chore(deps): update dependency ossf/scorecard to v5.1.0

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
ossf/scorecard	minor	5.0.0 -> 5.1.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

ossf/scorecard (ossf/scorecard)

v5.1.0

Compare Source

What's Changed

• There is a new --file-mode flag to control how repository files are fetched. (#​4474, @​spencerschrock)
  • The default method if unspecified is --file-mode archive which is what older versions of Scorecard always used.
  • --file-mode git produces the most accurate results for repositories with .gitattributes files at the cost of analysis speed. This currently only supports GitHub but can be expanded to other forges in the future.
• The Scorecard binary name in releases is now consistent across all platforms (#​4520, @​timothysparg)
• Scorecard now prints a warning if multiple GitHub PAT environment variables are set with different values. (#​4483, @​aunovis-heidrich)

Azure DevOps Support (Experimental)

There is now experimental support for Azure DevOps repositories (thanks @​JamieMagee). Most checks should work, but the following checks do not: Branch-Protection, SBOM, and Signed-Releases.

To analyze a repository:

1. Set the SCORECARD_EXPERIMENTAL environment variable to any value.
2. Put your access token in the AZURE_DEVOPS_AUTH_TOKEN environment variable.

Checks

• Enabled Fuzzing, License, Packaging, SAST, and Security-Policy checks when using --local option (#​4423, @​lharrison13)

CI-Tests

• ✨ Add woodpecker as known CI by @​6543 in https://github.com/ossf/scorecard/pull/4336

Contributors

• Contributing organizations are now lexicographically sorted. (#​4436, @​spencerschrock)

Dangerous-Workflow

• When detecting a potential script injection in a GitHub workflow, Scorecard now adds a machine-readable patch to fix the vulnerability. This patch can be applied to your project using git apply or patch -p1 from the repository's root. The patch is currently only visible when running the hasDangerousWorkflowScriptInjection probe directly. (#​4218, @​pnacht)

Fuzzing

• Support detection of fuzzing in Elixir and Gleam through the import of property-based testing modules (#​4408, @​kikofernandez)
• Support detection of fuzzing in Erlang through the import of property-based testing modules (#​4406, @​kikofernandez)

License

• Updates list of supported SDPX licenses to include latest data. (#​4323, @​lelia)

Pinned-Dependencies

• ✨ Support Nuget Pinned Dependency with RestoreLockedMode attribute by @​balteravishay in https://github.com/ossf/scorecard/pull/4351
• ✨ Support Nuget Central Package Management by @​balteravishay in https://github.com/ossf/scorecard/pull/4369

Security-Policy

• Fixed an issue where an org's .github repository was checked for a security policy without the proper authenticated transport by @​jeffmendoza in https://github.com/ossf/scorecard/pull/4259

Signed-Releases

• Included links now link to the artifacts instead of the API details about the artifacts by @​klbynum in https://github.com/ossf/scorecard/pull/4290

Docs

• 📖 Fix typo in branch protections details by @​martincostello in https://github.com/ossf/scorecard/pull/4270
• 📖 Updated Scorecard link in README.md by @​Wavyeli32 in https://github.com/ossf/scorecard/pull/4262
• 📖 Mention rulesets for GitHub Branch-Protection remediation by @​pethers in https://github.com/ossf/scorecard/pull/4316
• 📖 explicitly state both check documentation files are committed by @​spencerschrock in https://github.com/ossf/scorecard/pull/4317
• 📖 clarify project goals and non-goals by @​spencerschrock in https://github.com/ossf/scorecard/pull/4318
• 📖 governance: Add Incubation application submission by @​justaugustus in https://github.com/ossf/scorecard/pull/4200
• 📖 Fix SBOM-Everywhere link by @​evankanderson in https://github.com/ossf/scorecard/pull/4334
• 📖 governance: Add meeting note archives from 2021 through 2024 by @​justaugustus in https://github.com/ossf/scorecard/pull/4482

New Contributors

• @​Wavyeli32 made their first contribution in https://github.com/ossf/scorecard/pull/4262
• @​klbynum made their first contribution in https://github.com/ossf/scorecard/pull/4290
• @​6543 made their first contribution in https://github.com/ossf/scorecard/pull/4336
• @​evankanderson made their first contribution in https://github.com/ossf/scorecard/pull/4334
• @​kikofernandez made their first contribution in https://github.com/ossf/scorecard/pull/4406
• @​lharrison13 made their first contribution in https://github.com/ossf/scorecard/pull/4423
• @​renewitt made their first contribution in https://github.com/ossf/scorecard/pull/4476
• @​aunovis-heidrich made their first contribution in https://github.com/ossf/scorecard/pull/4483
• @​timothysparg made their first contribution in https://github.com/ossf/scorecard/pull/4520

Full Changelog: ossf/scorecard@v5.0.0...v5.1.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/scorecard:5.1.0

📦 Image Reference ghcr.io/uniget-org/tools/scorecard:5.1.0

digest	sha256:4af31130978019e7ee0ea9db747c5456b5ee28555558ef9a073d9c87fb038fb4
vulnerabilities
platform	linux/amd64
size	18 MB
packages	138

[github-actions]

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/13302683353.

[github-actions]

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/13302683353.