Description
This release of Scorecard brings bug fixes, enhancements, new features and many other changes. The project remains available as a Docker image.
Release Notes
New code features and enhancements
- A new Scorecard GitHub Action
- New checks: License and Dangerous-Workflow
- Improved scoring system for complex checks like Branch-Protection, Token-Permissions
- Improved Fuzzing check to support ClusterFuzzLite
- Added support for new SAST tools, such as LGTM and SonarCloud, in the SAST check
- Support for local code repositories (using the --local option)
- Improved parsing of GitHub workflows
- Improved test coverage
- Scaled weekly cron job repos to analyze ~1M projects
Scaling
- Weekly scans for ~1M GitHub repos with critical ecosystem dependencies, sourced from deps.dev.
- Weekly scan results are available in a BigQuery table in JSON format.
LTS
- In line with the v3 release announcement, the format of the weekly scans remains unchanged and will be available at least until the end of 2022.
Contributors
Huge thanks to all community contributors:
@laurentsimon, @naveensrinivasan, @chrismcgehee, @azeemshaikh38, @asraa, @olivekl, @evverx, @developer-guy, @oliverchang, @varunsh-coder, @david-a-wheeler, @imjasonh, @nanikjava, @JamieMagee, @lehors, @r0mdau, @cpanato, @dota17, @Juneezee
New Contributors
- @varunsh-coder made their first contribution in #1326
- @dota17 made their first contribution in #1341
- @lehors made their first contribution in #1312
- @JamieMagee made their first contribution in #1378
- @imjasonh made their first contribution in #1392
Mailing lists
- Stay updated with new releases and other announcements by joining ossf-scorecard-announce@googlegroups.com.
- Ask questions, get access to design docs, etc. by joining ossf-scorecard-dev@googlegroups.com.
Full Changelog: v3.0.0...v4.0.0