OpenSSF Scorecard report
| Score | Check | Risk | Description | Reason |
|---|---|---|---|---|
| - | Dangerous-Workflow | critical | Determines if the project's GitHub Action workflows avoid dangerous patterns. | |
| - | Binary-Artifacts | high | Determines if the project has generated executable (binary) artifacts in the source repository. | |
| - | Branch-Protection | high | Determines if the default and release branches are protected with GitHub's branch protection settings. | |
| - | Code-Review | high | Determines if the project requires code review before pull requests (aka merge requests) are merged. | |
| - | Dependency-Update-Tool | high | Determines if the project uses a dependency update tool. | |
| - | Maintained | high | Determines if the project is "actively maintained". | |
| - | Signed-Releases | high | Determines if the project cryptographically signs release artifacts. | |
| - | Token-Permissions | high | Determines if the project's workflows follow the principle of least privilege. | |
| - | Vulnerabilities | high | Determines if the project has open, known unfixed vulnerabilities. | |
| - | Fuzzing | medium | Determines if the project uses fuzzing. | |
| - | Packaging | medium | Determines if the project is published as a package that others can easily download, install, easily update, and uninstall. | |
| - | Pinned-Dependencies | medium | Determines if the project has declared and pinned the dependencies of its build process. | |
| - | SAST | medium | Determines if the project uses static code analysis. | |
| - | Security-Policy | medium | Determines if the project has published a security policy. | |
| - | CI-Tests | low | Determines if the project runs tests before pull requests are merged. | |
| - | CII-Best-Practices | low | Determines if the project has an OpenSSF (formerly CII) Best Practices Badge. | |
| - | Contributors | low | Determines if the project has a set of contributors from multiple organizations (e.g., companies). | |
| - | License | low | Determines if the project has defined a license. | |