Canlin Guo

Results 56 comments of Canlin Guo

Hi. Is anyone looking into this issue? As @jhutchings1 said, we can use the GitHub API for listing Actions workflows to enhance the detection of SAST. Just match the name...

Hi @rkg-mm! I'm not familiar with javascript. Could you please share your thoughts about why we often don't care about the dev vulnerabilities? In my opinion, it seems that dev dependencies...

Thanks for replying. I believe the integration will be with the binary. The MCP Server functions like a REST API, but it's designed for LLMs. We can refer to [GitHub's...

> The Scorecard server being `--serve` referenced in your other issue? Yeah. So MCP and REST API are essentially consistent; they just use different frameworks/protocols. The MCP Server exposes its...

Hi, I found the reason that leads to this result. I'm not sure yet whether this is a bug. In `serve.go`, at line [79](https://github.com/ossf/scorecard/blob/a553e1e6054807e043b607ca089e7b45ba8014db/cmd/serve.go#L79C16-L79C80), the usage of `repoResult.AsJson` is old,...

Thank you for your reply. Due to GitHub token limitations, the Scorecard API service officially deployed is not real-time. Our product relies on a large number of open-source components, and...

Hi! It seems that this issue still exists. For example, in https://scorecard.dev/viewer/?uri=github.com/ossf/scorecard the error `internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration` occurs. But...

@spencerschrock Just a quick side note — do metrics like code review and branch protection really make sense for personal projects? I know that Scorecard mentions in checks.md something like...

@FilipJirsak @ecki Would you mind taking a quick look at this PR when you get a chance? Any feedback would be greatly appreciated!

> Pinning to a full commit SHA can be harder to update; consider using the stable tag (e.g., actions/checkout@v4) for better readability and maintenance. Instead of using stable tag, I...