` flag instead of `nick-invision/retry`

  #2897 commented on Oct 31, 2023 • 0 new comments

• Feature: improve packaging

  #688 commented on Oct 31, 2023 • 0 new comments

• Feature: maintainer annotation

  #1907 commented on Oct 31, 2023 • 0 new comments

• Feature: Document what languages the check supports

  #3615 commented on Oct 31, 2023 • 0 new comments

• Feature: Add Scorecard GitHub Action results to the BigQuery database

  #2558 commented on Nov 1, 2023 • 0 new comments

• Split fuzzing checks in two: continuous fuzzing & fuzzers present

  #3475 commented on Nov 1, 2023 • 0 new comments