Releases: ossf/scorecard-action
v2.4.0
What's Changed
This update bumps the Scorecard version to the v5 release. For a complete list of changes, please refer to the v5.0.0 release notes. Of special note to Scorecard Action is the Maintainer Annotation feature, which can be used to suppress some Code Scanning false positives. Alerts will not be generated for any Scorecard Check with an annotation.
- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0 by @spencerschrock in #1410
- 🐛 lower license sarif alert threshold to 9 by @spencerschrock in #1411
Documentation
- docs: dogfooding badge by @jkowalleck in #1399
New Contributors
- @jkowalleck made their first contribution in #1399
Full Changelog: v2.3.3...v2.4.0
v2.3.3
Note
There is no v2.3.2 release as a step was skipped in the release process. This was fixed and re-released under the v2.3.3 tag.
What's Changed
- 🌱 Bump github.com/ossf/scorecard/v4 (v4.13.1) to github.com/ossf/scorecard/v5 (v5.0.0-rc1) by @spencerschrock in #1366
- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc1 to v5.0.0-rc2 by @spencerschrock in #1374
- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0-rc2.0.20240509182734-7ce860946928 by @spencerschrock in #1377
For a full changelist of what these include, see the v5.0.0-rc1 and v5.0.0-rc2 release notes.
Documentation
- 📖 Move token discussion out of main README. by @spencerschrock in #1279
- 📖 link to ossf/scorecard workflow instead of maintaining an example by @spencerschrock in #1352
- 📖 update api links to new scorecard.dev site by @spencerschrock in #1376
Full Changelog: v2.3.1...v2.3.3
v2.3.1
What's Changed
- 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1 by @spencerschrock in #1282
- Adds additional Fuzzing detection and fixes a SAST bug related to detecting CodeQL. For a full changelist of what this includes, see the v4.13.1 release notes.
Full Changelog: v2.3.0...v2.3.1
v2.3.0
What's Changed
- 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by @spencerschrock in #1270
- ✨ Send rekor tlog index to webapp when publishing results by @spencerschrock in #1169
- 🐛 Prevent url clipping for GHES instances by @rajbos in #1225
Documentation
- 📖 Update access rights needed to see the results in code scanning by @rajbos in #1229
- 📖 Add package comments. by @spencerschrock in #1221
- 📖 Add SECURITY.md file by @david-a-wheeler in #1250
- 📖 Fix typo in token input docs by @aabouzaid in #1258
New Contributors
- @david-a-wheeler made their first contribution in #1250
- @aabouzaid made their first contribution in #1258
Full Changelog: v2.2.0...v2.3.0
v2.2.0
What's Changed
- 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0 by @spencerschrock in #1192
Scorecard Result Viewer
Thanks to contributions from @cynthia-sg and @tegioz at CLOMonitor, there is a new Scorecard Result visualization page at https://securityscorecards.dev/viewer/?uri=<project-url>.
As an example, you can see our own score visualized here
Check out our README to learn how to link your README badge to the new visualization page.
Publishing Results
This release contains two fixes which will improve the user experience when publish_results is true:
- Runs that fail our workflow restrictions will fail with a 400 response indicating the problem, instead of a vague 500 status. (#1156, resolved #1150)
- Scorecard action will retry when signing results and submitting them to our web API. This should help with flakiness from connection failures. (#1191)
Docs
- 📖 Update README to accept fine-grained tokens by @pnacht in #1175
- 📖 Update installation instructions to match current GitHub UI by @joycebrum in #1153
- 📖 Document the GitHub action workflow restrictions when publishing results. by @spencerschrock in
New Contributors
- @bobcallaway made their first contribution in #1140
- @pnacht made their first contribution in #1175
Full Changelog: v2.1.3...v2.2.0
v2.1.3
What's Changed
- 🌱 Bump github.com/ossf/scorecard/v4 from 4.10.2 to 4.10.5 by @spencerschrock in #1111
Bug Fixes
- Invalid SARIF files from a bug in scorecard
- Vulnerabilities check crashes if a vulnerable dependency is found via OSVScanner
- Scorecard action not reporting binary artifacts in the repo
Full Scorecard Changelog: ossf/scorecard@v4.10.2...v4.10.5
Full Changelog: v2.1.2...v2.1.3
v2.1.2
What's Changed
Fixes
- 🌱 Bump scorecard dependency to v4.10.2 to remove a CODEOWNERS printf statement. by @spencerschrock in #1054
Full Changelog: v2.1.1...v2.1.2
v2.1.1
v2.1.0
What's Changed
Scorecard version
This release uses scorecard v4.10.0.
Improvements
- Docker build workflow by @naveensrinivasan in #981
- Use root user in distroless to support GitHub Actions by @spencerschrock in #994
- Disable pull_request_target by @laurentsimon in #1031
Documentation
- Add PAT section explaining risks by @olivekl in #1024
- Make the badge text easier to copy by @rajbos in #1026
New Contributors
- @joycebrum made their first contribution in #984
- @rajbos made their first contribution in #1026
Full Changelog: v2.0.6...v2.1.0