Scorecard - v4.6.0


What's Changed

  • ✨ Enhancement: adding new entries for GH actions & Pub as ecosystems, typo fixes by @aidenwang9867 in https://github.com/ossf/scorecard/pull/2109
  • feat: Add pom.xml support for sonarype SAST by @laurentsimon in https://github.com/ossf/scorecard/pull/2114
  • ✨ Enhancement: Dependency-diff API optimization - changing the input param changeType from a map to an array by @aidenwang9867 in https://github.com/ossf/scorecard/pull/2111
  • 🌱 Bump gocloud.dev from 0.25.0 to 0.26.0 by @dependabot in https://github.com/ossf/scorecard/pull/2121
  • 🌱 Bump nick-invision/retry from 2.6.0 to 2.8.0 by @dependabot in https://github.com/ossf/scorecard/pull/2122
  • 📖 Include an example query for the public BigQuery dataset by @spencerschrock in https://github.com/ossf/scorecard/pull/2123
  • 🌱 Bump actions/cache from 3.0.5 to 3.0.6 by @dependabot in https://github.com/ossf/scorecard/pull/2127
  • 🌱 Bump cloud.google.com/go/bigquery from 1.36.0 to 1.37.0 by @dependabot in https://github.com/ossf/scorecard/pull/2126
  • 🌱 Bump nick-invision/retry from 2.8.0 to 2.8.1 by @dependabot in https://github.com/ossf/scorecard/pull/2130
  • 🌱 github actions cleanup and set to get the latest go available by @cpanato in https://github.com/ossf/scorecard/pull/2135
  • 🌱 Limit access to registered checks by @spencerschrock in https://github.com/ossf/scorecard/pull/2134
  • ✨ support for SLSA provenance in Signed-Release by @laurentsimon in https://github.com/ossf/scorecard/pull/2131
  • ✨ Feature: Improve Dependabot detection through PRs by @qequ in https://github.com/ossf/scorecard/pull/2125
  • ✨ Support OneFuzz in fuzzing checks by @balteravishay in https://github.com/ossf/scorecard/pull/2141
  • 🐛 Fix bug 2051 by @varunsh-coder in https://github.com/ossf/scorecard/pull/2140
  • 🌱 Bump actions/cache from 3.0.6 to 3.0.7 by @dependabot in https://github.com/ossf/scorecard/pull/2139
  • ✨ Favor SLSA provenance over plain signature in Signed-Release by @laurentsimon in https://github.com/ossf/scorecard/pull/2144
  • 🌱 Bump step-security/harden-runner from 1.4.4 to 1.4.5 by @dependabot in https://github.com/ossf/scorecard/pull/2148
  • ✨ Scorecard returns a non-zero exit code if any check has a runtime error by @spencerschrock in https://github.com/ossf/scorecard/pull/2133
  • 🌱 Bump cloud.google.com/go/bigquery from 1.37.0 to 1.38.0 by @dependabot in https://github.com/ossf/scorecard/pull/2149
  • 🐛 Add scorecard-action to the security-events allowlist in Token Permissions check by @spencerschrock in https://github.com/ossf/scorecard/pull/2153
  • 🐛 Remove duplicate projects with different casings by @azeemshaikh38 in https://github.com/ossf/scorecard/pull/2155
  • 🐛 Detect recently created GitHub repositories by @raghavkaul in https://github.com/ossf/scorecard/pull/2151
  • ✨ Unflag the --commit option by @azeemshaikh38 in https://github.com/ossf/scorecard/pull/2156
  • Use generic generator for SLSA by @laurentsimon in https://github.com/ossf/scorecard/pull/2146
  • 🌱 Upgrade to go 1.18 by @naveensrinivasan in https://github.com/ossf/scorecard/pull/2143
  • 🌱 Bump sigstore/cosign-installer from 2.5.0 to 2.5.1 by @dependabot in https://github.com/ossf/scorecard/pull/2167
  • 🐛 Fix remediation text when Scorecard is run multiple times within a program by @spencerschrock in https://github.com/ossf/scorecard/pull/2168
  • 🌱 Update scorecard-action to v2:alpha by @azeemshaikh38 in https://github.com/ossf/scorecard/pull/2171
  • ✨ Use sha256 for release hashes by @laurentsimon in https://github.com/ossf/scorecard/pull/2172

New Contributors

  • @qequ made their first contribution in https://github.com/ossf/scorecard/pull/2125
  • @balteravishay made their first contribution in https://github.com/ossf/scorecard/pull/2141

Full Changelog: https://github.com/ossf/scorecard/compare/v4.5.0...v4.6.0


Details

  • date: Aug. 18, 2022, 10:10 p.m.
  • name: v4.6.0
  • type: Minor