What's Changed
- ✨ Enhancement: adding new entries for GH actions & Pub as ecosystems, typo fixes by @aidenwang9867 in #2109
- feat: Add pom.xml support for Sonatype SAST by @laurentsimon in #2114
- ✨ Enhancement: Dependency-diff API optimization - changing the input param changeType from a map to an array by @aidenwang9867 in #2111
- 🌱 Bump gocloud.dev from 0.25.0 to 0.26.0 by @dependabot in #2121
- 🌱 Bump nick-invision/retry from 2.6.0 to 2.8.0 by @dependabot in #2122
- 📖 Include an example query for the public BigQuery dataset by @spencerschrock in #2123
- 🌱 Bump actions/cache from 3.0.5 to 3.0.6 by @dependabot in #2127
- 🌱 Bump cloud.google.com/go/bigquery from 1.36.0 to 1.37.0 by @dependabot in #2126
- 🌱 Bump nick-invision/retry from 2.8.0 to 2.8.1 by @dependabot in #2130
- 🌱 github actions cleanup and set to get the latest go available by @cpanato in #2135
- 🌱 Limit access to registered checks by @spencerschrock in #2134
- ✨ support for SLSA provenance in Signed-Release by @laurentsimon in #2131
- ✨ Feature: Improve Dependabot detection through PRs by @qequ in #2125
- ✨ Support OneFuzz in fuzzing checks by @balteravishay in #2141
- 🐛 Fix bug 2051 by @varunsh-coder in #2140
- 🌱 Bump actions/cache from 3.0.6 to 3.0.7 by @dependabot in #2139
- ✨ Favor SLSA provenance over plain signature in Signed-Release by @laurentsimon in #2144
- 🌱 Bump step-security/harden-runner from 1.4.4 to 1.4.5 by @dependabot in #2148
- ✨ Scorecard returns a non-zero exit code if any check has a runtime error by @spencerschrock in #2133
- 🌱 Bump cloud.google.com/go/bigquery from 1.37.0 to 1.38.0 by @dependabot in #2149
- 🐛 Add scorecard-action to the security-events allowlist in Token Permissions check by @spencerschrock in #2153
- 🐛 Remove duplicate projects with different casings by @azeemshaikh38 in #2155
- 🐛 Detect recently created GitHub repositories by @raghavkaul in #2151
- ✨ Unflag the `--commit` option by @azeemshaikh38 in #2156
- Use generic generator for SLSA by @laurentsimon in #2146
- 🌱 Upgrade to go 1.18 by @naveensrinivasan in #2143
- 🌱 Bump sigstore/cosign-installer from 2.5.0 to 2.5.1 by @dependabot in #2167
- 🐛 Fix remediation text when Scorecard is run multiple times within a program by @spencerschrock in #2168
- 🌱 Update scorecard-action to v2:alpha by @azeemshaikh38 in #2171
- ✨ Use sha256 for release hashes by @laurentsimon in #2172
New Contributors
- @qequ made their first contribution in #2125
- @balteravishay made their first contribution in #2141
Full Changelog: v4.5.0...v4.6.0