Bump github.com/ossf/scorecard/v4 from 4.10.5 to 4.12.0

[dependabot]

Bumps github.com/ossf/scorecard/v4 from 4.10.5 to 4.12.0.

Release notes

Sourced from github.com/ossf/scorecard/v4's releases.

v4.12.0

This version of Scorecard supports GitLab repos by default.

This release also adds preliminary support for the scdiff command which can be used to compare changes in Scorecard scores for a repository between versions of Scorecard, as well as probe support for the Security-Policy check.

Finally, this release fixes scoring issues in the Branch-Protection and Pinned-Dependencies checks.

What's Changed

WIP

• ✨ GitLab: Release by @​raghavkaul in #3340
• ✨ [experimental] Probe support for security policy check by @​laurentsimon in #3241

Bug Fixes

• 🐛 Fix Branch-Protection scoring by @​gabibguti in #3251
• 🐛 Forgive job-level permissions by @​pnacht in #3162
• 🐛 Add npm installs to Pinned-Dependencies score by @​gabibguti in #2960

Docs

• 📖 Add release process by @​spencerschrock in #3322
• 📖 Update GitHub documentation links by @​martincostello in #3318
• 📖 Fixed slack badge on README by @​eddie-knight in #3311
• 📖 update docs for webhooks documentation by @​leec94 in #3299
• 📖 Add contributor ladder by @​pnacht in #3246
• 📖 Suggest new score viewer on badge documentation by @​diogoteles08 in #3268
• 📖 Update Branch-Protection admin and non-admin requirements by @​gabibguti, @​pnacht in #2772

New Contributors

• @​ajmalab made their first contribution in ossf/scorecard#3248
• @​eustas made their first contribution in ossf/scorecard#3267
• @​martincostello made their first contribution in ossf/scorecard#3318
• @​thepwagner made their first contribution in ossf/scorecard#3327
• @​aaguiarz made their first contribution in ossf/scorecard#3337

Full Changelog: ossf/scorecard@v4.11.0...v4.12.0

v4.11.0

What's Changed

New

• ✨ Consider haskell-actions/hlint-scan a code scanning action by @​chungyc in ossf/scorecard#2846
• ✨ Detect fuzzing in Haskell by the presence of property tests. by @​chungyc in ossf/scorecard#2843
• ✨ The SAST check will look for workflows with the "github/codeql-action/analyze" action locally instead of the GitHub Search API endpoint by @​spencerschrock in ossf/scorecard#2839
• ✨ Scorecard checks for unpinned dependencies that are retrieved ad-hoc using nuget and dotnet CLIs ("nuget install" and "dotnet add") by @​balteravishay in ossf/scorecard#2779
• ✨ show non-compliant code changes for CI-Tests, Code-Review and SAST checks in --show-details mode by @​ashishkurmi in ossf/scorecard#2835
• ✨ Detect semantic-release as a packaging workflow by @​travi in ossf/scorecard#2964
• ✨ Detect semantic-release as a releasing workflow by @​travi in ossf/scorecard#2989
• ✨ Add support for github GHES by @​patelniketm in ossf/scorecard#2999 and @​rajbos in ossf/scorecard#2788
• ✨ Detect fast-check PBT library for JavaScript Fuzzing by @​dubzzz in ossf/scorecard#3073
• ✨ Run Scorecard on packages hosted at Nuget.org using --nuget=<package>by @​balteravishay in ossf/scorecard#3020

Bug Fixes

• SAST

... (truncated)

Commits

• 7ed886f ✨ GitLab: Release (#3340)
• 76dc144 🌱 E2e Gitlab Issues (#3343)
• a8b255a ✨ [experimental] Probe support for security policy check (#3241)
• f30ff23 Clear all possible token env vars for token accessor test. (#3347)
• b1f3519 🌱 Add e2e test for GitLab repo releases (#3342)
• ebeb0b9 🌱 Bump github.com/google/go-containerregistry
• 4fce356 🌱 Bump github.com/moby/buildkit from 0.12.0 to 0.12.1
• 0130171 📖 Add release process. (#3322)
• 42e000c 🌱 Bump gocloud.dev from 0.32.0 to 0.33.0 (#3338)
• 2df78d9 🌱 Unit tests badge response (#3329)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.