Closed matmair closed 4 months ago
A full score as SonarCloud runs on every commit to master
Currently, Scorecard only awards points for SAST run on a PR before merge, not after merge.
Maybe also a better indication of which commits the tooling is missing / is detected to be missing.
At one time you could pass --show-details and --verbosity debug to see this, but I believe this was lost in the transition.
Here is what Scorecard currently sees for HEAD, looking back 30 commits at the PRs they came from.
PR: 7640 checked: false
PR: 6772 checked: false
PR: 7585 checked: false
PR: 7630 checked: false
PR: 7629 checked: false
PR: 7626 checked: false
PR: 7625 checked: false
PR: 7620 checked: false
PR: 7611 checked: false
PR: 7614 checked: false
PR: 7617 checked: false
PR: 7619 checked: false
PR: 7618 checked: false
PR: 7616 checked: false
PR: 7610 checked: false
PR: 7609 checked: false
PR: 7598 checked: false
PR: 7596 checked: true
PR: 7601 checked: false
PR: 7599 checked: false
PR: 7540 checked: true
PR: 7595 checked: false
PR: 7591 checked: false
PR: 7590 checked: true
PR: 7581 checked: false
PR: 7584 checked: false
PR: 7587 checked: false
PR: 7588 checked: true
PR: 7589 checked: false
PR: 7586 checked: false
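As an added example (not from the issue and not Scorecard's own code), a small Go program that turns a listing like the one above into the two things a maintainer needs when triaging this check: which merged PRs had no SAST check run, and the analyzed fraction scaled to 0..10. The proportional scoring rule is an assumption used to model the check, and the embedded listing is a constructed four-line excerpt.

```go
package main

import (
	"bufio"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// Constructed sample: four of the thirty "PR: N checked: bool" lines above.
const sampleListing = `PR: 7640 checked: false
PR: 7596 checked: true
PR: 7601 checked: false
PR: 7540 checked: true`

type sastSummary struct {
	Total, Analyzed, Score int   // Score: analyzed fraction scaled to 0..10
	Missing                []int // PRs that merged without a SAST check run
}

// summarizeListing skips lines not shaped "PR: <n> checked: <bool>", so a whole
// log can be fed in. The proportional score is an assumption, not Scorecard's code.
func summarizeListing(out string) sastSummary {
	var s sastSummary
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 || f[0] != "PR:" || f[2] != "checked:" {
			continue
		}
		pr, err1 := strconv.Atoi(f[1])
		checked, err2 := strconv.ParseBool(f[3])
		if err1 != nil || err2 != nil {
			continue // malformed line, e.g. a truncated log
		}
		s.Total++
		if checked {
			s.Analyzed++
		} else {
			s.Missing = append(s.Missing, pr)
		}
	}
	if s.Total > 0 {
		s.Score = int(math.Round(10 * float64(s.Analyzed) / float64(s.Total)))
	}
	return s
}

func main() { fmt.Printf("%+v\n", summarizeListing(sampleListing)) }
```

Feeding it the full thirty-line listing above gives the PR numbers to look up in the SAST provider's PR analysis history, which is the check matmair asks to have documented.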
Thank you for the information @spencerschrock, I will try to locate what changed in our SonarCloud config so that PRs are not analysed anymore. Could the information on how to find unanalyzed PRs be added to the doc section about SAST? I found that very helpful.
I have followed up on this and there was an issue with our SAST config/provider runs - the detections of Scorecard were correct. Sorry for the effort required to triage this.
No worries, I've made a note to make it easier to debug and to document it in SAST/Code-Review troubleshooting steps.
Describe the bug We have had SonarCloud enabled on the repo for a long time now and got a full SAST score accordingly. Now the score is very low, but we did not change anything in the settings.
Reproduction steps Steps to reproduce the behavior:
Expected behavior A full score as SonarCloud runs on every commit to master. Maybe also a better indication of which commits the tooling is missing / is detected to be missing.
Additional context Latest scorecard run is here: https://github.com/inventree/InvenTree/actions/runs/9902504293/job/27356513547