Azeem Shaikh

Interesting find. For some reason the commitSHA points to a commit in scorecard-action repo - https://github.com/ossf/scorecard-action/commit/3155d134e59d8f47261b1ae9d143034c69572227. Need to investigate more. Thanks for the report.

See #1709. We could use `go-git` here to get any git-related context for local repos. Would be a helpful improvement to the tool if you'd like to tackle this.

@naveensrinivasan in our last sync you mentioned this PR needs more work. Let us know when this is ready for review.

One idea might be to have the `Score` field to be a pointer. That way a `nil` value can indicate NA instead of `-1` which we today use to indicate...

One item I would add here is deprecation of v1 (pass/fail) code in this release.

- #1393

Adding few more: - #1618 - #1597 - #1032 - #575 - #1537 - #271 - #1389 - #1245

Updating this after discussion on the bi-weekly. @justaugustus to add an issue about release process for Scorecard along with the items mentioned above.

@ossf/scorecard-maintainers - we have most features implemented here to start thinking about having a v5 release. What do folks think? @justaugustus your input here as the release manager for Scorecard...

@georgettica @laurentsimon could we start with checking for `*_test.go` files in the repository which contain functions matching the regex `func Fuzz* (* \*testing.F)` ? Would that be a good start...