Closed godofredoc closed 1 year ago
Interesting. Not sure what's going on here. I think we need a way to add debug input to the output. Created https://github.com/ossf/scorecard-action/issues/176 for tracking.
The alert information is included in the SARIF file. Is caching used somewhere in between calling scorecards and the generation of the SARIF file?
There's no caching. We always run scorecard and create the SARIF for each run.
Awesome, thanks!
Are you still seeing this problem?
It replicates with gcr.io/openssf/scorecard@sha256:8165ad910019422f40c51cbb97ff6e7db0e2e2e11faebf59e0b6f1a2eb66ebd7 but not with the latest images. Seems like it will also get fixed with the next update.
Great, so you'll get the fix in the next release.
This has been fixed, thanks @laurentsimon!
The scorecard action is reporting that most of the PRs are not running tests even though running the scorecard command reports that 30/30 tests ran tests correctly:
Image from security tab report as generated by scorecard action:
Data from running the check with the same PAT as the action: