Releases: ossf/scorecard-action
v2.3.1
What's Changed
- 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1 by @spencerschrock in #1282
- Adds additional Fuzzing detection and fixes a SAST bug related to detecting CodeQL. For a full changelist of what this includes, see the v4.13.1 release notes
Full Changelog: v2.3.0...v2.3.1
v2.3.0
What's Changed
- 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by @spencerschrock in #1270
- ✨ Send rekor tlog index to webapp when publishing results by @spencerschrock in #1169
- 🐛 Prevent url clipping for GHES instances by @rajbos in #1225
Documentation
- 📖 Update access rights needed to see the results in code scanning by @rajbos in #1229
- 📖 Add package comments. by @spencerschrock in #1221
- 📖 Add SECURITY.md file by @david-a-wheeler in #1250
- 📖 Fix typo in token input docs by @aabouzaid in #1258
New Contributors
- @david-a-wheeler made their first contribution in #1250
- @aabouzaid made their first contribution in #1258
Full Changelog: v2.2.0...v2.3.0
v2.2.0
What's Changed
- 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0 by @spencerschrock in #1192
Scorecard Result Viewer
Thanks to contributions from @cynthia-sg and @tegioz at CLOMonitor, there is a new Scorecard Result visualization page at https://securityscorecards.dev/viewer/?uri=<project-url>.
As an example, you can see our own score visualized here.
Check out our README to learn how to link your README badge to the new visualization page.
Publishing Results
This release contains two fixes which will improve the user experience when publish_results is true:
- Runs that fail our workflow restrictions will fail with a 400 response indicating the problem, instead of a vague 500 status. (#1156, resolved #1150)
- Scorecard action will retry when signing results and submitting them to our web API. This should help with flakiness from connection failures. (#1191)
Docs
- 📖 Update README to accept fine-grained tokens by @pnacht in #1175
- 📖 Update installation instructions to match current GitHub UI by @joycebrum in #1153
- 📖 Document the GitHub action workflow restrictions when publishing results. by @spencerschrock in
New Contributors
- @bobcallaway made their first contribution in #1140
- @pnacht made their first contribution in #1175
Full Changelog: v2.1.3...v2.2.0
v2.1.3
What's Changed
- 🌱 Bump github.com/ossf/scorecard/v4 from 4.10.2 to 4.10.5 by @spencerschrock in #1111
Bug Fixes
- Invalid SARIF files from a bug in scorecard
- Vulnerabilities check crashes if a vulnerable dependency is found via OSVScanner
- Scorecard action not reporting binary artifacts in the repo
Full Scorecard Changelog: ossf/scorecard@v4.10.2...v4.10.5
Full Changelog: v2.1.2...v2.1.3
v2.1.2
What's Changed
Fixes
- 🌱 Bump scorecard dependency to v4.10.2 to remove a CODEOWNERS printf statement. by @spencerschrock in #1054
Full Changelog: v2.1.1...v2.1.2
v2.1.1
v2.1.0
What's Changed
Scorecard version
This release uses scorecard v4.10.0.
Improvements
- Docker build workflow by @naveensrinivasan in #981
- Use root user in distroless to support GitHub Actions by @spencerschrock in #994
- Disable pull_request_target by @laurentsimon in #1031
Documentation
- Add PAT section explaining risks by @olivekl in #1024
- Make the badge text easier to copy by @rajbos in #1026
New Contributors
- @joycebrum made their first contribution in #984
- @rajbos made their first contribution in #1026
Full Changelog: v2.0.6...v2.1.0
v2.0.6
v2.0.5
What's Changed
- Remove trailing space from example by @jamacku in #955
- 🌱 Bump actions/cache from 3.0.8 to 3.0.10 by @dependabot in #956
- 🌱 Bump github/codeql-action from 2.1.25 to 2.1.26 by @dependabot in #957
- 🌱 Bump step-security/harden-runner from 1.4.5 to 1.5.0 by @dependabot in #958
- 🌱 Bump debian from 5cf1d98 to b46fc4e by @dependabot in #959
- 🌱 Bump github.com/sigstore/cosign from 1.12.1 to 1.13.0 by @dependabot in #962
- 🌱 Upgrade to go 1.19 by @naveensrinivasan in #961
- 🌱 Bump github.com/spf13/cobra from 1.5.0 to 1.6.0 by @dependabot in #967
- 🌱 Bump golang from c2a98a5 to b850621 by @dependabot in #966
- 🌱 Bump golang from b850621 to 25de7b6 by @dependabot in #968
- New release for Scorecard v4.8.0 by @naveensrinivasan in #969
New Contributors
Full Changelog: v2.0.4...v2.0.5
v2.0.4
Fixes #856
What's Changed
- 🌱 Bump github.com/caarlos0/env/v6 from 6.10.0 to 6.10.1 by @dependabot in #934
- feat: do not run signing on pull requests by @laurentsimon in #935
- 🌱 Bump debian from 11.4-slim to 11.5-slim by @dependabot in #936
- 🌱 Bump github.com/sigstore/cosign from 1.11.1 to 1.12.0 by @dependabot in #938
- 🌱 Bump github/codeql-action from 2.1.22 to 2.1.24 by @dependabot in #941
- 🐛 Restore behavior of ignoring scorecard runtime errors by @spencerschrock in #948
- 🌱 Bump actions/dependency-review-action from 2.1.0 to 2.4.0 by @dependabot in #950
- 🌱 Bump github.com/sigstore/cosign from 1.12.0 to 1.12.1 by @dependabot in #947
- 🌱 Bump github/codeql-action from 2.1.24 to 2.1.25 by @dependabot in #949
- 🌱 Bump codecov/codecov-action from 3.1.0 to 3.1.1 by @dependabot in #942
- Create v2.0.4 patch by @spencerschrock in #952
New Contributors
- @spencerschrock made their first contribution in #948
Full Changelog: v2.0.3...v2.0.4