What's Changed

General

• ✨ Scorecard can now generate its output as an in-toto statement by specifying --format=intoto (#4491, @puerco)
• ✨ Improved the performance of --file-mode git (#4563, @spencerschrock)
• 🐛 Ensure artifactLocation in sarif output are escaped by @xhochy in #4619
• ✨ Scorecard now supports configuration files ending in either .yml or .yaml (#4568, @ratancs)
• 🌱 Go 1.23.0 is now required to build Scorecard or use it as a library. (#4547, @spencerschrock)

Checks

CI-Tests

• 🐛 Fixed detection for Cirrus CI (#4564, @spencerschrock)

Contributors

• ✨ Users listed in CODEOWNERS file in GitHub repos now contribute to Contributors check (#4611, @lharrison13)

SAST

• 🐛 SAST: Fixed an issue with Sonar Cloud not being detected due to a renamed GitHub app. (#4541, @spencerschrock)

Probes

• ✨ Added independent probe that checks for ecosystem specific non-memory safety practices in the codebase and flags them. (#4499, @balteravishay)

Documentation

• 📖 Fix grammar in maintained check messages. (#4618, @martincostello)
• 📖 Fix GitHub Actions badges in README.md by @PeterDaveHello in #4592
• 📖 MAINTAINERS: Reflect active project contributors and affiliations by @justaugustus in #4521

New Contributors

• @puerco made their first contribution in #4491
• @ratancs made their first contribution in #4568
• @PeterDaveHello made their first contribution in #4592
• @rscohn2 made their first contribution in #4596
• @llindsaya made their first contribution in #4605
• @xhochy made their first contribution in #4619
• @ryjones made their first contribution in #4628
  Full Changelog: v5.1.1...v5.2.0