docs: add Sigstore/SBOM badges, fix Semgrep Scorecard regression#338
Conversation
## Background v0.16.20 added Cosign signing and SBOM but badges were missing. Semgrep pip install caused OpenSSF Scorecard Pinned-Dependencies to drop from 10 to 9. ## Changes - README.md (root): Add Sigstore and SBOM badges after SLSA 3 - docs/i18n/*/README.md (26 languages): Add same badges - extensions/git-id-switcher/README.md: Regenerated from en source - security.yml: Revert to semgrep-action Docker image (SHA-pinned) - .semgrepignore: Exclude sonarcloud.yml (SHA pin false positive) - dependency-review-config.yml: Re-add semgrep-action license exception - CHANGELOG.md: Add 0.16.21 entry - package.json: Bump version 0.16.20 → 0.16.21 🖥️ IDE: [Cursor](https://cursor.sh) 🔌 Extension: [Claude Code](https://claude.ai/download) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Model-Raw: claude-opus-4-6
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.OpenSSF Scorecard
Scanned Files
|
Review Summary by QodoAdd supply chain security badges and fix Semgrep Scorecard regression
WalkthroughsDescription• Add Sigstore (Cosign Signed) and SBOM (CycloneDX) badges to root and 26 language READMEs • Fix OpenSSF Scorecard Pinned-Dependencies regression by reverting to SHA-pinned Docker action • Create .semgrepignore file to exclude SonarCloud workflow from false positive detection • Update version to 0.16.21 and regenerate documentation hashes Diagramflowchart LR
A["Security Workflow"] -->|"Replace pip install"| B["SHA-pinned Docker action"]
B -->|"Restore score"| C["Pinned-Dependencies: 10"]
D["Documentation Files"] -->|"Add badges"| E["Sigstore + SBOM badges"]
E -->|"Render on GitHub"| F["Supply chain visibility"]
G[".semgrepignore"] -->|"Exclude false positive"| H["SonarCloud workflow"]
File Changes2. extensions/git-id-switcher/README.md
|
Code Review by Qodo
1. Semgrep bypasses workflow file
|
|
|
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |



Summary
.semgrepignorefor SonarCloud Action SHA pin false positiveTest plan
🤖 Generated with Claude Code