I see that there are regular updates in the repo and that tags are getting updated. For some reason these are not getting flagged on GitHub as releases. The last release is showing up as "March 9, 2022" - over four years ago.
It is easy for the casual user to read this and presume the project has been abandoned. As a contrast, the updates in https://github.com/bridgecrewio/checkov are showing up as releases in GitHub.
The lack of releases also seems to confuse Mend.IO's Renovate - a popular alternative to Dependabot.
❗Dependency Lookup Warnings
Renovate failed to look up the following dependencies:
Failed to look up github-tags package bridgecrewio/checkov-action: no-result
This makes it more difficult for folks to follow the security best practice of pinning to git SHAs - ironic for a security-focused action. If Renovate could understand your tags as releases then I'd say that disabling the release box would be the easiest course.