Comparing changes

base repository: ossf/scorecard-action
base: v2.3.3
head repository: ossf/scorecard-action
compare: v2.4.0

Commits on May 13, 2024

  1. 🌱 Bump golang from 1.22.2 to 1.22.3 in the docker-images group (#1380)

    Bumps the docker-images group with 1 update: golang.
    
    
    Updates `golang` from 1.22.2 to 1.22.3
    
    ---
    updated-dependencies:
    - dependency-name: golang
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: docker-images
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored May 13, 2024

    Verified

    This commit was signed with the committer’s verified signature.
    crazy-max CrazyMax
    6451974

Commits on May 14, 2024

  1. 🌱 Bump the github-actions group with 2 updates (#1379)

    Bumps the github-actions group with 2 updates: [github/codeql-action](https://github.com/github/codeql-action) and [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action).
    
    
    Updates `github/codeql-action` from 3.25.3 to 3.25.5
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](github/codeql-action@d39d31e...b7cec75)
    
    Updates `golangci/golangci-lint-action` from 5.3.0 to 6.0.1
    - [Release notes](https://github.com/golangci/golangci-lint-action/releases)
    - [Commits](golangci/golangci-lint-action@38e1018...a4f60bb)
    
    ---
    updated-dependencies:
    - dependency-name: github/codeql-action
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: github-actions
    - dependency-name: golangci/golangci-lint-action
      dependency-type: direct:production
      update-type: version-update:semver-major
      dependency-group: github-actions
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored May 14, 2024
    c64f0a7

Commits on May 29, 2024

  1. 🌱 Bump the github-actions group across 1 directory with 3 updates (#1385)
    
    Bumps the github-actions group with 3 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [github/codeql-action](https://github.com/github/codeql-action) and [step-security/harden-runner](https://github.com/step-security/harden-runner).
    
    
    Updates `actions/checkout` from 4.1.5 to 4.1.6
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](actions/checkout@44c2b7a...a5ac7e5)
    
    Updates `github/codeql-action` from 3.25.5 to 3.25.6
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](github/codeql-action@b7cec75...9fdb3e4)
    
    Updates `step-security/harden-runner` from 2.7.1 to 2.8.0
    - [Release notes](https://github.com/step-security/harden-runner/releases)
    - [Commits](step-security/harden-runner@a4aa98b...f086349)
    
    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: github-actions
    - dependency-name: github/codeql-action
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: github-actions
    - dependency-name: step-security/harden-runner
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: github-actions
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored May 29, 2024
    7699f53

Commits on Jun 5, 2024

  1. 🌱 Bump github/codeql-action (#1388)

    Bumps the github-actions group with 1 update in the / directory: [github/codeql-action](https://github.com/github/codeql-action).
    
    
    Updates `github/codeql-action` from 3.25.6 to 3.25.8
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](github/codeql-action@9fdb3e4...2e230e8)
    
    ---
    updated-dependencies:
    - dependency-name: github/codeql-action
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: github-actions
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Jun 5, 2024
    b8000e8
  2. 🌱 Bump golang.org/x/net from 0.25.0 to 0.26.0 (#1389)

    Bumps [golang.org/x/net](https://github.com/golang/net) from 0.25.0 to 0.26.0.
    - [Commits](golang/net@v0.25.0...v0.26.0)
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/net
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Jun 5, 2024
    641740c

Commits on Jun 11, 2024

  1. 🌱 Bump golang from 1.22.3 to 1.22.4 in the docker-images group (#1390)

    Bumps the docker-images group with 1 update: golang.
    
    
    Updates `golang` from 1.22.3 to 1.22.4
    
    ---
    updated-dependencies:
    - dependency-name: golang
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: docker-images
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Jun 11, 2024
    d0985f8
  2. 🌱 Bump the github-actions group with 2 updates (#1391)

    Bumps the github-actions group with 2 updates: [step-security/harden-runner](https://github.com/step-security/harden-runner) and [actions/dependency-review-action](https://github.com/actions/dependency-review-action).
    
    
    Updates `step-security/harden-runner` from 2.8.0 to 2.8.1
    - [Release notes](https://github.com/step-security/harden-runner/releases)
    - [Commits](step-security/harden-runner@f086349...17d0e2b)
    
    Updates `actions/dependency-review-action` from 4.3.2 to 4.3.3
    - [Release notes](https://github.com/actions/dependency-review-action/releases)
    - [Commits](actions/dependency-review-action@0c155c5...72eb03d)
    
    ---
    updated-dependencies:
    - dependency-name: step-security/harden-runner
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: github-actions
    - dependency-name: actions/dependency-review-action
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: github-actions
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Jun 11, 2024
    0a8153a

Commits on Jun 26, 2024

  1. 🌱 Bump github.com/hashicorp/go-retryablehttp (#1396)

    Bumps [github.com/hashicorp/go-retryablehttp](https://github.com/hashicorp/go-retryablehttp) from 0.7.5 to 0.7.7.
    - [Changelog](https://github.com/hashicorp/go-retryablehttp/blob/main/CHANGELOG.md)
    - [Commits](hashicorp/go-retryablehttp@v0.7.5...v0.7.7)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/hashicorp/go-retryablehttp
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Jun 26, 2024
    e240506
  2. 🌱 Bump github.com/spf13/cobra from 1.8.0 to 1.8.1 (#1392)

    Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.8.0 to 1.8.1.
    - [Release notes](https://github.com/spf13/cobra/releases)
    - [Commits](spf13/cobra@v1.8.0...v1.8.1)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/spf13/cobra
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Jun 26, 2024
    09f6ba3

Commits on Jul 1, 2024

  1. 🌱 Bump the github-actions group across 1 directory with 2 updates (#1397)
    
    Bumps the github-actions group with 2 updates in the / directory: [actions/checkout](https://github.com/actions/checkout) and [github/codeql-action](https://github.com/github/codeql-action).
    
    
    Updates `actions/checkout` from 4.1.6 to 4.1.7
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](actions/checkout@a5ac7e5...692973e)
    
    Updates `github/codeql-action` from 3.25.8 to 3.25.11
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](github/codeql-action@2e230e8...b611370)
    
    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: github-actions
    - dependency-name: github/codeql-action
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: github-actions
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Jul 1, 2024
    8c9e2c1

Commits on Jul 10, 2024

  1. docs: dogfooding badge (#1399)

    Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
    jkowalleck authored Jul 10, 2024
    a4737bf
  2. 🌱 Bump golang.org/x/net from 0.26.0 to 0.27.0 (#1400)

    dependabot[bot] authored Jul 10, 2024
    82bcb91
  3. 🌱 Bump the docker-images group with 2 updates (#1401)

    dependabot[bot] authored Jul 10, 2024
    54cc1fe
  4. 🌱 Bump the github-actions group across 1 directory with 2 updates (#1404)

    dependabot[bot] authored Jul 10, 2024
    873d5fd

Commits on Jul 15, 2024

  1. 🌱 Bump the github-actions group with 2 updates (#1408)

    dependabot[bot] authored Jul 15, 2024
    a8eaa1b
  2. 🌱 Bump golang in the docker-images group (#1407)

    dependabot[bot] authored Jul 15, 2024
    9fc518d

Commits on Jul 19, 2024

  1. bump scorecard to v5.0.0 release (#1410)

    Signed-off-by: Spencer Schrock <sschrock@google.com>
    spencerschrock authored Jul 19, 2024
    a46b90b

Commits on Jul 22, 2024

  1. 🌱 Bump the github-actions group with 2 updates (#1412)

    dependabot[bot] authored Jul 22, 2024
    de5fcb9
  2. 🌱 Bump github.com/sigstore/cosign/v2 from 2.2.4 to 2.3.0 (#1413)

    dependabot[bot] authored Jul 22, 2024
    cf8594c

Commits on Jul 23, 2024

  1. lower license score alert threshold to 9 (#1411)

    When the threshold was introduced, the license check was a boolean
    check: 0 points for no license, and 10 points with a license. This
    later changed as covered in ossf/scorecard#1369
    
    As the last point relies on SPDX detection, it's often flaky. Lowering
    the threshold allows us to still warn if a license isn't detected but
    not expect perfection.
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    spencerschrock authored Jul 23, 2024
    c09630c

Commits on Jul 26, 2024

  1. bump docker tag to v2.4.0 for release (#1414)

    The main change is the Scorecard bump to v5.0.0, which includes
    maintainer annotations which will affect the SARIF produced by this
    action.
    
    For full details see the release notes:
    https://github.com/ossf/scorecard/releases/tag/v5.0.0
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    spencerschrock authored Jul 26, 2024
    62b2cac
8 changes: 4 additions & 4 deletions .github/workflows/codeql-analysis.yml
@@ -35,11 +35,11 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
@@ -50,7 +50,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
uses: github/codeql-action/autobuild@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13

# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
@@ -64,4 +64,4 @@ jobs:
# make release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
6 changes: 3 additions & 3 deletions .github/workflows/dependency-review.yml
@@ -31,11 +31,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: 'Checkout Repository'
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: 'Dependency Review'
uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # v4.3.2
uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
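Review bot: The `egress-policy: audit` line under the Harden Runner step still carries its `TODO: change to 'egress-policy: block' after couple of runs` while the action pin moves from v2.7.1 to v2.9.0. The pin has now crossed several harden-runner releases with the policy unchanged, so either switch to `block` with the allowed endpoints taken from the audit output, or replace the TODO with a reference to a tracking issue so it does not ride along with every bump.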
2 changes: 1 addition & 1 deletion .github/workflows/docker-image.yml
@@ -13,6 +13,6 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Build the Docker image
run: docker build . --file Dockerfile
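Review bot: The checkout step in this workflow has no `with:` block, so it keeps the default of persisting the token in the local git config, whereas the checkout in scorecards.yml sets `persist-credentials: false`. The only other step shown is `docker build . --file Dockerfile`, which does not need the credential; consider adding `persist-credentials: false` here for consistency.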
6 changes: 3 additions & 3 deletions .github/workflows/golangci.yml
@@ -16,12 +16,12 @@ jobs:
matrix:
os: [ ubuntu-latest ]
steps:
- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version-file: go.mod
cache: false # golangci/golangci-lint-action maintains its own cache
- uses: golangci/golangci-lint-action@38e1018663fa5173f3968ea0777460d3de38f256 # v5.3.0
- uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
with:
version: v1.55.2
only-new-issues: true
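Review bot: `golangci/golangci-lint-action` jumps a major version on the last `uses:` line (v5.3.0 to v6.0.1) while the `with:` block under it, `version: v1.55.2` and `only-new-issues: true`, is unchanged. Please confirm against the v6 release notes that both inputs keep their meaning, and state in the PR that the linter itself stays at v1.55.2 so the action bump is not read as a linter upgrade.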
6 changes: 3 additions & 3 deletions .github/workflows/scorecards.yml
@@ -16,7 +16,7 @@ jobs:

steps:
- name: "Checkout code"
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
persist-credentials: false

@@ -31,14 +31,14 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
with:
name: SARIF file
path: results.sarif
retention-days: 5

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
with:
sarif_file: results.sarif
8 changes: 4 additions & 4 deletions .github/workflows/tests.yaml
@@ -17,8 +17,8 @@ jobs:
permissions:
id-token: write # Needed to pick up on signing with a GitHub workflow identity.
steps:
- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version-file: go.mod
cache: true
@@ -38,8 +38,8 @@ jobs:
matrix:
os: [ ubuntu-latest ]
steps:
- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version-file: go.mod
cache: true
4 changes: 2 additions & 2 deletions Dockerfile
@@ -22,7 +22,7 @@
# -e GITHUB_REPOSITORY="ossf/scorecard" \
# laurentsimon/scorecard-action:latest

FROM golang:1.22.2@sha256:d5302d40dc5fbbf38ec472d1848a9d2391a13f93293a6a5b0b87c99dc0eaa6ae AS builder
FROM golang:1.22.5@sha256:829eff99a4b2abffe68f6a3847337bf6455d69d17e49ec1a97dac78834754bd6 AS builder
WORKDIR /src
ENV CGO_ENABLED=0
COPY go.* ./
@@ -35,7 +35,7 @@ ARG TARGETARCH
RUN CGO_ENABLED=0 make build

# Need root for GitHub Actions support
FROM gcr.io/distroless/base@sha256:786007f631d22e8a1a5084c5b177352d9dcac24b1e8c815187750f70b24a9fc6
FROM gcr.io/distroless/base@sha256:1aae189e3baecbb4044c648d356ddb75025b2ba8d14cdc9c2a19ba784c90bfb9
COPY --from=build /src/scorecard-action /
COPY policies/template.yml /policy.yml
ENTRYPOINT [ "/scorecard-action" ]
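Review bot: The new `gcr.io/distroless/base@sha256:1aae189e...` digest has no tag next to it, unlike the `golang:1.22.5@sha256:...` line in the previous hunk and the `# vX.Y.Z` comments on the workflow pins, so the diff does not show which image build is being adopted. Consider a comment line above this `FROM` recording the tag or date the digest was resolved from (a separate line, since Dockerfile comments cannot trail an instruction).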
2 changes: 1 addition & 1 deletion Makefile
@@ -1,5 +1,5 @@
# NOTE: Keep this in sync with go.mod for ossf/scorecard.
LDFLAGS=-X sigs.k8s.io/release-utils/version.gitVersion=v5.0.0-rc2 -X sigs.k8s.io/release-utils/version.gitCommit=7ce8609469289d5f3b1bf5ee3122f42b4e3054fb -w -extldflags \"-static\"
LDFLAGS=-X sigs.k8s.io/release-utils/version.gitVersion=v5.0.0 -X sigs.k8s.io/release-utils/version.gitCommit=ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4 -w -extldflags \"-static\"

build: ## Runs go build on repo
# Run go build and generate scorecard executable
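Review bot: `gitVersion=v5.0.0` and `gitCommit=ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4` in LDFLAGS are hand-maintained, and the NOTE above them asks for them to match go.mod, whose diff is not rendered on this page. Please confirm that this commit is the one the ossf/scorecard v5.0.0 tag points to and that go.mod requires v5.0.0; a small CI check comparing the Makefile value with the go.mod entry would keep the two from drifting.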
2 changes: 2 additions & 0 deletions README.md
@@ -1,6 +1,8 @@
# Scorecards' GitHub action
[![CodeQL](https://github.com/ossf/scorecard-action/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/ossf/scorecard-action/actions/workflows/codeql-analysis.yml)
[![codecov](https://codecov.io/gh/ossf/scorecard-action/branch/main/graph/badge.svg?token=MAXISWR53I)](https://codecov.io/gh/ossf/scorecard-action)
[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/ossf/scorecard-action/badge)](https://scorecard.dev/viewer/?uri=github.com/ossf/scorecard-action)

> Official GitHub Action for [OSSF Scorecards](https://github.com/ossf/scorecard).
The Scorecards GitHub Action is free for all public repositories. Private repositories are supported if they have [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security). Private repositories without GitHub Advanced Security can run Scorecards from the command line by following the [standard installation instructions](https://github.com/ossf/scorecard#using-scorecards-1).
2 changes: 1 addition & 1 deletion action.yaml
@@ -53,4 +53,4 @@ branding:

runs:
using: "docker"
image: "docker://gcr.io/openssf/scorecard-action:v2.3.3"
image: "docker://gcr.io/openssf/scorecard-action:v2.4.0"
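Review bot: The `image:` value is referenced by a mutable tag (`:v2.4.0`) rather than by digest, while the Dockerfile bases and the workflow actions changed in this diff are all pinned by SHA. If the release process allows it, add the image digest to this reference once the image is pushed (for example `...scorecard-action:v2.4.0@sha256:<digest>`, placeholder), so consumers who pin this action by commit also get an immutable image.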
176 changes: 91 additions & 85 deletions go.mod

Large diffs are not rendered by default.

480 changes: 244 additions & 236 deletions go.sum

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion policies/template.yml
@@ -27,7 +27,7 @@ policies:
score: 10
mode: enforced
License:
score: 10
score: 9
mode: enforced
Pinned-Dependencies:
score: 10
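Review bot: `License:` now has `score: 9` while the neighbouring checks in this hunk stay at `score: 10`, and nothing in the file says why. Add a short comment above it giving the reason from the commit message (the last point relies on SPDX detection, which is often flaky), so the lower threshold is not changed back to 10 later by someone tidying the file.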