ossf/scorecard v5.3.0

on GitHub

What's Changed

General

• 🐛 Scorecard now skips dangling symlinks and detects symlink path traversal when run on local files. Note: Scorecard has always skipped all symlinks when run against a remote repository. (#4785, @spencerschrock)
• ✨ The scorecard serve command was refactored and fixed. It accepts HTTP requests, analyzes the repo, and returns the result over HTTP. by @Fix3dP0int in #4665

scorecard serve # will start serving on localhost:8080
curl http://localhost:8080?repo=github.com/ossf/scorecard&show_details=true
{"date":"2025-09-30T09:08:38-06:00","repo":{"name":"github.com/ossf/scorecard","commit":"c22063e786c11f9dd714d777a687ff7c4599b600"},"scorecard":{"version":"devel","commit":"unknown"},"score":9.5 # rest omitted

Checks

Branch-Protection

• 🐛 Prevent ListReleases from failing a run for forges which don't support the operation (#4677, @JamieMagee)
• 🐛 Skip tag-only rulesets during Branch-Protection by @trask in #4699

Contributors

• 🐛 Fixed a nil pointer dereference in the Contributors check for GitHub repos analyzed with --file-mode=git (#4705, @spencerschrock)

Dangerous-Workflow

• ✨ Scorecard detects dangerous use of discussion title and body. (#4719, @AdamKorcz)
• ✨ Scorecard detects dangerous use of blocked_user.name and blocked_user.email (#4720, @AdamKorcz)

Fuzzing

• ✨ feat(jsx): support fuzzing in jsx files #4663 by @dsm23 in #4664

Packaging

• 🐛 remove setup-go requirement for Packaging with goreleaser by @AdamKorcz in #4673
• ✨ Support Elixir packaging workflows (#4684, @AdamKorcz)

Pinned-Dependencies

• 🐛 Check for unpinned reusable workflow calls. (#4681, @AdamKorcz)
• 🐛 Support git URLs for calls to npm install. (#4680, @AdamKorcz)
• 🐛 Fixed a bug where URLs with surrounding quotes weren't being parsed (#4736, @Fix3dP0int)
• 🐛 Fixed a bug when looking up digests for unpinned docker image remediations. (#4683, @AdamKorcz)
• 🐛 Docker args are now evaluated when determining if container images are pinned. (#4780, @spencerschrock)
• 🐛 Files downloaded from a pinned GitHub reference are now marked as pinned even when downloaded across multiple commands by @spencerschrock in #4777

SAST

• 🐛 Fixed a bug where SAST probes would dereference a nil pointer(#4675, @AdamKorcz)
• ✨ add support for hadolint SAST by @AdamKorcz in #4688

Signed-Releases

• 🐛 Signed-Releases now detects signatures ending with .sigstore.json (#4728, @mark-adams)

Security-Policy

• ✨ Start recognizing escaped emails in security policy documents (#4676, @ralphbean)

Token-Permissions

• ✨ Add zizmorcore/zizmor-action to allow-list for use of security-events: write. (#4758, @martincostello)

Docs

• 📖 Capitalization and punctuation in CONTRIBUTING.md by @dcaine125 in #4714
• 📖 Docs improvements for package manager flags in README.md file by @jakbrownbytes in #4732
• 📖 document missing cron checks in README by @spencerschrock in #4707
• 📖 Rephrased the CI-Test description. by @kailealee in #4708
• 📖 Separated command and output in README by @devon3583 in #4731
• 📖 spelling fixes by @scop in #4750
• 📖 add error clarification for github branch protection errors by @spencerschrock in #4778
• 📖 Fix typo in TODO comment by @deivid-rodriguez in #4801

Other

• 🌱 move from golang/mock to uber/gomock by @tylerauerbeck in #4645
• 🌱 chore: add apache-maven by @Ndacyayisenga-droid in #4666
• 🌱 Add unit tests to cover collectPolicyHits by @ralphbean in #4674
• 🌱 security: pin GitHub Actions to commit hashes by @harekrishnarai in #4678
• 🌱 limit webhook payload size to 1024 bytes by @spencerschrock in #4700
• 🌱 add test cases for author name and email by @AdamKorcz in #4721
• 🌱 avoid unnecessary []byte to string conversions by @spencerschrock in #4539
• 🌱 cron: repair gitlab project list by @spencerschrock in #4658
• 🌱 add awslabs/mcp project to public data feed by @scottschreckengaust in #4739
• 🌱 cron: treat orgs with IP allowlist as inaccessible by @spencerschrock in #4747
• 🌱 chore: Add Hiero's hiero-did-sdk-js and hiero-hederium by @jwagantall in #4743
• 🐛 delete broken slsa-goreleaser workflow by @martincostello in #4776
• 🌱 migrate to golangci-lint v2 by @spencerschrock in #4641
• 🌱 Adds new Chromium dependencies to cron scan config. by @renewitt in #4794
• 🌱 migrate tablewriter dependency to v1 new API by @spencerschrock in #4796

New Contributors

• @tylerauerbeck made their first contribution in #4645
• @dsm23 made their first contribution in #4664
• @Ndacyayisenga-droid made their first contribution in #4666
• @ralphbean made their first contribution in #4674
• @harekrishnarai made their first contribution in #4678
• @trask made their first contribution in #4699
• @dcaine125 made their first contribution in #4714
• @mark-adams made their first contribution in #4728
• @jakbrownbytes made their first contribution in #4732
• @kailealee made their first contribution in #4708
• @scottschreckengaust made their first contribution in #4739
• @devon3583 made their first contribution in #4731
• @scop made their first contribution in #4750
• @jwagantall made their first contribution in #4743
• @Fix3dP0int made their first contribution in #4665
• @deivid-rodriguez made their first contribution in #4801

Full Changelog: v5.2.1...v5.3.0