
ci(deps): Bump ossf/scorecard-action from 2.3.1 to 2.4.2 #4

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/ossf/scorecard-action-2.4.2


@dependabot dependabot Bot commented on behalf of github Aug 20, 2025

Bumps ossf/scorecard-action from 2.3.1 to 2.4.2.

Release notes

Sourced from ossf/scorecard-action's releases.

v2.4.2

What's Changed

This update bumps the Scorecard version to the v5.2.1 release. For a complete list of changes, please refer to the Scorecard v5.2.0 and v5.2.1 release notes.

Full Changelog: ossf/scorecard-action@v2.4.1...v2.4.2

v2.4.1

What's Changed

  • This update bumps the Scorecard version to the v5.1.1 release. For a complete list of changes, please refer to the v5.1.0 and v5.1.1 release notes.
  • Publishing results now uses half the API quota as before. The exact savings depends on the repository in question.
  • Some errors were made into annotations to make them more visible
  • There is now an optional file_mode input which controls how repository files are fetched from GitHub. The default is archive, but git produces the most accurate results for repositories with .gitattributes files at the cost of analysis speed.
  • The underlying container for the action is now hosted on GitHub Container Registry. There should be no functional changes.

Docs

New Contributors

v2.4.0

What's Changed

This update bumps the Scorecard version to the v5 release. For a complete list of changes, please refer to the v5.0.0 release notes. Of special note to Scorecard Action is the Maintainer Annotation feature, which can be used to suppress some Code Scanning false positives. Alerts will not be generated for any Scorecard Check with an annotation.

Documentation

New Contributors

Full Changelog: ossf/scorecard-action@v2.3.3...v2.4.0

v2.3.3

[!NOTE]
There is no v2.3.2 release as a step was skipped in the release process. This was fixed and re-released under the v2.3.3 tag

What's Changed

... (truncated)

Commits
  • 05b42c6 🌱 bump docker to ghcr v2.4.2 (#1548)
  • b225da6 Bump github.com/ossf/scorecard/v5 from v5.2.0 to v5.2.1 (#1550)
  • 9399f6f 🌱 Bump the docker-images group across 1 directory with 2 updates (#1...
  • e1daa8c 🌱 Bump the github-actions group across 1 directory with 5 updates (#...
  • 9fe6511 🌱 Bump golang.org/x/net from 0.39.0 to 0.40.0 (#1542)
  • 25b9cd9 🌱 Bump github.com/ossf/scorecard/v5 from v5.1.1 to v5.2.0 (#1547)
  • 18cc9b8 🌱 Bump golang.org/x/net from 0.38.0 to 0.39.0 (#1536)
  • db78142 🌱 Bump the github-actions group with 2 updates (#1538)
  • de386ed 🌱 Bump golang from 1.24.1 to 1.24.2 in the docker-images group (#1534)
  • 5b7cedb 🌱 Bump github.com/sigstore/cosign/v2 from 2.4.3 to 2.5.0 (#1537)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


dependabot Bot commented on behalf of github Aug 20, 2025

Assignees

The following users could not be added as assignees: edelwud/platform-team. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot force-pushed the dependabot/github_actions/ossf/scorecard-action-2.4.2 branch from 873dd8a to a8bbb6f Compare August 20, 2025 18:23
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.3.1 to 2.4.2.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@v2.3.1...v2.4.2)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-version: 2.4.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/ossf/scorecard-action-2.4.2 branch from a8bbb6f to b146719 Compare August 25, 2025 09:58

- name: Run OSSF Scorecard
uses: ossf/scorecard-action@v2.3.1
uses: ossf/scorecard-action@v2.4.2
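
Review bot: the replacement line `uses: ossf/scorecard-action@v2.4.2` still references the action by a mutable tag, the same form as the `@v2.3.1` line it replaces, so the workflow runs whatever commit that tag points to at run time. Pin the reference to the full commit SHA of the v2.4.2 release and keep the version as a trailing comment, for example `uses: ossf/scorecard-action@<full-commit-sha> # v2.4.2` (the SHA here is a placeholder to be taken from the upstream release). This is the condition the Pinned-Dependencies check reports on this line.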

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 0: third-party GitHubAction not pinned by hash
Click Remediation section below to solve this issue
@github-actions

📊 Coverage Report

Coverage

Overall Coverage: 68.4%

📋 Detailed Coverage by Package
github.com/edelwud/vm-proxy-auth/cmd/gateway/main.go:32:						main					0.0%
github.com/edelwud/vm-proxy-auth/cmd/gateway/main.go:162:						showVersionInfo				0.0%
github.com/edelwud/vm-proxy-auth/cmd/gateway/main.go:173:						showValidationSuccess			0.0%
github.com/edelwud/vm-proxy-auth/internal/config/config.go:86:						Load					83.3%
github.com/edelwud/vm-proxy-auth/internal/config/config.go:111:						loadFromEnv				92.9%
github.com/edelwud/vm-proxy-auth/internal/config/config.go:141:						validate				80.0%
github.com/edelwud/vm-proxy-auth/internal/config/config.go:153:						setDefaults				100.0%
github.com/edelwud/vm-proxy-auth/internal/config/config.go:161:						setServerDefaults			87.5%
github.com/edelwud/vm-proxy-auth/internal/config/config.go:176:						setUpstreamDefaults			100.0%
github.com/edelwud/vm-proxy-auth/internal/config/config.go:200:						setAuthDefaults				87.5%
github.com/edelwud/vm-proxy-auth/internal/config/config.go:215:						setMetricsDefaults			100.0%
github.com/edelwud/vm-proxy-auth/internal/config/config.go:221:						setLoggingDefaults			75.0%
github.com/edelwud/vm-proxy-auth/internal/domain/errors.go:32:						NewAppError				0.0%
github.com/edelwud/vm-proxy-auth/internal/domain/errors.go:42:						NewUnauthorizedError			0.0%
github.com/edelwud/vm-proxy-auth/internal/domain/errors.go:47:						NewForbiddenError			0.0%
github.com/edelwud/vm-proxy-auth/internal/domain/errors.go:52:						NewBadRequestError			0.0%
github.com/edelwud/vm-proxy-auth/internal/domain/errors.go:57:						NewUpstreamError			0.0%
github.com/edelwud/vm-proxy-auth/internal/domain/errors.go:62:						NewInternalError			0.0%
github.com/edelwud/vm-proxy-auth/internal/domain/errors.go:66:						Error					66.7%
github.com/edelwud/vm-proxy-auth/internal/domain/errors.go:74:						Unwrap					0.0%
github.com/edelwud/vm-proxy-auth/internal/domain/types.go:30:						String					100.0%
github.com/edelwud/vm-proxy-auth/internal/domain/types.go:155:						IsValid					100.0%
github.com/edelwud/vm-proxy-auth/internal/handlers/gateway.go:35:					NewGatewayHandler			100.0%
github.com/edelwud/vm-proxy-auth/internal/handlers/gateway.go:54:					ServeHTTP				68.8%
github.com/edelwud/vm-proxy-auth/internal/handlers/gateway.go:115:					processRequest				47.8%
github.com/edelwud/vm-proxy-auth/internal/handlers/gateway.go:171:					extractToken				85.7%
github.com/edelwud/vm-proxy-auth/internal/handlers/gateway.go:185:					extractQuery				14.3%
github.com/edelwud/vm-proxy-auth/internal/handlers/gateway.go:221:					isQueryEndpoint				80.0%
github.com/edelwud/vm-proxy-auth/internal/handlers/gateway.go:239:					isWriteEndpoint				28.6%
github.com/edelwud/vm-proxy-auth/internal/handlers/gateway.go:259:					writeResponse				83.3%
github.com/edelwud/vm-proxy-auth/internal/handlers/gateway.go:273:					writeError				80.0%
github.com/edelwud/vm-proxy-auth/internal/handlers/gateway.go:288:					recordMetrics				100.0%
github.com/edelwud/vm-proxy-auth/internal/handlers/gateway.go:299:					generateRequestID			100.0%
github.com/edelwud/vm-proxy-auth/internal/handlers/gateway.go:305:					processQueryFiltering			64.3%
github.com/edelwud/vm-proxy-auth/internal/handlers/gateway.go:338:					processTargetTenant			28.6%
github.com/edelwud/vm-proxy-auth/internal/handlers/gateway.go:353:					handleProcessingError			0.0%
github.com/edelwud/vm-proxy-auth/internal/handlers/gateway.go:374:					getUserLogger				75.0%
github.com/edelwud/vm-proxy-auth/internal/handlers/health.go:18:					NewHealthHandler			100.0%
github.com/edelwud/vm-proxy-auth/internal/handlers/health.go:26:					ServeHTTP				100.0%
github.com/edelwud/vm-proxy-auth/internal/handlers/health.go:31:					Health					100.0%
github.com/edelwud/vm-proxy-auth/internal/handlers/health.go:42:					Readiness				0.0%
github.com/edelwud/vm-proxy-auth/internal/handlers/health.go:53:					writeJSON				60.0%
github.com/edelwud/vm-proxy-auth/internal/infrastructure/logger/logger.go:16:				NewStructuredLogger			0.0%
github.com/edelwud/vm-proxy-auth/internal/infrastructure/logger/logger.go:56:				Debug					0.0%
github.com/edelwud/vm-proxy-auth/internal/infrastructure/logger/logger.go:60:				Info					0.0%
github.com/edelwud/vm-proxy-auth/internal/infrastructure/logger/logger.go:64:				Warn					0.0%
github.com/edelwud/vm-proxy-auth/internal/infrastructure/logger/logger.go:68:				Error					0.0%
github.com/edelwud/vm-proxy-auth/internal/infrastructure/logger/logger.go:72:				With					0.0%
github.com/edelwud/vm-proxy-auth/internal/infrastructure/logger/logger.go:89:				logWithFields				0.0%
github.com/edelwud/vm-proxy-auth/internal/infrastructure/logger/logger.go:101:				String					0.0%
github.com/edelwud/vm-proxy-auth/internal/infrastructure/logger/logger.go:105:				Int					0.0%
github.com/edelwud/vm-proxy-auth/internal/infrastructure/logger/logger.go:109:				Duration				100.0%
github.com/edelwud/vm-proxy-auth/internal/infrastructure/logger/logger.go:113:				Error					66.7%
github.com/edelwud/vm-proxy-auth/internal/infrastructure/logger/logger.go:121:				UserID					100.0%
github.com/edelwud/vm-proxy-auth/internal/infrastructure/logger/logger.go:125:				RequestID				100.0%
github.com/edelwud/vm-proxy-auth/internal/infrastructure/logger/logger.go:129:				Path					100.0%
github.com/edelwud/vm-proxy-auth/internal/infrastructure/logger/logger.go:133:				Method					100.0%
github.com/edelwud/vm-proxy-auth/internal/infrastructure/logger/logger.go:137:				StatusCode				100.0%
github.com/edelwud/vm-proxy-auth/internal/services/access/service.go:16:				NewService				100.0%
github.com/edelwud/vm-proxy-auth/internal/services/access/service.go:23:				CanAccess				100.0%
github.com/edelwud/vm-proxy-auth/internal/services/access/service.go:44:				isWriteOperation			88.9%
github.com/edelwud/vm-proxy-auth/internal/services/access/service.go:71:				isRestrictedPath			100.0%
github.com/edelwud/vm-proxy-auth/internal/services/access/service.go:89:				isAdmin					100.0%
github.com/edelwud/vm-proxy-auth/internal/services/auth/jwks.go:43:					NewJWKSFetcher				100.0%
github.com/edelwud/vm-proxy-auth/internal/services/auth/jwks.go:55:					GetPublicKey				100.0%
github.com/edelwud/vm-proxy-auth/internal/services/auth/jwks.go:75:					fetchJWKS				91.7%
github.com/edelwud/vm-proxy-auth/internal/services/auth/jwks.go:118:					jwkToRSAPublicKey			100.0%
github.com/edelwud/vm-proxy-auth/internal/services/auth/jwt_verifier.go:22:				NewJWTVerifier				100.0%
github.com/edelwud/vm-proxy-auth/internal/services/auth/jwt_verifier.go:31:				NewJWKSVerifier				100.0%
github.com/edelwud/vm-proxy-auth/internal/services/auth/jwt_verifier.go:53:				VerifyToken				88.9%
github.com/edelwud/vm-proxy-auth/internal/services/auth/jwt_verifier.go:72:				keyFunc					100.0%
github.com/edelwud/vm-proxy-auth/internal/services/auth/jwt_verifier.go:84:				handleRSAKey				60.0%
github.com/edelwud/vm-proxy-auth/internal/services/auth/jwt_verifier.go:99:				handleHMACKey				66.7%
github.com/edelwud/vm-proxy-auth/internal/services/auth/jwt_verifier.go:107:				getKeyFromJWKS				0.0%
github.com/edelwud/vm-proxy-auth/internal/services/auth/jwt_verifier.go:128:				validateClaims				91.7%
github.com/edelwud/vm-proxy-auth/internal/services/auth/service.go:32:					NewService				100.0%
github.com/edelwud/vm-proxy-auth/internal/services/auth/service.go:64:					Authenticate				95.7%
github.com/edelwud/vm-proxy-auth/internal/services/auth/service.go:150:					extractGroups				100.0%
github.com/edelwud/vm-proxy-auth/internal/services/auth/service.go:158:					determineUserPermissions		100.0%
github.com/edelwud/vm-proxy-auth/internal/services/auth/service.go:196:					hasGroupMatch				80.0%
github.com/edelwud/vm-proxy-auth/internal/services/auth/service.go:209:					removeDuplicates			57.1%
github.com/edelwud/vm-proxy-auth/internal/services/auth/service.go:223:					removeDuplicateVMTenants		100.0%
github.com/edelwud/vm-proxy-auth/internal/services/auth/service.go:238:					CleanupCache				0.0%
github.com/edelwud/vm-proxy-auth/internal/services/metrics/service.go:29:				newMetricsSet				100.0%
github.com/edelwud/vm-proxy-auth/internal/services/metrics/service.go:101:				NewService				100.0%
github.com/edelwud/vm-proxy-auth/internal/services/metrics/service.go:129:				Handler					100.0%
github.com/edelwud/vm-proxy-auth/internal/services/metrics/service.go:136:				RecordRequest				100.0%
github.com/edelwud/vm-proxy-auth/internal/services/metrics/service.go:164:				RecordUpstream				100.0%
github.com/edelwud/vm-proxy-auth/internal/services/metrics/service.go:187:				RecordQueryFilter			100.0%
github.com/edelwud/vm-proxy-auth/internal/services/metrics/service.go:210:				RecordAuthAttempt			100.0%
github.com/edelwud/vm-proxy-auth/internal/services/metrics/service.go:220:				RecordTenantAccess			100.0%
github.com/edelwud/vm-proxy-auth/internal/services/proxy/service.go:24:					NewService				100.0%
github.com/edelwud/vm-proxy-auth/internal/services/proxy/service.go:41:					Forward					87.9%
github.com/edelwud/vm-proxy-auth/internal/services/proxy/service.go:150:				buildTargetURL				69.2%
github.com/edelwud/vm-proxy-auth/internal/services/proxy/service.go:182:				prepareRequest				90.9%
github.com/edelwud/vm-proxy-auth/internal/services/proxy/service.go:210:				handleRequestBody			85.7%
github.com/edelwud/vm-proxy-auth/internal/services/proxy/service.go:232:				updateFormDataQuery			83.3%
github.com/edelwud/vm-proxy-auth/internal/services/tenant/filterstrategies/or_query_builder.go:28:	NewORQueryBuilder			100.0%
github.com/edelwud/vm-proxy-auth/internal/services/tenant/filterstrategies/or_query_builder.go:36:	BuildSecureQuery			91.7%
github.com/edelwud/vm-proxy-auth/internal/services/tenant/filterstrategies/or_query_builder.go:72:	createSecureORExpression		100.0%
github.com/edelwud/vm-proxy-auth/internal/services/tenant/filterstrategies/or_query_builder.go:117:	optimizeGroups				100.0%
github.com/edelwud/vm-proxy-auth/internal/services/tenant/filterstrategies/or_query_builder.go:170:	deduplicateStrings			100.0%
github.com/edelwud/vm-proxy-auth/internal/services/tenant/filterstrategies/or_query_builder.go:185:	cloneExpression				66.7%
github.com/edelwud/vm-proxy-auth/internal/services/tenant/filterstrategies/or_query_builder.go:199:	injectTenantToExpression		81.8%
github.com/edelwud/vm-proxy-auth/internal/services/tenant/filterstrategies/or_query_builder.go:226:	injectTenantToVectorSelector		92.3%
github.com/edelwud/vm-proxy-auth/internal/services/tenant/filterstrategies/promql_parser.go:19:		NewPromQLTenantInjector			100.0%
github.com/edelwud/vm-proxy-auth/internal/services/tenant/filterstrategies/promql_parser.go:26:		InjectTenantLabels			73.3%
github.com/edelwud/vm-proxy-auth/internal/services/tenant/filterstrategies/promql_parser.go:74:		injectTenantLabelsToVectorSelector	60.0%
github.com/edelwud/vm-proxy-auth/internal/services/tenant/filterstrategies/promql_parser.go:118:	addSingleTenantFilter			100.0%
github.com/edelwud/vm-proxy-auth/internal/services/tenant/service.go:24:				NewService				100.0%
github.com/edelwud/vm-proxy-auth/internal/services/tenant/service.go:38:				FilterQuery				70.0%
github.com/edelwud/vm-proxy-auth/internal/services/tenant/service.go:105:				CanAccessTenant				0.0%
github.com/edelwud/vm-proxy-auth/internal/services/tenant/service.go:123:				DetermineTargetTenant			0.0%
github.com/edelwud/vm-proxy-auth/internal/testutils/mock_logger.go:11:					Debug					0.0%
github.com/edelwud/vm-proxy-auth/internal/testutils/mock_logger.go:14:					Info					0.0%
github.com/edelwud/vm-proxy-auth/internal/testutils/mock_logger.go:17:					Warn					0.0%
github.com/edelwud/vm-proxy-auth/internal/testutils/mock_logger.go:20:					Error					0.0%
github.com/edelwud/vm-proxy-auth/internal/testutils/mock_logger.go:23:					With					100.0%
total:													(statements)				68.4%

Coverage threshold: 70% ❌

dependabot Bot commented on behalf of github Oct 6, 2025

Superseded by #27.

@dependabot dependabot Bot closed this Oct 6, 2025
@dependabot dependabot Bot deleted the dependabot/github_actions/ossf/scorecard-action-2.4.2 branch October 6, 2025 02:35