Azeem Shaikh
@naveensrinivasan assigning this to you as per yesterday's discussion. Let's come up with a one-pager proposal here to submit in the TAC meeting
I was thinking it would be an int. How do you mean `Commit-ish`?
@raghavkaul Scorecard doesn't analyze all release branches (except in Branch-Protection check), only the default branch. The proposal is to make the analysis on default branch itself to be configurable.
> why not just go with the release tags

Primarily because Scorecard by definition is meant to solve a larger scope problem - assess the security posture of a project...
@ossf/scorecard-maintainers are there any concerns if development work on this feature were to start?
> you're asking about just increasing the commit depth, or also passing an older tag as the "start" of the analysis?

Both - `--commit` for passing older tag as the...
@theresa-m looking at https://help.sonatype.com/lift, Sonatype Lift seems to be a code analysis tool and not really something that helps with automatic dependency updates?
Sorry for the delay here @N8BWert. I'll try to give my first pass review this weekend or by early next week. Thanks for your patience.
Thanks for the report @pnacht. For this issue and #945 I think the [starter workflow](https://github.com/actions/starter-workflows/blob/main/code-scanning/scorecards.yml) needs to be updated. You mentioned you'd be willing to send a PR, so I'll...
We have e2e tests set up for the GHA - https://github.com/ossf-tests/scorecard-action/blob/main/.github/workflows/scorecards-latest-release.yml. Do you want to test your updates there first?