What's Changed

• There is a new --file-mode flag to control how repository files are fetched. (#4474, @spencerschrock)
  • The default method if unspecified is --file-mode archive which is what older versions of Scorecard always used.
  • --file-mode git produces the most accurate results for repositories with .gitattributes files at the cost of analysis speed. This currently only supports GitHub but can be expanded to other forges in the future.
• The Scorecard binary name in releases is now consistent across all platforms (#4520, @timothysparg)
• Scorecard now prints a warning if multiple GitHub PAT environment variables are set with different values. (#4483, @aunovis-heidrich)

Azure DevOps Support (Experimental)

There is now experimental support for Azure DevOps repositories (thanks @JamieMagee). Most checks should work, but the following checks do not: Branch-Protection, SBOM, and Signed-Releases.

To analyze a repository:

1. Set the SCORECARD_EXPERIMENTAL environment variable to any value.
2. Put your access token in the AZURE_DEVOPS_AUTH_TOKEN environment variable.

Checks

• Enabled Fuzzing, License, Packaging, SAST, and Security-Policy checks when using --local option (#4423, @lharrison13)

CI-Tests

• ✨ Add woodpecker as known CI by @6543 in #4336

Contributors

• Contributing organizations are now lexicographically sorted. (#4436, @spencerschrock)

Dangerous-Workflow

• When detecting a potential script injection in a GitHub workflow, Scorecard now adds a machine-readable patch to fix the vulnerability. This patch can be applied to your project using git apply or patch -p1 from the repository's root. The patch is currently only visible when running the hasDangerousWorkflowScriptInjection probe directly. (#4218, @pnacht)

Fuzzing

• Support detection of fuzzing in Elixir and Gleam through the import of property-based testing modules (#4408, @kikofernandez)
• Support detection of fuzzing in Erlang through the import of property-based testing modules (#4406, @kikofernandez)

License

• Updates list of supported SDPX licenses to include latest data. (#4323, @lelia)

Pinned-Dependencies

• ✨ Support Nuget Pinned Dependency with RestoreLockedMode attribute by @balteravishay in #4351
• ✨ Support Nuget Central Package Management by @balteravishay in #4369

Security-Policy

• Fixed an issue where an org's .github repository was checked for a security policy without the proper authenticated transport by @jeffmendoza in #4259

Signed-Releases

• Included links now link to the artifacts instead of the API details about the artifacts by @klbynum in #4290

Docs

• 📖 Fix typo in branch protections details by @martincostello in #4270
• 📖 Updated Scorecard link in README.md by @Wavyeli32 in #4262
• 📖 Mention rulesets for GitHub Branch-Protection remediation by @pethers in #4316
• 📖 explicitly state both check documentation files are committed by @spencerschrock in #4317
• 📖 clarify project goals and non-goals by @spencerschrock in #4318
• 📖 governance: Add Incubation application submission by @justaugustus in #4200
• 📖 Fix SBOM-Everywhere link by @evankanderson in #4334
• 📖 governance: Add meeting note archives from 2021 through 2024 by @justaugustus in #4482

New Contributors

• @Wavyeli32 made their first contribution in #4262
• @klbynum made their first contribution in #4290
• @6543 made their first contribution in #4336
• @evankanderson made their first contribution in #4334
• @kikofernandez made their first contribution in #4406
• @lharrison13 made their first contribution in #4423
• @renewitt made their first contribution in #4476
• @aunovis-heidrich made their first contribution in #4483
• @timothysparg made their first contribution in #4520

Full Changelog: v5.0.0...v5.1.0