build(deps): bump ossf/scorecard-action from 99c09fe975337306107572b4fdf4db224cf8e2f2 to 4eaacf0543bb3f2c246792bd56e8cdeffafb205a in /.github/workflows#170
Conversation
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 99c09fe975337306107572b4fdf4db224cf8e2f2 to 4eaacf0543bb3f2c246792bd56e8cdeffafb205a.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@99c09fe...4eaacf0)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-version: 4eaacf0543bb3f2c246792bd56e8cdeffafb205a
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Dependency Update Analysis
Summary: This PR updates one GitHub Action.
Dependency 1: ossf/scorecard-action
| Check | Result |
|---|---|
| Breaking changes | ✅ None found affecting this repo’s usage |
| Testable in PR | ✅ Yes — workflow is triggered by pull_request (.github/workflows/ci.yml:5-9) |
| Commit verified | ✅ Yes (4eaacf... is GitHub-verified) |
| Pin format | ✅ SHA-pinned |
Changelog highlights (vOLD → vNEW)
- Action bump is in `.github/workflows/ci.yml:100`.
- Upstream `scorecard-action v2.4.3` release bumps the embedded Scorecard engine to `v5.3.0` and includes docs/maintenance updates.
- No explicit CVE IDs or GHSA advisories were listed in the `v2.4.3` release notes.
- Upstream `scorecard v5.3.0` notes include security-relevant hardening/behavior updates (for example symlink traversal handling, webhook payload size limiting, and additional dangerous-workflow detections).
Usage in this repository
- Only usage found: `.github/workflows/ci.yml:100`.
- Inputs used: `results_file: scorecard-results.sarif` (`.github/workflows/ci.yml:102`), `results_format: sarif` (`.github/workflows/ci.yml:103`), `publish_results: false` (`.github/workflows/ci.yml:104`).
- Output path is consumed by `github/codeql-action/upload-sarif` (`.github/workflows/ci.yml:106-109`).
Compatibility assessment
- The workflow’s consumed interface (action invocation + SARIF output upload) is unchanged; no required new inputs were identified.
- Commit provenance checks pass for the new SHA and it maps to tag `v2.4.3`.
- CVE-focused assessment:
  - Identified vulnerability entries: No CVE/GHSA identifiers in `scorecard-action v2.4.3` release notes.
  - Internal security-impacting changes: Upstream engine changes emphasize safer parsing/analysis behavior and stronger detection logic.
  - Risk impact for this repo: Overall risk preserved to slightly reduced for security posture; operationally, the main risk is potential analysis-result drift (more/changed findings), not runtime compromise.
  - Potential regressions / attack surface: No new permission scopes in this workflow beyond existing job permissions (`actions: read`, `contents: read`, `security-events: write`, `id-token: write` in `.github/workflows/ci.yml:88-92`). Main regression vector is CI noise/false positives from updated checks.
Labels Applied
No labels applied.
Note
🔒 Integrity filtering filtered 1 item
Integrity filtering activated and filtered the following item during workflow execution.
This happens when a tool call accesses a resource that does not meet the required integrity or secrecy level of the workflow.
- pr: build(deps): bump ossf/scorecard-action from 99c09fe975337306107572b4fdf4db224cf8e2f2 to 4eaacf0543bb3f2c246792bd56e8cdeffafb205a in /.github/workflows #170 (`pull_request_read`: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)
From workflow: Observability Agentic Workflow Entrypoint
| - name: Run Scorecard analysis | ||
| uses: ossf/scorecard-action@99c09fe975337306107572b4fdf4db224cf8e2f2 # v2.4.3 | ||
| uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 |
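Review bot: the version comment is identical on both lines (`uses: ossf/scorecard-action@99c09fe975337306107572b4fdf4db224cf8e2f2 # v2.4.3` becomes `uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3`) while the pinned SHA changes, so before merging confirm that the new SHA is the commit the `v2.4.3` tag peels to (for example compare it with the `v2.4.3^{}` row of `git ls-remote --tags https://github.com/ossf/scorecard-action`); if it is not, the `# v2.4.3` comment would be misleading and the pin should be treated as an untagged commit.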
@copilot update the version in the comment as well
The comment is already correct — both SHAs refer to the same v2.4.3 release. Dependabot pinned to the annotated tag object SHA (99c09fe…) before, and is now using the underlying commit SHA (4eaacf0…) that the tag points to. No version change occurred, so the # v2.4.3 comment remains accurate.
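As an added example (not code from this PR, Dependabot, or the Scorecard project), the following Python audit of workflow `uses:` pins applies the distinction explained above: it reports whether a 40-hex pin is the peeled commit SHA of the tag named in the trailing comment, the annotated tag-object SHA, or neither. The `KNOWN_TAGS` table is constructed from the two SHAs in this PR and would in practice be filled from `git ls-remote --tags`.

```python
import re
from typing import NamedTuple

class TagRefs(NamedTuple):
    tag_object: str  # SHA of the annotated tag object (what `git rev-parse vX.Y.Z` prints)
    commit: str      # SHA the tag peels to (`git rev-parse 'vX.Y.Z^{commit}'`)

# Constructed lookup table modelled on this PR: old pin = v2.4.3 tag-object SHA, new pin = its
# commit. Fill it from `git ls-remote --tags <repo>`; the `^{}` rows carry the peeled commit SHAs.
KNOWN_TAGS = {
    "ossf/scorecard-action": {
        "v2.4.3": TagRefs("99c09fe975337306107572b4fdf4db224cf8e2f2",
                          "4eaacf0543bb3f2c246792bd56e8cdeffafb205a"),
    },
}
# Matches `uses: owner/repo[/subpath]@ref [# comment]` on a workflow step line.
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*([\w.-]+/[\w.-]+)(?:/[\w./-]+)?@(\S+)(?:[ \t]*#[ \t]*(\S+))?",
    re.M,
)
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

def audit_pins(workflow_text, known_tags=KNOWN_TAGS):
    """Return (action, ref, verdict) for every `uses:` line in the workflow text."""
    findings = []
    for action, ref, comment in USES_RE.findall(workflow_text):
        refs = known_tags.get(action, {}).get(comment)
        if not FULL_SHA_RE.match(ref):
            verdict = "unpinned: mutable tag or branch ref"
        elif not comment:
            verdict = "sha-pinned but the version comment is missing"
        elif refs is None:
            verdict = f"sha-pinned; {comment} not in lookup table, verify manually"
        elif ref.lower() == refs.commit:
            verdict = f"ok: commit SHA of {comment}"
        elif ref.lower() == refs.tag_object:
            verdict = f"tag-object SHA of {comment}; repin to {refs.commit}"
        else:
            verdict = f"SHA is not {comment}; investigate before merging"
        findings.append((action, ref, verdict))
    return findings

# Constructed sample: the new and the old pin from this PR plus an unpinned hypothetical step.
SAMPLE_WORKFLOW = """\
    steps:
      - name: Run Scorecard analysis
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
      - uses: ossf/scorecard-action@99c09fe975337306107572b4fdf4db224cf8e2f2 # v2.4.3
      - uses: example-org/lint-action@main
"""
```

Running `audit_pins(SAMPLE_WORKFLOW)` flags the second step as a tag-object pin and the third as unpinned, while the first passes.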
Dependency Update Analysis
Summary: This PR updates ossf/scorecard-action
| Check | Result |
|---|---|
| Breaking changes | ✅ None found in this repo usage |
| Testable in PR | ✅ Yes — workflow triggers on pull_request to main (.github/workflows/ci.yml lines 5-9) |
| Commit verified | v2.4.3 annotated tag is cryptographically verified and points to commit 4eaacf...; direct commit-signature status was not available from the MCP commit response |
| Pin format | ✅ SHA-pinned |
Changelog highlights (`v2.4.2` → `v2.4.3`)
- `scorecard-action v2.4.3` bumps the underlying `ossf/scorecard` engine to `v5.3.0`.
- Notable security-relevant engine changes in the `v5.3.0` release notes include:
  - Symlink handling hardening (skip dangling symlinks, detect symlink path traversal in local file mode).
  - Dangerous workflow detections expanded (discussion title/body, blocked user fields).
  - Pinned-dependency detection improvements and bug fixes (unpinned reusable workflows, docker pin detection, parsing fixes).
  - Payload-size limiting in webhook paths (1024 bytes), reducing abuse surface.
- No explicit CVE IDs or GHSA advisories were listed in the action `v2.4.3` release body.
Usage in this repository
- Found at `.github/workflows/ci.yml` line 100: `uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3`
- Job context (`scorecard` job):
  - Inputs: `results_file`, `results_format: sarif`, `publish_results: false`.
  - Permissions: `actions: read`, `contents: read`, `security-events: write`, `id-token: write`.
  - Output consumed by `github/codeql-action/upload-sarif`.
- Trigger context: workflow runs on PR events (`opened`, `synchronize`, `reopened`) targeting `main`.
Compatibility + CVE-focused assessment
- Breaking/API compatibility: No action input changes were identified that affect current usage (`results_file`, `results_format`, `publish_results`).
- Security exposure impact for this repo:
  - Changes are primarily in static-analysis logic and detection fidelity, not in this repository's application/runtime path.
  - Improved detection logic likely reduces missed-findings risk (especially workflow/pinning patterns).
  - No new privileged scopes were introduced in this repo's workflow by this PR.
- Potential regressions / new attack surface:
  - Main risk is CI signal behavior drift (new or noisier findings) due to upgraded detection heuristics.
  - Operationally low blast radius: Scorecard runs in CI and publishes SARIF; no direct production execution path.
- Overall risk level: low-to-moderate.
Labels Applied
No labels applied.
Reason: based on available MCP data, commit verification was only partially confirmable (verified signed tag -> target commit), while direct commit verification status was not exposed in the commit response. I therefore did not auto-apply oblt-aw/ai/merge-ready.
Note
🔒 Integrity filtering filtered 1 item
Integrity filtering activated and filtered the following item during workflow execution.
This happens when a tool call accesses a resource that does not meet the required integrity or secrecy level of the workflow.
- pr: build(deps): bump ossf/scorecard-action from 99c09fe975337306107572b4fdf4db224cf8e2f2 to 4eaacf0543bb3f2c246792bd56e8cdeffafb205a in /.github/workflows #170 (`pull_request_read`: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)
From workflow: Observability Agentic Workflow Entrypoint
Just as a heads up, I was blocked by some firewall rules while working on your feedback.

Warning: Firewall rules blocked me from connecting to one or more addresses. I tried to connect to the following addresses, but was blocked by firewall rules:

If you need me to access, download, or install something from one of these locations, you can either:
Bumps ossf/scorecard-action from 99c09fe975337306107572b4fdf4db224cf8e2f2 to 4eaacf0543bb3f2c246792bd56e8cdeffafb205a.
Changelog
Sourced from ossf/scorecard-action's changelog.
... (truncated)
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)