Spencer Schrock
Scorecard still looks at 30 commits (or whatever `commitsToAnalyze` is set to). The number being reported refers to the number of commits in the 30 pulled which have a PR...
Is this still something we're considering? Dependabot doesn't appear to have an ETA for the feature https://github.com/github/roadmap/issues/148
I can take a look at this
My plan is to expand the GraphQL API call to fetch all the check info in the initial API call. Something like this: ``` query { repository(owner:"ossf", name:"scorecard") { object(expression:...
> We basically need to make the ListChecksRunsForRef call for all commits returned by ListCommits which is what makes this check expensive

Yep. That's what I was hoping to avoid...
Luckily the [GitHub GraphQL API Explorer](https://docs.github.com/en/graphql/overview/explorer) also provides cost info. Getting the checks run on normal commits is pretty cheap (`cost: 1`). ~~The way I'm getting the checks for each...
The SAST check has been enabled as part of #2223. The next BigQuery cron job to pick it up will be the 9/5/22 run and the data should be available...
Wrapping up tests for the commit for the original issue. Can take a look at the cron job after.
> I highly suspect this line of code here: https://github.com/ossf/scorecard/blob/main/remediation/remediations.go#L47

👍 The problem is removing the `once.Do` code would fix the issue with "stale" repo/branch names, but it introduces data...
> Just a thought: remediation should belong in checks/evaluation instead of being a separate package (also maybe don't expose the remediation related fns)? If every check generates its own remediation,...